Statements, Motives & Impacts
Looks like we have official Nokia's statement about the firmware hacks - I suppose it doesn't get more official than this!
Nokia takes all security issues seriously. We are determined to be active in the development of security controls and preventive measures.
Nokia is aware that it may be possible to modify the software update package of a limited amount of device models. This type of intentional modification may make the mobile device inoperational. This issue has no impact to the user unless there's intention to do these modifications.
We have taken necessary steps to correct this issue, and it will be fixed in future releases. It's important to note that our latest device models are not impacted with this case.
(from gabor-toroks-forum-nokia-blog)
I don't know what are the latest models, and I guess it's limited - though so far it looks like almost all devices are modifiable in one way or the other.
As many of you have guessed, my focus is on other activities than "hacking" and I have no intentions to play game of cat and mouse with Nokia. My sole intention is to free myself (and the developers) from Nokia's control, as the capability restrictions are clearly placed for limiting the competition and to protect Nokia's own business.
And what ever your twisted press or Nokia tells you, the hacked firmware is not really a security exploit. It's not remotely exploitable and even locally, it practically requires you to code the program yourself. This is a new useful tool for Symbian developer's toolbox, opening new possibilities for the home based developers, working as subcontractors or looking for publisher.
Nokia's PR claims this hack opens door to piracy, viruses and malware. Not really. The "sensitive" capabilities give access mostly to phone's local features, like task management and multimedia features. The most dangerous capability (from phone bill point of view), NetworkServices, was already user grantable. In fact, using the described hack you could also remove that, making your phone more secure. Even if you intentionally make the hack, the software is still installed through same mechanism and user is notified of the possibly dangerous self-signed content.
Let me take an example about Nokia's protectionism: If you want to implement a new "Skype" type application, which uses Wi-Fi for audio transportation, you need to obtain MultimediaDD capability from Nokia. Without MultimediaDD capability, you cannot do full duplex audio, required for any sensible human conversation.
It's nice to present "open platform" to the press, but the reality is that Nokia is interested in any competition threats for it's current business, and by controlling the access to phone's APIs using capabilities, it can control who can develop and what kind of software.
In future, I'm concentrating on posting of developer related material enabled by this firmware hack - showing what you can do with those extra capabilities. I know there's other people working on the firmware front, but for me the only real issue is if *I* can take the control of the S60 device on my desk.
Stay tuned!
PS. Kids, remember to store your phone's ROM images after flashing, they might come handy someday...
Nokia takes all security issues seriously. We are determined to be active in the development of security controls and preventive measures.
Nokia is aware that it may be possible to modify the software update package of a limited amount of device models. This type of intentional modification may make the mobile device inoperational. This issue has no impact to the user unless there's intention to do these modifications.
We have taken necessary steps to correct this issue, and it will be fixed in future releases. It's important to note that our latest device models are not impacted with this case.
(from gabor-toroks-forum-nokia-blog)
I don't know what are the latest models, and I guess it's limited - though so far it looks like almost all devices are modifiable in one way or the other.
As many of you have guessed, my focus is on other activities than "hacking" and I have no intentions to play game of cat and mouse with Nokia. My sole intention is to free myself (and the developers) from Nokia's control, as the capability restrictions are clearly placed for limiting the competition and to protect Nokia's own business.
And what ever your twisted press or Nokia tells you, the hacked firmware is not really a security exploit. It's not remotely exploitable and even locally, it practically requires you to code the program yourself. This is a new useful tool for Symbian developer's toolbox, opening new possibilities for the home based developers, working as subcontractors or looking for publisher.
Nokia's PR claims this hack opens door to piracy, viruses and malware. Not really. The "sensitive" capabilities give access mostly to phone's local features, like task management and multimedia features. The most dangerous capability (from phone bill point of view), NetworkServices, was already user grantable. In fact, using the described hack you could also remove that, making your phone more secure. Even if you intentionally make the hack, the software is still installed through same mechanism and user is notified of the possibly dangerous self-signed content.
Let me take an example about Nokia's protectionism: If you want to implement a new "Skype" type application, which uses Wi-Fi for audio transportation, you need to obtain MultimediaDD capability from Nokia. Without MultimediaDD capability, you cannot do full duplex audio, required for any sensible human conversation.
It's nice to present "open platform" to the press, but the reality is that Nokia is interested in any competition threats for it's current business, and by controlling the access to phone's APIs using capabilities, it can control who can develop and what kind of software.
In future, I'm concentrating on posting of developer related material enabled by this firmware hack - showing what you can do with those extra capabilities. I know there's other people working on the firmware front, but for me the only real issue is if *I* can take the control of the S60 device on my desk.
Stay tuned!
PS. Kids, remember to store your phone's ROM images after flashing, they might come handy someday...
posted by manko at
Wednesday, October 31, 2007
0 Comments:
Post a Comment
Subscribe to Post Comments [Atom]
Links to this post:
Create a Link
<< Home