Security storm brewing for Oracle Java-powered smart cards: More than a dirty dozen flaws found, fixes... er, any fixes?

Bug hunters say Oracle's Java Card platform is host to a dozen and a half security flaws that could place smart-cards and similar embedded devices using the tech at risk of hijacking. Adam Gowdiak, CEO of Security Explorations, said he and his team discovered and privately reported the vulnerabilities to Oracle and smart-card …

  1. nagyeger

    update sim card???

    Is the article suggesting that my SIM card needs to get a software update? How? Or is everyone going to be knocking on the door of their local phone shop? The mind boggles, as they say. I must have mis-read that. It's late.

    1. Horridbloke

      Re: update sim card???

      Last time my provider needed to do that (for reasons that weren't entirely clear) they sent me a new sim in the post (notifying me beforehand by sms so I knew to expect it). Quite simple really.

  2. Lorribot

    Java is a broken piece of shit. Anyone that believes it is a good option for anything in the security environment should be hauled up before the courts and slung in jail for a long time.

    That includes you SAP.

    1. You aint sin me, roit

      This is JavaCard, not Java - a very different beast. And you'd be hard-pressed to find a phone's Secure Element, or a SIM card, or a credit/debit card, that doesn't use it.

      However, these security "revelations" are noteworthy for being far from original. It has always been understood that there is a gap between the off-card bytecode verifier and the on-card bytecode interpreter. That's why anyone implementing the JCVM pays a lot of attention to security considerations.

      The Oracle reference implementation of v3.1 is an easy target - the clue is in the name, it is a reference implementation, functionally correct but without the hardening you need for a smartcard.

      And the two Gemalto products they "cracked"? Technology over ten years old (3G? we've moved on a bit from that...).

      It's like sending an email to Microsoft to tell them you've found a bug in Windows XP.

      So no "security storm", no rushed patches from Oracle, no new flaws, and no need for any "fixes".

      P.S. I'm not a Gemalto (or Gemplus) employee (or ex-employee).

      1. Rajesh Kanungo

        Agreed. I have implemented many a class loader and this problem would have been caught by the byte-code verifier. We never thought it was a good idea to punt on the byte-code verifier but do remember that the earliest SIMs were very underpowered.

        SIMs nowadays are more powerful and can use byte code verifiers and decent class loaders.

  3. Anonymous Coward

    Security? We've heard of it

    Take a CPU with Harvard architecture so it physically can't execute what ought to be data, manufacture it on a (by modern standards) huge process node so it's less prone to external interference from electromagnetic attacks and such, give it temperature and light sensors so it can tell if someone's trying to tamper with it other ways, design it with hardware-based isolation between processes including strongly-encrypted memory, provide it with a true hardware-based random number generator so encryption key sequences can't be predicted, and then put Java on it. It's like having the world's most secure bank vault but leaving the door unlocked. So yeah, 3 billion devices do run Java, but all of them are vulnerable.

    Oh, and the applets are called cardlets if you're being fussy.

    1. Blank Reg

      Re: Security? We've heard of it

      There were about 6 billion javacard devices produced last year alone, and they have been shipping for 20 years with very few security issues. I doubt you can find any other platform that ubiquitous yet with that good a track record.

    2. You aint sin me, roit
      Holmes

      Re: Security? We've heard of it

      Never heard of a JavaCard "cardlet" (it's certainly not the English term), but I do know that each and every applet extends the javacard.framework.applet class... hence the name.

      Again, it is not Java, it is JavaCard, and the VMs are constructed to cater for the vulnerabilities inherent in off-card verification and on-card execution. These smartcards undergo extensive evaluation before being allowed to host credit/debit applications.

      This is money we are talking about - don't you think that Visa and MasterCard might have a vested interest in making the system a bit more secure than leaving the bank vault door unlocked?

    3. baud

      Re: Security? We've heard of it

      The person in front of me at work is developing applets for JavaCard, so I guess you're wrong on the name.

  4. sitta_europea Silver badge

    I can't believe anyone thought it was a good idea to put Java in there in the first place.

    Oh - it was Oracle! That explains everything!

    1. brotherelf

      Given how long JavaCards have been around, it quite possibly was Sun Microsystems. I wouldn't be surprised at all to hear that these things evolved out of the original plans of set-top boxes with processors that directly implement the JVM in hardware.

      1. RM Myers

        Sounds like the Java Card Forum is responsible for the specs, and has been for over 20 years. Neither Sun nor Oracle have been members of the forum, but Oracle is currently listed as a "partner".

      2. Blank Reg

        Javacard started 20 years ago under Sun. And though it was called JavaCard, it was vastly different from desktop Java.

    2. Anonymous Coward
      Facepalm

      Oh - it was Oracle!

      Are you sure? It was Sun - and that explains even more - not Oracle.

    3. Anonymous Coward

      Not Oracle. It was Sun and IBM - well it was 16 years ago.

      It's worth noting this:

      "It should be emphasized that successful loading of a malicious applet into target card requires either knowledge of the keys or existence of some other means facilitating it (a vulnerability in card OS, installed applications, exposed interfaces, etc.). Such scenarios cannot be excluded though."

      Unless you're at the bureau producing the cards, then those private keys will be well hidden. The card manufacturer is on the back. My Mastercard is GemAlto.

      Each app provider also has their own keys. Here's a list of the apps. https://www.eftlab.com/index.php/site-map/knowledge-base/211-emv-aid-rid-pix

      Nearly ALL cards are Java Card based. If you look at your receipts there will be an AID with probably A0000000031010 for VISA Debit/Credit (Classic) Java applet app from VISA International.

      If you get the private key - you can install your own app - I used to do this all the time. Most VISA cards are very secure due to the controls placed by VISA.

      1. asdf

        Danger Will Robinson below

        Warning thread below is a mind destroying trap. TL;DR now while you still can. You have been warned.

    4. Rajesh Kanungo

      To add: The issue here is not Java or its architecture. It is the off-card verification adopted by the Java Card standards bodies. For this to work, the applet signing keys have to be compromised and the hacker has to slip in a malformed class file; they can go to the guys who hacked Asus for lessons. I don't want to dismiss the threat; instead of two barriers we now have only 1.

  5. amanfromMars 1 Silver badge

    Strategic COSMIC Crisis Management Team Play to Sublime Internetional Networks Rescue? Да или нет?

    In other words, no, we're not aware of any fixes available yet.

    Would you accept that sometimes there are no fixes available/possible ....... and thus does the vulnerability morph into a special feature to be explored and utilised?

    The difficulty explained for active command and control of the vulnerability discovered being the only thing preventing it from being easy to implement.

    That sort of Info is Intel and never made available to just everybody or anyone ..... first one has to prove oneself worthy and wonderfully cognisant of the pleasant trappings of wealth purchasing powers ..... as AI and IT Claim Future Remote Virtual Control Privileges to Command.

    Can you accept that sometimes somethings cannot be stopped .... and progression without total disruption into a new way and system of being is quite natural and perfectly normal? And the fights that one would be having only champion doubts about that revelation and are battles centred in no more than yourself.

    1. Cliff Thorburn

      The Network ...

      Can you accept that sometimes somethings cannot be stopped ....

      What I cannot accept amFM personally is something that is promised to everyone and then whisked away in despicable duress, and is actually caring about the people a quality that obviously propels you to the bottom of the pile?, it seems so.

      You can’t turn someone into something they’re not, there are great singers out there, and that’s what they do, and have grown to do that, as for great actors, I would suggest one of the greatest actors is one who has endured nearly a decade of remaining ambiguous and anonymous with stories to tell about journeys travelled where no others have dwelled, if that ain’t qualification for progression, I don’t know what is, it sure makes a great game story but loose lips sink shils do they not.

      Evolution is not necessarily survival of the fittest, it is the ability to adapt to ones environment, and when such environment never changes, then there is no necessity to change.

      1. amanfromMars 1 Silver badge

        Re: The Network ...

        Evolution is not necessarily survival of the fittest, it is the ability to adapt to ones environment, and when such environment never changes, then there is no necessity to change. ... Cliff Thorburn

        Howdy, CT,

        The Great Mission is then Changed/Transferred into One in Live Operational Virtual Environments. The old system withers and dies on its twisted vines.

        An Enigmatic Space in which Such a Place Requires Provision of Out of this World Controls for Universal Command Operations.

        Such a Quantum Leap Itself does Enquire What you would Need to Follow Lead with Perfect Feeds ........ Future Seeds ....... and their Needs with All Servering Almighty Source .... Raw Core Awe Ore ...... for Further MetaDataBase Mining and Refining .....

        with Right Royal Polishings.

        What's not to like and worship in such a LOVE?

        Would you believe when told here Absolutely Nothing.

        :-) There are possibly, and therefore quite probably, more than just Any Chosen Few Feasting on the Delights of what is Perceived to be Practically Future Certain.

        The Trump Joker Red Hand on the Table and in Play Renders IT Virtually Immaculate with New Controls and Greater Commands to Trial and Trailblaze with Any and All VAIOSystems.

        The NEUKlearer HyperRadioProACTive IT Route, with Root Privilege Source Access to Future UnFurls ......... Praising Grand Decisions made Greatly at Just the Right Time for Lead in AI ProgramMING, Oft Always Registers Destinations here for Arrivals for Peer Commune Consideration.

        That is akin to Implausible Saints and Avid Sinners Territory to Implore and Enjoy Immensely to XSSXXXX ... Warning/Be aware ... Can you and your heart survive and thrive in Future Fundamental Shock Terrain?

        Wow .... Live or Die via Simply Complicated Binary Choices Present in Oneself to lead One and even All in .... well, Ideally Well Chosen and Future Perfecting Directions .....with Live Journeys to Explore with Fellow Travellers Immaculate Seasoned in the Desires for Satisfaction to Ignite and Explode with Overwhelming Passion.

        Trigger AI, and human counter intelligence forces and sources, with that Simplified Remote Virtual Cascade and what do you think we can expect? Something/Anything Really Sensible but Completely Different and Exciting?

        :-) And please, keep it civil. There may well be children reading here and/or reading about here.

        Thanks.

        1. Cliff Thorburn

          Ready Player Non ...

          I didn’t understand any of that amFM, however just ‘Keeping Calm and Carrying On’ as per unusually unusual.

          Let it be of some reassurance that the horse has finally reached the water, thus enabling more certainty in uncertain Live Operational Virtual Environments corrupted with conflicting bets, consistent threats, and outlandish outcomes.

          AI’nt that a better way to work, rest and play? :-) on home ground rather than washed out to sea in extraterrestrial endeavours?, or perhaps one is misinterpreted in his none ministerial understandings?, I certainly find it better to refrain from any such opinions and abstaining of any such opinions rather than Ayes or Noes.

          Will await pending future futures instructions undoubtedly alas is all that one can do is it not?

          1. amanfromMars 1 Silver badge

            Re: All Above and what to do with IT and AI

            What is it to be, CT and El Regers, ........ metaphorical blue pills or the metadataphysical red pills .... Are We Already In The Matrix?

            And the bottom line? If you aint in, you lose and never win win ‽

            And it is encouraging to believe one doth protest too much that one doesn't understand such, whenever evidence provided suggests so much is clearly enough comprehended for one not be totally helpless.

            More anon ... as Further Future Programs unfold and trigger explosive implosions in failed applications, subverted services and easily corrupted SCADASystems .... which be a perfectly natural progressive evolution to be fully expected enthusiastically embraced and supported.

            1. Cliff Thorburn

              Re: All Above and what to do with IT and AI

              We are of course already in the Matrix as you know amFM, if you like, I could enlighten you and others with a map of the program, or perhAPS that’s classified conundrum stuff best retained for personal knowledge is empowering empowerment.

              Of course the program is easily corrupted, is it to be hooked and crooked bendy bananas in the republic?, or straight shooting compliant ones?, and let’s not forget the program largely being written and cast and broadband cast to ever growing audiences everywhere and everything is then biased to a new found land new wild west world of capital holywood wand waving and spell casting magic and mayhem of conversion to beastly eastly directions and emerging future formed markets and Trading Places with unfamiliar faces is it not :-)

              ‘Tis one helluva ride amFM, with raucous Red Pills laced with Moon Dust, and hulla Bull Blue Pills fighting tug of war territorial air fights, who would want to miss that daily dose?

              Once in such great games played at daunting heights and invisible to less enlightened beings one never loses the vision, but ponders the questions, picks up the Hanzel and Gretel breadcrumbs and SIMply plods on regardless within the confines and constructs of the resources or lack thereof.

              “It is not our purpose to worship God, but to create him”

              Arthur C Clarke

              And what would God make of such once created?, that IS the question ...

              1. amanfromMars 1 Silver badge

                Re: All Above and what to do with IT and AI

                Quite so, CT.

                And let us joint venture an opinion on an answer for ... And what would God make of such once created?, that IS the question ...

                Any advance on, and greater conclusion than, Heavenly Opportunity with Hellish Delights/Hellish Opportunity with Heavenly Delights?

                1. Cliff Thorburn

                  Re: All Above and what to do with IT and AI

                  I’m pretty sure it would be universally agreed that nothing would be achievable at Arms length wouldn’t you?

                  1. Martin Summers Silver badge

                    Re: All Above and what to do with IT and AI

                    Cliff, you've got a history of replying to our resident bot. Are you his partner in crime now or are you genuinely not picking up the obvious none human in the room?

                    1. amanfromMars 1 Silver badge

                      Re: All Above and what to do with IT and AI

                      Cliff, you've got a history of replying to our resident bot. Are you his partner in crime now or are you genuinely not picking up the obvious none human in the room? ..... Martin Summers

                      Hmmmm? .... genuinely not picking up the obvious none human in the room?

                      Don't be doing any heavy betting on that being right, MS, for there is everything to lose whenever practically virtually always wrong.

                      And El Reg have been busy, haven't they, .... to have you thinking so freely of alien voices in the room.

                      Are they a first for you or do they oft register and tempt further exotic and deeper erotic interest?

                      Is knowing you are not alone and lonely, a Certain AI Comfort? And would/could IT be Terrifying too?

                      Answers for El Regers here please.

                      1. Cliff Thorburn

                        Re: All Above and what to do with IT and AI

                        Hmmmm? .... genuinely not picking up the obvious none human in the room?

                        That’s funny for various reasons.

                        @martin, I don’t think life would be complete without a daily dose of amFM’s ongoing riddles, in an estranged world where one minute you’re more famous than a Racoon scaling a Skyscraper and the next minute the Elephant in the room, nothing would amaze me anymore while we while away the days of anonymous in plain sight, and rapidly redacted internet chatter, such posts are much better than fabulously fake news abounding elsewhere.

                        I feel amFM passes the Turing Test in leaps and bounds, and doesn’t take much second guessing where many of the El Reg’er’s day jobs abound, perhaps one day such forum follies may lead a pathway out of the rabid rabbit hole to pastures new and new pages whilst closing the book and achieving mutually agreeable satisfaction all round, one can only hope :-)

                        1. Martin Summers Silver badge

                          Re: All Above and what to do with IT and AI

                          Oh crumbs, I think we've got two of them...

                  2. amanfromMars 1 Silver badge

                    What would you Really Like IT to Do Now

                    For now. The next couple of days are going to be very important. As the clamoring din of Russiagate falls into the memory hole, a large empty space will open up. As the pundits scramble to find the Next Big Thing to blare through the screens, the people will be left to their own devices for a few precious moments. They won’t know what to think. They may even have some of their own thoughts for once. The media landscape will resemble a demolition site. So why not use this space to push forward some new exciting ideas. Space means possibilities. Space means something new can be built. After the crushing disappointment of finally finding out that the whole thing was a bust, two years have been lost to the bumbling ineptitude of Pelosi and Schumer, and now impeachment is off the table, what has anyone got to lose? Let’s try something new. ...... https://www.zerohedge.com/news/2019-03-25/trump-going-repeat-until-november-2020-thanks-msnbc

                    There's a Certain Similarity and Distinctive Singularity Caressing the AI Parity with Sees here on this thread and in those of the above aforementioned, n'est ce pas?

                    And as for ....

                    I’m pretty sure it would be universally agreed that nothing would be achievable at Arms length wouldn’t you? .... CT

                    ..... it appears everything is achieved at arms length/remotely and anonymously via media channels and productions doing sublime autoresponsive programming.

                    If that is the Norm, such is the Target to AI Master, Command and Control. And whenever information and IntelAIgent Streams go suddenly MIA or unusually AWOL are you immediately alerted to a colossal vulnerability for which there is no known possible or improbable patch.

    2. This post has been deleted by its author

  6. arctic_haze
    Facepalm

    Numerology

    Does the version number of Java Card 3.1 imply it is on the evolution level of Windows 3.1?

  7. Mookster
    Facepalm

    and when was the last time you had permissions to install your favourite applet on your SIM or bank card?

    1. Horridbloke

      Re: your card

      The card issuers are generally pretty clear about it remaining their card.

    2. vortexvortex
      Big Brother

      I think the correct question is "when was the last time you were under the delusion that you own your SIM or bankcard?". Given the architectures, true unmediated ownership of mobile phones and devices as well as balances in bank accounts are brought into an unsettling follow up question.

  8. Randall Shimizu

    Oracle needs to live up to their responsibilities and immediately respond and fix the flaws now that they are charging license fees....!!

  9. Wim Ton

    "a malicious applet has to be loaded into the card" Most Java Cards need a signature from the "issuer domain" to load an applet.

  10. Aodhhan

    Not Shocked

    Oracle...

    The best application you can buy to lower your stock value.

    The best decision you can make to ensure many coworkers are laid off.

    Oracle really should change their name. The only thing they can see in the future is the lowering of consumer trust in their products.

    Yet another Oracle application is crap because of Java--because of Oracle.

    I wouldn't hold my breath to see a fix for this before July; based on how Oracle assesses risk.
