SIMonline

Service receive & sending SMS

Many vulnerabilities discovered in Oracle Java Card technology

1842   |     /   Security

Many vulnerabilities discovered in Oracle Java Card technology
Oracle's Java Card technology is designed to provide a secure environment for applications that run on smart cards, SIM cards, embedded secure elements, and other trusted devices that have limited memory and processing capabilities. Oracle claims that technology is deployed on nearly six billion devices per year, including in the financial, telecommunications, and government sectors.




To keep your SIM card safe and protect against possible malicious SMS, a virtual SIM card on our SIMonline website will help.

Security researchers say they discovered 18 vulnerabilities in Oracle's reference Java Card implementation, along with one flaw in smart cards created by Gemalto whose products use Java Card technology. The flaws were reproduced on the Gemalto 3G USIMERA Prime and GemXplore 3G V3.0-256K 3G cards, as well as on Java Card 3.1 software, which Oracle released in January 2019.

Vulnerabilities in Oracle Java Card.
According to the company, these vulnerabilities can be used to “violate the security of the underlying Java Card VM memory” and gain full access to the card’s memory, crack the applet’s firewall, and possibly even achieve its own code execution. The Java Card virtual machine should typically protect the environment of the card and application from malicious applets.

However, exploiting flaws, which includes downloading a malicious applet to a target card, requires knowing the encryption keys used by the card issuer, or using some other method, which may include vulnerabilities in the card's operating system, installed applications, or exposed interfaces.

“These scenarios cannot be ruled out, as has been shown in the past,” said Adam Govdiak, CEO and founder of Security Explorations, SecurityWeek. “In 2013, Carsten Noll discovered a cryptographic vulnerability affecting a wide range of SIM cards, which allowed to remotely detect keys needed to load Java applets into cards (also from a remote computer). In 2015, there were reports of the alleged hacking of Gemalto (a major manufacturer of SIM cards) by the NSA and GCHQ. Hacking of special services, obviously, was aimed at the cryptographic keys of Gemalto SIM cards. ”

Goudiak says that although there is no reason to panic, the impact of the flaws of the Java cards discovered by his company will become more serious if someone finds an easy way to deploy Java applications on SIM cards - either remotely via NFC or using SMS messages. using SIM toolkits or device management interfaces or physical access to the SIM card.

Describing the theoretical attack scenarios, Gaudiak explained: “In the worst case scenario, you can imagine a malicious Java application that changes target operations with cards (banking, telecommunication or identification data) so that a hidden and permanent backdoor can be installed on the card. Our analysis of selected Gemalto SIM cards shows that the development of such a backdoor should be possible. ”

“With regard to bank cards / transport cards, it is likely that a malicious applet could interfere with payments made using the card or gain access to the private keys embedded in it,” he added.

The safety study provided only a brief description of the impact of its findings, but believes that this work can pave the way for future research in this area.

Security researchers sent their findings to Oracle and Gemalto on March 20, and both companies acknowledged receipt of the report. Goudiak says his company does not provide suppliers with a fixed deadline for patches to be released before details of the vulnerabilities are disclosed, given that some problems, especially those that affect the product architecture, can take a long time to fix. However, the company expects suppliers to acknowledge or deny the existence of problems and provide periodic status reports.


Similar news


Facebook pays $ 10,000 for DoS error in Fizz TLS library

Although Facebook’s error reward program usually does not cover Denial of Service (DoS) vulnerabilities, the social media giant has decided to award a significant reward for a serious flaw related to Fizz, its open source TLS library.

Fire Control: API Automation Risks

Consider trends in API attacks, such as current (and failed) architectural solutions to secure these API transactions.

Trojan SpeakUp threat to Linux server

Researchers believe the new trojan could be the catalyst for the upcoming major cyber attack, armed with an impressive package of exploits and other tricks to spread.



SIMONLINE.SU

This is not only a service for receiving and sending SMS messages to virtual numbers, but also a tutorial on user safety in the modern world, the latest developments in IT, social media security, fresh programs and lessons that simplify our lives. So are other issues encountered by the average user. In simple words, each user will find for themselves something interesting or answers to their questions.

SIMonline © 2018 - 2024

All rights reserved