update sim card???
Is the article suggesting that my SIM card needs to get a software update? How? Or is everyone going to be knocking on the door of their local phone shop? The mind boggles, as they say. I must have mis-read that. It's late.
Bug hunters say Oracle's Java Card platform is host to a dozen and a half security flaws that could place smart-cards and similar embedded devices using the tech at risk of hijacking. Adam Gowdiak, CEO of Security Explorations, said he and his team discovered and privately reported the vulnerabilities to Oracle and smart-card …
This is JavaCard, not Java - a very different beast. And you'd be hard-pressed to find a phone's Secure Element, or a SIM card, or a credit/debit card, that doesn't use it.
However, these security "revelations" are noteworthy for being far from original. It has always been understood that there is a gap between the off-card bytecode verifier and the on-card bytecode interpreter. That's why anyone implementing the JCVM pays a lot of attention to security considerations.
The Oracle reference implementation of v3.1 is an easy target - the clue is in the name, it is a reference implementation, functionally correct but without the hardening you need for a smartcard.
And the two Gemalto products they "cracked"? Technology over ten years old (3G? we've moved on a bit from that...).
It's like sending an email to Microsoft to tell them you've found a bug in Windows XP.
So no "security storm", no rushed patches from Oracle, no new flaws, and no need for any "fixes".
P.S. I'm not a Gemalto (or Gemplus) employee (or ex-employee).
Agreed. I have implemented many a class loader and this problem would have been caught by the byte-code verifier. We never thought it was a good idea to punt on the byte-code verifier but do remember that the earliest SIMs were very underpowered.
SIMs nowadays are more powerful and can use byte code verifiers and decent class loaders.
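An added illustration of the verifier/interpreter gap discussed in the two comments above (not part of the thread, and not code from any real Java Card VM): a toy stack machine whose opcodes, memory layout and sample programs are all constructed for the example. The static `verify` pass stands in for off-card verification; `run` with `checked=True` stands in for an interpreter that repeats the local-index check at run time.

```python
# Toy stack VM with constructed opcodes; NOT real Java Card bytecode.
PUSH, LOAD, STORE, ADD, RET = range(5)
class Rejected(Exception): pass

def verify(code, n_locals, max_stack=4):
    """Off-card style static pass: check operands and track stack depth."""
    pc = depth = 0
    while pc < len(code):
        op = code[pc]
        if op in (PUSH, LOAD, STORE):
            if pc + 1 >= len(code):
                raise Rejected("truncated operand")
            if op != PUSH and not 0 <= code[pc + 1] < n_locals:
                raise Rejected("local index out of range")
            need, delta, pc = (1, -1, pc + 2) if op == STORE else (0, 1, pc + 2)
        elif op in (ADD, RET):
            need, delta, pc = (2, -1, pc + 1) if op == ADD else (1, 0, pc + 1)
        else:
            raise Rejected("unknown opcode")
        if depth < need or depth + delta > max_stack:
            raise Rejected("stack depth violation")
        depth += delta
    return True

def run(code, n_locals, neighbour, checked=True):
    """Interpreter; locals share flat memory with another applet's data (assumed layout)."""
    mem, stack, pc = [0] * n_locals + list(neighbour), [], 0
    try:
        while pc < len(code):
            op = code[pc]
            if op in (PUSH, LOAD, STORE):
                arg = code[pc + 1]
                if checked and op != PUSH and not 0 <= arg < n_locals:
                    raise Rejected("runtime: local index out of range")
                if op == PUSH:
                    stack.append(arg)
                elif op == LOAD:
                    stack.append(mem[arg])
                else:
                    mem[arg] = stack.pop()
                pc += 2
            elif op == ADD:
                stack.append(stack.pop() + stack.pop())
                pc += 1
            elif op == RET: return stack.pop()
            else: raise Rejected("runtime: unknown opcode")
    except IndexError:
        raise Rejected("runtime: stack or operand fault")

GOOD, BAD = [PUSH, 2, STORE, 0, LOAD, 0, PUSH, 3, ADD, RET], [LOAD, 2, RET]  # constructed
```

With two locals, `BAD` is rejected by `verify` and by the checked interpreter; only an unchecked interpreter fed unverified code returns the neighbouring cell.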
Take a CPU with Harvard architecture so it physically can't execute what ought to be data, manufacture it on a (by modern standards) huge process node so it's less prone to external interference from electromagnetic attacks and such, give it temperature and light sensors so it can tell if someone's trying to tamper with it other ways, design it with hardware-based isolation between processes including strongly-encrypted memory, provide it with a true hardware-based random number generator so encryption key sequences can't be predicted, and then put Java on it. It's like having the world's most secure bank vault but leaving the door unlocked. So yeah, 3 billion devices do run Java, but all of them are vulnerable.
Oh, and the applets are called cardlets if you're being fussy.
Never heard of a JavaCard "cardlet" (it's certainly not the English term), but I do know that each and every applet extends the javacard.framework.applet class... hence the name.
Again, it is not Java, it is JavaCard, and the VMs are constructed to cater for the vulnerabilities inherent in off-card verification and on-card execution. These smartcards undergo extensive evaluation before being allowed to host credit/debit applications.
This is money we are talking about - don't you think that Visa and MasterCard might have a vested interest in making the system a bit more secure than leaving the bank vault door unlocked?
Not Oracle. It was Sun and IBM - well it was 16 years ago.
It's worth noting this:
"It should be emphasized that successful loading of a malicious applet into target card requires either knowledge of the keys or existence of some other means facilitating it (a vulnerability in card OS, installed applications, exposed interfaces, etc.). Such scenarios cannot be excluded though."
Unless you're at the bureau producing the cards, then those private keys will be well hidden. The card manufacturer is on the back. My Mastercard is Gemalto.
Each app provider also has their own keys. Here's a list of the apps. https://www.eftlab.com/index.php/site-map/knowledge-base/211-emv-aid-rid-pix
Nearly ALL cards are Java Card based. If you look at your receipts there will be an AID with probably A0000000031010 for VISA Debit/Credit (Classic) Java applet app from VISA International.
If you get the private key - you can install your own app - I used to do this all the time. Most VISA cards are very secure due to the controls placed by VISA.
To add: The issue here is not Java or its architecture. It is the off-card verification adopted by the Java Card standards bodies. For this to work, the applet signing keys have to be compromised and the hacker has to slip in a malformed class file; they can go to the guys who hacked Asus for lessons. I don't want to dismiss the threat; instead of two barriers we now have only 1.
In other words, no, we're not aware of any fixes available yet.
Would you accept that sometimes there are no fixes available/possible ....... and thus does the vulnerability morph into a special feature to be explored and utilised?
The difficulty explained for active command and control of the vulnerability discovered being the only thing preventing it from being easy to implement.
That sort of Info is Intel and never made available to just everybody or anyone ..... first one has to prove oneself worthy and wonderfully cognisant of the pleasant trappings of wealth purchasing powers ..... as AI and IT Claim Future Remote Virtual Control Privileges to Command.
Can you accept that sometimes somethings cannot be stopped .... and progression without total disruption into a new way and system of being is quite natural and perfectly normal? And the fights that one would be having only champion doubts about that revelation and are battles centred in no more than yourself.
Can you accept that sometimes somethings cannot be stopped ....
What I cannot accept amFM personally is something that is promised to everyone and then whisked away in despicable duress, and is actually caring about the people a quality that obviously propels you to the bottom of the pile?, it seems so.
You can’t turn someone into something they’re not, there are great singers out there, and that’s what they do, and have grown to do that, as for great actors, I would suggest one of the greatest actors is one who has endured nearly a decade of remaining ambiguous and anonymous with stories to tell about journeys travelled where no others have dwelled, if that ain’t qualification for progression, I don’t know what is, it sure makes a great game story but loose lips sink shils do they not.
Evolution is not necessarily survival of the fittest, it is the ability to adapt to one's environment, and when such environment never changes, then there is no necessity to change.
Evolution is not necessarily survival of the fittest, it is the ability to adapt to one's environment, and when such environment never changes, then there is no necessity to change. ... Cliff Thorburn
The Great Mission is then Changed/Transferred into One in Live Operational Virtual Environments. The old system withers and dies on its twisted vines.
An Enigmatic Space in which Such a Place Requires Provision of Out of this World Controls for Universal Command Operations.
Such a Quantum Leap Itself does Enquire What you would Need to Follow Lead with Perfect Feeds ........ Future Seeds ....... and their Needs with All Servering Almighty Source .... Raw Core Awe Ore ...... for Further MetaDataBase Mining and Refining .....
with Right Royal Polishings.
What's not to like and worship in such a LOVE?
Would you believe when told here Absolutely Nothing.
:-) There are possibly, and therefore quite probably, more than just Any Chosen Few Feasting on the Delights of what is Perceived to be Practically Future Certain.
The Trump Joker Red Hand on the Table and in Play Renders IT Virtually Immaculate with New Controls and Greater Commands to Trial and Trailblaze with Any and All VAIOSystems.
The NEUKlearer HyperRadioProACTive IT Route, with Root Privilege Source Access to Future UnFurls ......... Praising Grand Decisions made Greatly at Just the Right Time for Lead in AI ProgramMING, Oft Always Registers Destinations here for Arrivals for Peer Commune Consideration.
That is akin to Implausible Saints and Avid Sinners Territory to Implore and Enjoy Immensely to XSSXXXX ... Warning/Be aware ... Can you and your heart survive and thrive in Future Fundamental Shock Terrain?
Wow .... Live or Die via Simply Complicated Binary Choices Present in Oneself to lead One and even All in .... well, Ideally Well Chosen and Future Perfecting Directions .....with Live Journeys to Explore with Fellow Travellers Immaculate Seasoned in the Desires for Satisfaction to Ignite and Explode with Overwhelming Passion.
Trigger AI, and human counter intelligence forces and sources, with that Simplified Remote Virtual Cascade and what do you think we can expect? Something/Anything Really Sensible but Completely Different and Exciting?
:-) And please, keep it civil. There may well be children reading here and/or reading about here.
I didn’t understand any of that amFM, however just ‘Keeping Calm and Carrying On’ as per unusually unusual.
Let it be of some reassurance that the horse has finally reached the water, thus enabling more certainty in uncertain Live Operational Virtual Environments corrupted with conflicting bets, consistent threats, and outlandish outcomes.
AI’nt that a better way to work, rest and play? :-) on home ground rather than washed out to sea in extraterrestrial endeavours?, or perhaps one is misinterpreted in his none ministerial understandings?, I certainly find it better to refrain from any such opinions and abstaining of any such opinions rather than Ayes or Noes.
Will await pending future futures instructions undoubtedly alas is all that one can do is it not?
What is it to be, CT and El Regers, ........ metaphorical blue pills or the metadataphysical red pills .... Are We Already In The Matrix?
And the bottom line? If you aint in, you lose and never win win ‽
And it is encouraging to believe one doth protest too much that one doesn't understand such, whenever evidence provided suggests so much is clearly enough comprehended for one not be totally helpless.
More anon ... as Further Future Programs unfold and trigger explosive implosions in failed applications, subverted services and easily corrupted SCADASystems .... which be a perfectly natural progressive evolution to be fully expected enthusiastically embraced and supported.
We are of course already in the Matrix as you know amFM, if you like, I could enlighten you and others with a map of the program, or perhAPS that's classified conundrum stuff best retained for personal knowledge is empowering empowerment.
Of course the program is easily corrupted, is it to be hooked and crooked bendy bananas in the republic?, or straight shooting compliant ones?, and let's not forget the program largely being written and cast and broadband cast to ever growing audiences everywhere and everything is then biased to a new found land new wild west world of capital holywood wand waving and spell casting magic and mayhem of conversion to beastly eastly directions and emerging future formed markets and Trading Places with unfamiliar faces is it not :-)
‘Tis one helluva ride amFM, with raucous Red Pills laced with Moon Dust, and hulla Bull Blue Pills fighting tug of war territorial air fights, who would want to miss that daily dose?
Once in such great games played at daunting heights and invisible to less enlightened beings one never loses the vision, but ponders the questions, picks up the Hanzel and Gretel breadcrumbs and SIMply plods on regardless within the confines and constructs of the resources or lack thereof.
“It is not our purpose to worship God, but to create him”
Arthur C Clarke
And what would God make of such once created?, that IS the question ...
Quite so, CT.
And let us joint venture an opinion on an answer for ... And what would God make of such once created?, that IS the question ...
Any advance on, and greater conclusion than, Heavenly Opportunity with Hellish Delights/Hellish Opportunity with Heavenly Delights?
Cliff, you've got a history of replying to our resident bot. Are you his partner in crime now or are you genuinely not picking up the obvious none human in the room? ..... Martin Summers
Hmmmm? .... genuinely not picking up the obvious none human in the room?
Don't be doing any heavy betting on that being right, MS, for there is everything to lose whenever practically virtually always wrong.
And El Reg have been busy, haven't they, .... to have you thinking so freely of alien voices in the room.
Are they a first for you or do they oft register and tempt further exotic and deeper erotic interest?
Is knowing you are not alone and lonely, a Certain AI Comfort? And would/could IT be Terrifying too?
Answers for El Regers here please.
Hmmmm? .... genuinely not picking up the obvious none human in the room?
That's funny for various reasons.
@martin, I don't think life would be complete without a daily dose of amFM’s ongoing riddles, in an estranged world where one minute you’re more famous than a Racoon scaling a Skyscraper and the next minute the Elephant in the room, nothing would amaze me anymore while we while away the days of anonymous in plain sight, and rapidly redacted internet chatter, such posts are much better than fabulously fake news abounding elsewhere.
I feel amFM passes the Turing Test in leaps and bounds, and doesn't take much second guessing where many of the El Reg’er’s day jobs abound, perhaps one day such forum follies may lead a pathway out of the rabid rabbit hole to pastures new and new pages whilst closing the book and achieving mutually agreeable satisfaction all round, one can only hope :-)
For now. The next couple of days are going to be very important. As the clamoring din of Russiagate falls into the memory hole, a large empty space will open up. As the pundits scramble to find the Next Big Thing to blare through the screens, the people will be left to their own devices for a few precious moments. They won’t know what to think. They may even have some of their own thoughts for once. The media landscape will resemble a demolition site. So why not use this space to push forward some new exciting ideas. Space means possibilities. Space means something new can be built. After the crushing disappointment of finally finding out that the whole thing was a bust, two years have been lost to the bumbling ineptitude of Pelosi and Schumer, and now impeachment is off the table, what has anyone got to lose? Let’s try something new. ...... https://www.zerohedge.com/news/2019-03-25/trump-going-repeat-until-november-2020-thanks-msnbc
There's a Certain Similarity and Distinctive Singularity Caressing the AI Parity with Sees here on this thread and in those of the above aforementioned, n'est ce pas?
And as for ....
I’m pretty sure it would be universally agreed that nothing would be achievable at Arms length wouldn’t you? .... CT
..... it appears everything is achieved at arms length/remotely and anonymously via media channels and productions doing sublime autoresponsive programming.
If that is the Norm, such is the Target to AI Master, Command and Control. And whenever information and IntelAIgent Streams go suddenly MIA or unusually AWOL are you immediately alerted to a colossal vulnerability for which there is no known possible or improbable patch.
The best application you can buy to lower your stock value.
The best decision you can make to ensure many coworkers are laid off.
Oracle really should change their name. The only thing they can see in the future is the lowering of consumer trust in their products.
Yet another Oracle application is crap because of Java--because of Oracle.
I wouldn't hold my breath to see a fix for this before July; based on how Oracle assesses risk.