Security researcher demands money from Sun, Nokia

By David Meyer, ZDNet UK
Wednesday, August 13, 2008 10:37 AM

A Polish security researcher has claimed to have found multiple flaws in mobile Java, but is demanding 20,000 euros (US$30,000) in return for full details of the vulnerabilities.

Adam Gowdiak, founder and chief executive of Security Explorations, has written on his Web site that he has created two proof-of-concept codes--stretching to over 14,000 lines--to attack vulnerabilities "affecting the implementation of mobile Java [J2ME] used by Sun and Nokia in their products". He has published the first few pages of his 178-page report, but will only reveal the rest if Nokia or Sun pay him 20,000 euros (US$30,000).

On his Web site, Gowdiak stated he is taking this approach "to gather funds for creating a cutting-edge security research center in Poland", adding: "It's [a] better approach than to beg a [venture capital] company for money." His overall funding target is 1 million euros (US$1 million).

Gowdiak also appears to be a former employee of Sun, according to the biography on his site.

The research paper appears to include information on how to hack into a Nokia Series 40 handset and maliciously target functions such as phone information, SMS sending, audio and video recording, phone-book access and SIM-card access. According to Gowdiak, attackers could initiate phone calls or Internet connections, or read and write to files stored on the device.

"Security Explorations successfully verified that Sun's implementation of mobile Java technology used in its latest version of Java Wireless Toolkit software is vulnerable to the discovered flaws," Gowdiak said in a statement, adding that an attacker needed only "a cell-phone number of a target device" in order to gain unauthorized access to "selected Nokia devices".

Gowdiak suggested that his unusual method of obtaining compensation for his research helps maintain "freedom with regard to the research we conduct". In the FAQ section of the Security Explorations Web site, the company claims not to be afraid of lawsuits because "if a given vendor prefers to throw money for lawyers instead of spending them to improve the security of their products, we can't do anything about it".

Neither Sun nor Nokia was able to provide comment on Gowdiak's claims at the time of writing on Tuesday.

Security researchers who find vulnerabilities already have two outlets for selling them. Through its Zero Day Initiative, TippingPoint offers a bounty and awards program to researchers who report bugs to the company, while VeriSign's iDefense Vulnerability Contributor Program offers up to US$15,000 for "well-researched, high-impact" vulnerabilities.

