This article is more than 1 year old

Security storm brewing for Oracle Java-powered smart cards: More than a dirty dozen flaws found, fixes... er, any fixes?

Vuln hunters warn malicious applets can bust through protections, snoop on or hijack access gizmos

Bug hunters say Oracle's Java Card platform is host to a dozen and a half security flaws that could place smart-cards and similar embedded devices using the tech at risk of hijacking.

Adam Gowdiak, CEO of Security Explorations, said he and his team discovered and privately reported the vulnerabilities to Oracle and smart-card hardware biz Gemalto. Neither vendor has responded to a request for comment on possible updates.

Designed for things like SIM cards, payment cards, and other embedded tech, Java Card lets snippets of code, dubbed applets, run within a small memory footprint on cards and similar gadgets using the minimal processing power available in the widgets.

The buttons on a mobile phone glow in the dark

How I hacked SIM cards with a single text - and the networks DON'T CARE


These applets can perform authentication checks, cryptography, and other sensitive operations within the cards, using things like secret keys stashed on the devices without having to disclose them. Oracle estimates around six billion pieces of kit use the Java Card operating system in some way, shape or form.

In an advisory describing the bugs, Gowdiak explained that the 18 different security issues found by his team would potentially open the door for everything from security bypasses to complete takeover of the gizmos. In order to exploit the flaws, a malicious applet has to be loaded into the card, perhaps by a compromised or dodgy card reader, and due to a lack of internal protections, this injected software nasty can then potentially take over the card or cause other mischief.

The bugs were verified to exist on the most current version of Java Card 3.1.

"There are ways for malformed applications loaded into a vulnerable Java Card to easily break memory safety," Gowdiak explained. "Such a breach directly leads to the security compromise of a Java Card VM, applet firewall breach and jeopardizes security of co-existing applications."

He went on:

Unfortunately, due to certain architectural choices from the past, it's hard to perceive Java Card technology in terms of security ... In some cases, whole card environment can be compromised, but that's dependant on the underlying OS / processor architecture (i.e. presence of the flat address space, isolation between tasks).

It should be emphasized that successful loading of a malicious applet into target card requires either knowledge of the keys or existence of some other means facilitating it (a vulnerability in card OS, installed applications, exposed interfaces, etc.). Such scenarios cannot be excluded though.

Gemalto is involved in the disclosure because one of the findings specifically impacts its GemXplore 3G V3.0-256K and 3G USIMERA Prime SIM card models.

While the vulnerabilities do pose a security risk, to realistically pull this off, you need to know firmware is running on the target card, and its architecture. That's not impossible to find out, of course. The vulnerabilities could provide the first step an attacker would need to perform a larger intrusion into a building or some other system. Given the high-value areas, such as finance and telecoms, where Java Card operates, such bugs could prove highly valuable should they not be properly patched.

Should a fix for the vulnerabilities come from Oracle, the most likely release date would be April 16, when Big Red's next quarterly patch dump is scheduled. In other words, no, we're not aware of any fixes available yet. ®

More about


Send us news

Other stories you might like