Nokia Asha Lock Code Bypass
Posted on 18 September 2014
########################################################## # Vulnerability: Nokia Asha Platform Call Records access # Impact: Medium # AUthor: Muhammad Shahmeer # Company: Maads Security # Website: Maads-security.com ########################################################## Introduction: Mobile platforms being as convinient and felxible for developers to alter also have certain loopholes that can give the attacker an insight about the victim's information. Nokia Asha Phones have their own platform which is a GUI replica of most commonly used mobile phone platforms such as android, but these phones are provided at a relatively cheaper cost to the customer. The Asha platform has been diagnosed of having a number of vulnerabilities both logical and code based. The lock code of any phone software should ensure that no information on the phone should be visible to the bearer unless the correct code has been entered. However this is not the case with Nokia Asha platform enabled mobiles. Lock code bypass: There is a logical issue with the platform that allows a malicious user to access the previous call records as well the certain phonebook contacts that are present on the phone. It requires no more then a number of keys to be pressed on the phone lockpad. This issue requires the phone to be having Nokia Asha platform of any version Proof of concept: Below are the steps to access the call records on the Nokia Asha phone without having to put the lock code. Once the phone is locked, Enter any number of letter on the lockpad and touch the SOS key This takes to the dialer of the phone. Now in the dialer without entering any number you should press the "Phone YES" mark This will give you access to call records on that phone. Fix: SOS number should be saved by default in order to prevent this Comments: I have already sent this issue to Nokia for the fix. Let's see what they do about it
