To keep your SIM card safe and protect against possible malicious SMS, a virtual SIM card on our SIMonline website will help.
Security researchers say they discovered 18 vulnerabilities in Oracle's reference Java Card implementation, along with one flaw in smart cards created by Gemalto whose products use Java Card technology. The flaws were reproduced on the Gemalto 3G USIMERA Prime and GemXplore 3G V3.0-256K 3G cards, as well as on Java Card 3.1 software, which Oracle released in January 2019.
Vulnerabilities in Oracle Java Card.
According to the company, these vulnerabilities can be used to “violate the security of the underlying Java Card VM memory” and gain full access to the card’s memory, crack the applet’s firewall, and possibly even achieve its own code execution. The Java Card virtual machine should typically protect the environment of the card and application from malicious applets.
However, exploiting flaws, which includes downloading a malicious applet to a target card, requires knowing the encryption keys used by the card issuer, or using some other method, which may include vulnerabilities in the card's operating system, installed applications, or exposed interfaces.
“These scenarios cannot be ruled out, as has been shown in the past,” said Adam Govdiak, CEO and founder of Security Explorations, SecurityWeek. “In 2013, Carsten Noll discovered a cryptographic vulnerability affecting a wide range of SIM cards, which allowed to remotely detect keys needed to load Java applets into cards (also from a remote computer). In 2015, there were reports of the alleged hacking of Gemalto (a major manufacturer of SIM cards) by the NSA and GCHQ. Hacking of special services, obviously, was aimed at the cryptographic keys of Gemalto SIM cards. ”
Goudiak says that although there is no reason to panic, the impact of the flaws of the Java cards discovered by his company will become more serious if someone finds an easy way to deploy Java applications on SIM cards - either remotely via NFC or using SMS messages. using SIM toolkits or device management interfaces or physical access to the SIM card.
Describing the theoretical attack scenarios, Gaudiak explained: “In the worst case scenario, you can imagine a malicious Java application that changes target operations with cards (banking, telecommunication or identification data) so that a hidden and permanent backdoor can be installed on the card. Our analysis of selected Gemalto SIM cards shows that the development of such a backdoor should be possible. ”
“With regard to bank cards / transport cards, it is likely that a malicious applet could interfere with payments made using the card or gain access to the private keys embedded in it,” he added.
The safety study provided only a brief description of the impact of its findings, but believes that this work can pave the way for future research in this area.
Security researchers sent their findings to Oracle and Gemalto on March 20, and both companies acknowledged receipt of the report. Goudiak says his company does not provide suppliers with a fixed deadline for patches to be released before details of the vulnerabilities are disclosed, given that some problems, especially those that affect the product architecture, can take a long time to fix. However, the company expects suppliers to acknowledge or deny the existence of problems and provide periodic status reports.