A security researcher is trying to garner funds to set up his own company by charging for details of software flaws.
Adam Gowdiak says he has identified flaws in Java Nokia's Series 40 phone operating system and built two exploits that could be to subvert systems running the code. He is asking Nokia and Sun for €20,000 (A$34,000) to see his proof and amend the flaws, but has not ruled out selling it to third parties.
“We plan to deal with professional and serious companies from the security, telecommunication, anti-virus and government industries. Thus, we will not fulfil every single party's request for early access to our research material,” he says on his site.
“We can't do anything about the leak occurring at one of these companies. In case of a leak, we will immediately inform the public about its occurrence.”
Gowdiak claims in the forward to his paper that the flaws would allow a hacker to control certain functions of a mobile phone running Nokia’s Series 40 operating system just by knowing the phone number the phone is using.
Once into the phone it could be programmed to call high cost phone services or send duplicate copies of SMS’ or even turn the phone into a sound recorder.
The move is a break from standard security research, where vendors are informed of any flaws and researchers make their money from consultancy. Gowdiak says that would not give him the freedom to do the research he wants but that he had given the companies a brief update on the flaws.
“If one takes into account that experienced and skilled 3rd parties charge between US$200-250 per hour for security evaluation services, €20, 000 ($A34,0000) is equal to 3-4 weeks of work. So, you get the 6 months of work for the price of one month,” he says.
Researcher wants cash for flaws
By Iain Thomson on Aug 14, 2008 10:17AM