The flaws are difficult to exploit because malicious programs must be tailored to a specific model of cell phone, said Adam Gowdiak, a 29-year-old security researcher with the Poznan Supercomputing and Networking Center who discovered the vulnerabilities. He figured out how to attack a Nokia 6310i mobile phone, but the effort took four months, he said in a Friday posting to the BugTraq vulnerability mailing list.
Before the vulnerabilities could be exploited, a phone user would have to download and run a malicious Java program, called a midlet, Gowdiak said in an e-mail interview. He's not aware of a way to automate an attack.
He notified Sun of the vulnerabilities in August, and the company said it sent Java licensees a patched version of the vulnerable component, called the Java bytecode verifier, within two weeks.
"We have not seen any attempts to exploit this vulnerability, but if there is one, the user can simply delete...the applications they downloaded from an untrusted source," said Eric Chu, Sun's director of marketing for the Java 2 Micro Edition, or J2ME, software.
But in an October talk at the Hack in the Box conference in Malaysia, Gowdiak said the situation should be taken seriously. "Vendors and (the) antivirus industry are not prepared for this kind of threat," he said in his presentation. "It should be expected that remote vulnerabilities for mobile devices will be published within the next six months."
Sun didn't publish the vulnerabilities, instead choosing to let the cell phone makers notify their customers. "We don't have a relationship with the end consumer," Chu said.
Java, which lets programs such as video games run on many different cell phones, has grown common. Sun estimates that more than 570 million Java-enabled handsets will have been sold by the end of 2004, and one in three handsets is equipped with Java. Hundreds of cell phone service providers rely on J2ME to sell ring tones, games and other downloads.
Sophisticated mobile devices are growing more important. According to the Meta Group, roughly two-thirds of all businesses and organizations will deploy mobile data services by 2007. Mobile e-mail will top the application list, with half of organizations launching a wireless e-mail system within three years and 75 percent in four years.
The vulnerability disclosure comes on the eve of CTIA Wireless I.T. & Entertainment 2004, a cell phone trade show in San Francisco, where Java will support many new services to be unveiled.
Java has been relatively free of vulnerabilities, especially compared with Windows. One advantage is that Java has built-in security features that make it hard for local or remote programs to take unauthorized actions.
Using the vulnerabilities, Gowdiak created programs for the Nokia phone that could send text messages or photos, wipe the phone's memory, connect to the Internet and steal data such as phone book records--all without the user knowing.
And at the Hack in the Box conference, he said the vulnerabilities could potentially be used to install software that secretly records text messages, or to install other applications.
Qualcomm makes a competing but less popular technology to download software onto cell phones. There have not been any reports of vulnerabilities among the scores of carriers using Qualcomm's, or BREW, technology.
Microsoft has had some issues with mobile devices; vulnerabilities have been found for its smart phone operating system, itsfor gadgets and its software for handhelds.