##########################################################
# Vulnerability: Nokia Asha Platform Call Records access
# Impact: Medium
# Author: Muhammad Shahmeer
# Company: Maads Security
# Website: Maads-security.com
##########################################################
Introduction:
Mobile platforms, being convenient and flexible for developers to alter, also have certain loopholes that can give an attacker
insight into the victim's information. Nokia Asha phones have their own platform, which is a GUI replica of the most commonly used
mobile phone platforms such as Android, but these phones are provided at a relatively cheaper cost to the customer. The Asha
platform has been found to have a number of vulnerabilities, both logical and code based. The lock code of any phone software
should ensure that no information on the phone is visible to the bearer unless the correct code has been entered. However, this
is not the case with Nokia Asha platform enabled mobiles.
Lock code bypass:
There is a logical issue with the platform that allows a malicious user to access the previous call records as well as certain
phonebook contacts that are present on the phone. It requires no more than a number of keys to be pressed on the phone lockpad.
This issue requires the phone to be running the Nokia Asha platform, of any version.
Proof of concept:
Below are the steps to access the call records on a Nokia Asha phone without having to enter the lock code.
Once the phone is locked, enter any number of letters on the lockpad and touch the SOS key.
This takes you to the dialer of the phone. Now, in the dialer, without entering any number, press the "Phone YES" mark.
This will give you access to the call records on that phone.
Fix:
The SOS number should be saved by default in order to prevent this.
Comments:
I have already sent this issue to Nokia for the fix. Let's see what they do about it.