Security Experts:

Oracle, Gemalto Downplay Java Card Vulnerabilities

A cybersecurity research company has uncovered over 30 security issues in Java Card technology, but Oracle and Gemalto appear to downplay the impact of the flaws.

In March, Poland-based Security Explorations reported identifying nearly 20 vulnerabilities in the latest version of Oracle Java Card (version 3.1), including weaknesses that can be exploited to compromise the security of chips using this technology. The firm has continued analyzing the software and it now claims to have found 34 issues.

Java Card technology is designed to provide a secure environment for applications running on smart cards, SIM cards and other trusted devices that have limited memory and processing capabilities. Oracle says the technology is deployed on nearly six billion devices every year, including in the financial, telecoms, and government sectors.

Java Card is used by several major companies for their products, including Gemalto, the world's largest manufacturer of SIM cards. Security Explorations has managed to reproduce the vulnerabilities on some Gemalto SIM cards and has even identified several flaws that are specific to Gemalto’s implementation.

Java Card vulnerabilitiesThe vulnerabilities can be exploited to gain full access to a card’s memory and possibly achieve native code execution.

Security Explorations admits that the flaws are not easy to exploit as they involve loading a malicious applet onto a targeted card -- an attack requires knowledge of the encryption keys used by the card issuer or the exploitation of vulnerabilities in the cardThe organization says its work lays the groundwork for future research in this field.

“In the worst case scenario, one can imagine a malicious Java application modifying targeted card operations (banking, telecom or identity) in such a way that a stealthy and persistent backdoor could be installed into the card. Our analysis of selected SIM cards from Gemalto indicate that development of such a backdoor should be possible,” Adam Gowdiak, CEO and founder of Security Explorations, told SecurityWeek last month.

“For banking cards / transportation cards, there is a potential for a malicious applet to interfere with payments conducted with the use of a card or to get access to secret keys deployed into it,” he added.

Both Oracle and Gemalto have been notified, but they don’t appear to take the findings too seriously. Oracle claims the Java Card Reference Implementation (RI), in which the vulnerabilities were uncovered, is not intended for production environments and suggested that it’s up to third-party vendors to ensure the security of their implementations.

“Oracle's claim that its Java Card RI is not intended to be used in a real life product implicates that the licensee is either supposed to go to some other vendor for a reference implementation of Java Card VM or to build its own VM in order to implement and deploy Java Card code for its products. And this doesn't make sense as the licensing is usually about acquiring both permission to use a given tech along the tech itself,” Security Explorations noted on its website.

“In that context, it would be natural for major hardware vendors such as STMicroelectronics (with dozens of various Java card chips in its product portfolio), Giesecke & Devrient, NXP and Infineon or a printing company such as Dai Nippon Printing to take a reference implementation from Oracle, customize it a little bit to fit its needs and then put it into its products (chips, smartcards, SIMs, government IDs, passports, etc.),” the company added.

Oracle also claims that its Java Card off-card verifier, which is used to evaluate files before they are loaded onto a smart card, can prevent exploitation of the flaws. However, as Security Exploration points out, this mechanism is designed for testing files on a desktop environment before they are loaded onto the card, which makes it ineffective if the attacker launches the attack directly against the card.

Gemalto told Security Explorations that its products don’t use the Java Card 3.1 reference implementation from Oracle. The vendor said the first issue specific to its products is not considered a vulnerability due to the fact that exploitation requires loading a malicious applet onto a targeted card.

Security Explorations later reported two other bugs specific to Gemalto products, including one that allows “unauthenticated, over-the-air loading of arbitrary Java applet code into company's Java-based SIM card.” These problems are apparently still under investigation by Gemalto.

The cybersecurity research firm says it has successfully reproduced the exploitation of serious flaws on Gemalto products and is surprised that the vendor has not taken its report more seriously.

“It's surprising to learn that one of the world's top SIM card vendors dismisses a threat reported with respect to company's products, which are potentially used to safeguard security and privacy of hundreds of millions of people around the globe,” Security Explorations said.

SecurityWeek has reached out to both Oracle and Gemalto, but neither of the companies provided any comments or clarifications.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.