
IoT Security

Oracle, Gemalto Downplay Java Card Vulnerabilities

A cybersecurity research company has uncovered over 30 security issues in Java Card technology, but Oracle and Gemalto appear to downplay the impact of the flaws.


In March, Poland-based Security Explorations reported identifying nearly 20 vulnerabilities in the latest version of Oracle Java Card (version 3.1), including weaknesses that can be exploited to compromise the security of chips using this technology. The firm has continued analyzing the software and it now claims to have found 34 issues.

Java Card technology is designed to provide a secure environment for applications running on smart cards, SIM cards and other trusted devices that have limited memory and processing capabilities. Oracle says the technology is deployed on nearly six billion devices every year, including in the financial, telecoms, and government sectors.

Java Card is used by several major companies for their products, including Gemalto, the world’s largest manufacturer of SIM cards. Security Explorations has managed to reproduce the vulnerabilities on some Gemalto SIM cards and has even identified several flaws that are specific to Gemalto’s implementation.

The vulnerabilities can be exploited to gain full access to a card’s memory and possibly achieve native code execution.

Security Explorations admits that the flaws are not easy to exploit, as they involve loading a malicious applet onto a targeted card — an attack requires knowledge of the encryption keys used by the card issuer or the exploitation of vulnerabilities in the card. The organization says its work lays the groundwork for future research in this field.

“In the worst case scenario, one can imagine a malicious Java application modifying targeted card operations (banking, telecom or identity) in such a way that a stealthy and persistent backdoor could be installed into the card. Our analysis of selected SIM cards from Gemalto indicate that development of such a backdoor should be possible,” Adam Gowdiak, CEO and founder of Security Explorations, told SecurityWeek last month.

“For banking cards / transportation cards, there is a potential for a malicious applet to interfere with payments conducted with the use of a card or to get access to secret keys deployed into it,” he added.

Both Oracle and Gemalto have been notified, but they don’t appear to take the findings too seriously. Oracle claims the Java Card Reference Implementation (RI), in which the vulnerabilities were uncovered, is not intended for production environments and suggested that it’s up to third-party vendors to ensure the security of their implementations.


“Oracle’s claim that its Java Card RI is not intended to be used in a real life product implicates that the licensee is either supposed to go to some other vendor for a reference implementation of Java Card VM or to build its own VM in order to implement and deploy Java Card code for its products. And this doesn’t make sense as the licensing is usually about acquiring both permission to use a given tech along the tech itself,” Security Explorations noted on its website.

“In that context, it would be natural for major hardware vendors such as STMicroelectronics (with dozens of various Java card chips in its product portfolio), Giesecke & Devrient, NXP and Infineon or a printing company such as Dai Nippon Printing to take a reference implementation from Oracle, customize it a little bit to fit its needs and then put it into its products (chips, smartcards, SIMs, government IDs, passports, etc.),” the company added.

Oracle also claims that its Java Card off-card verifier, which is used to evaluate files before they are loaded onto a smart card, can prevent exploitation of the flaws. However, as Security Explorations points out, this mechanism is designed for testing files in a desktop environment before they are loaded onto the card, which makes it ineffective if the attacker launches the attack directly against the card.

Gemalto told Security Explorations that its products don’t use the Java Card 3.1 reference implementation from Oracle. The vendor said the first issue specific to its products is not considered a vulnerability due to the fact that exploitation requires loading a malicious applet onto a targeted card.

Security Explorations later reported two other bugs specific to Gemalto products, including one that allows “unauthenticated, over-the-air loading of arbitrary Java applet code into company’s Java-based SIM card.” These problems are apparently still under investigation by Gemalto.

The cybersecurity research firm says it has successfully reproduced the exploitation of serious flaws on Gemalto products and is surprised that the vendor has not taken its report more seriously.

“It’s surprising to learn that one of the world’s top SIM card vendors dismisses a threat reported with respect to company’s products, which are potentially used to safeguard security and privacy of hundreds of millions of people around the globe,” Security Explorations said.

SecurityWeek has reached out to both Oracle and Gemalto, but neither of the companies provided any comments or clarifications.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
