Security storm brewing for Oracle Java-powered smart cards: More than a dirty dozen flaws found, fixes... er, any fixes?

By Shaun Nichols in San Francisco 22 Mar 2019 at 22:08

Bug hunters say Oracle's Java Card platform is host to a dozen and a half security flaws that could place smart-cards and similar embedded devices using the tech at risk of hijacking.

Adam Gowdiak, CEO of Security Explorations, said he and his team discovered and privately reported the vulnerabilities to Oracle and smart-card hardware biz Gemalto. Neither vendor has responded to a request for comment on possible updates.

Designed for things like SIM cards, payment cards, and other embedded tech, Java Card lets snippets of code, dubbed applets, run within a small memory footprint on cards and similar gadgets using the minimal processing power available in the widgets.

The buttons on a mobile phone glow in the dark READ MORE

These applets can perform authentication checks, cryptography, and other sensitive operations within the cards, using things like secret keys stashed on the devices without having to disclose them. Oracle estimates around six billion pieces of kit use the Java Card operating system in some way, shape or form.

In an advisory describing the bugs, Gowdiak explained that the 18 different security issues found by his team would potentially open the door for everything from security bypasses to complete takeover of the gizmos. In order to exploit the flaws, a malicious applet has to be loaded into the card, perhaps by a compromised or dodgy card reader, and due to a lack of internal protections, this injected software nasty can then potentially take over the card or cause other mischief.

The bugs were verified to exist on the most current version of Java Card 3.1.

"There are ways for malformed applications loaded into a vulnerable Java Card to easily break memory safety," Gowdiak explained. "Such a breach directly leads to the security compromise of a Java Card VM, applet firewall breach and jeopardizes security of co-existing applications."

He went on:

Gemalto is involved in the disclosure because one of the findings specifically impacts its GemXplore 3G V3.0-256K and 3G USIMERA Prime SIM card models.

While the vulnerabilities do pose a security risk, to realistically pull this off, you need to know firmware is running on the target card, and its architecture. That's not impossible to find out, of course. The vulnerabilities could provide the first step an attacker would need to perform a larger intrusion into a building or some other system. Given the high-value areas, such as finance and telecoms, where Java Card operates, such bugs could prove highly valuable should they not be properly patched.

Should a fix for the vulnerabilities come from Oracle, the most likely release date would be April 16, when Big Red's next quarterly patch dump is scheduled. In other words, no, we're not aware of any fixes available yet. ®

Sponsored: Becoming a Pragmatic Security Leader