Security Experts:

Connect with us

Hi, what are you looking for?


IoT Security

Oracle, Gemalto Downplay Java Card Vulnerabilities

A cybersecurity research company has uncovered over 30 security issues in Java Card technology, but Oracle and Gemalto appear to downplay the impact of the flaws.

A cybersecurity research company has uncovered over 30 security issues in Java Card technology, but Oracle and Gemalto appear to downplay the impact of the flaws.

In March, Poland-based Security Explorations reported identifying nearly 20 vulnerabilities in the latest version of Oracle Java Card (version 3.1), including weaknesses that can be exploited to compromise the security of chips using this technology. The firm has continued analyzing the software and it now claims to have found 34 issues.

Java Card technology is designed to provide a secure environment for applications running on smart cards, SIM cards and other trusted devices that have limited memory and processing capabilities. Oracle says the technology is deployed on nearly six billion devices every year, including in the financial, telecoms, and government sectors.

Java Card is used by several major companies for their products, including Gemalto, the world’s largest manufacturer of SIM cards. Security Explorations has managed to reproduce the vulnerabilities on some Gemalto SIM cards and has even identified several flaws that are specific to Gemalto’s implementation.

Java Card vulnerabilitiesThe vulnerabilities can be exploited to gain full access to a card’s memory and possibly achieve native code execution.

Security Explorations admits that the flaws are not easy to exploit as they involve loading a malicious applet onto a targeted card — an attack requires knowledge of the encryption keys used by the card issuer or the exploitation of vulnerabilities in the cardThe organization says its work lays the groundwork for future research in this field.

“In the worst case scenario, one can imagine a malicious Java application modifying targeted card operations (banking, telecom or identity) in such a way that a stealthy and persistent backdoor could be installed into the card. Our analysis of selected SIM cards from Gemalto indicate that development of such a backdoor should be possible,” Adam Gowdiak, CEO and founder of Security Explorations, told SecurityWeek last month.

“For banking cards / transportation cards, there is a potential for a malicious applet to interfere with payments conducted with the use of a card or to get access to secret keys deployed into it,” he added.

Both Oracle and Gemalto have been notified, but they don’t appear to take the findings too seriously. Oracle claims the Java Card Reference Implementation (RI), in which the vulnerabilities were uncovered, is not intended for production environments and suggested that it’s up to third-party vendors to ensure the security of their implementations.

“Oracle’s claim that its Java Card RI is not intended to be used in a real life product implicates that the licensee is either supposed to go to some other vendor for a reference implementation of Java Card VM or to build its own VM in order to implement and deploy Java Card code for its products. And this doesn’t make sense as the licensing is usually about acquiring both permission to use a given tech along the tech itself,” Security Explorations noted on its website.

“In that context, it would be natural for major hardware vendors such as STMicroelectronics (with dozens of various Java card chips in its product portfolio), Giesecke & Devrient, NXP and Infineon or a printing company such as Dai Nippon Printing to take a reference implementation from Oracle, customize it a little bit to fit its needs and then put it into its products (chips, smartcards, SIMs, government IDs, passports, etc.),” the company added.

Oracle also claims that its Java Card off-card verifier, which is used to evaluate files before they are loaded onto a smart card, can prevent exploitation of the flaws. However, as Security Exploration points out, this mechanism is designed for testing files on a desktop environment before they are loaded onto the card, which makes it ineffective if the attacker launches the attack directly against the card.

Gemalto told Security Explorations that its products don’t use the Java Card 3.1 reference implementation from Oracle. The vendor said the first issue specific to its products is not considered a vulnerability due to the fact that exploitation requires loading a malicious applet onto a targeted card.

Security Explorations later reported two other bugs specific to Gemalto products, including one that allows “unauthenticated, over-the-air loading of arbitrary Java applet code into company’s Java-based SIM card.” These problems are apparently still under investigation by Gemalto.

The cybersecurity research firm says it has successfully reproduced the exploitation of serious flaws on Gemalto products and is surprised that the vendor has not taken its report more seriously.

“It’s surprising to learn that one of the world’s top SIM card vendors dismisses a threat reported with respect to company’s products, which are potentially used to safeguard security and privacy of hundreds of millions of people around the globe,” Security Explorations said.

SecurityWeek has reached out to both Oracle and Gemalto, but neither of the companies provided any comments or clarifications.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.