Experts question Java mobile smartcard security

Few people are trying to hack into Java smartcards now, but that will change as the technology becomes more common, experts say

Security experts have questioned whether the JavaCard technology that has been adopted as the standard for securing GSM (Global System for Mobile Communications) mobile phone communications is actually that secure.

Sun Microsystems revealed Tuesday that its JavaCard architecture is to be applied by mobile phone manufacturers across Europe to enable users to experience mobile banking and e-commerce through the security of Java's architecture.

JavaCard is already used widely throughout the smartcard industry and is touted as a highly secure hardwired solution. Java may be an inherently secure programming language, but security expert Neil Barrett of Information Risk Management believes that this should not fool us into assuming that Java-based smartcard security is infallible. "Part of the reason a smartcard is more secure than a PC is that it's more difficult to get software onto a card than a PC. When you use Java you have a better chance of getting malicious software onto a card. There are any number of malicious applets already out there."

Barrett confirms that few people are trying to hack into smartcards at the moment but says that hackers and phone phreakers are likely to get more involved in this as the technology becomes more common. "The more prevalent a system is, and especially if people are relying on it for things like banking transactions, the more people are going to try to hack, break into and manipulate it."

One ex-phone hacker agrees that this issue should by no means be overlooked. "Java has got things going for it and against it. It wasn't actually designed with security in mind, it was designed to be robust. You can't gain access to hardware that the Java virtual machine says you can't, but most mobile phone manufacturers probably don't manufacture with that in mind. You also have to remember that everything has security weaknesses, some of them just haven't been discovered yet."

A spokesperson for ActiveCard, which develops part of the software architecture of JavaCard technology, claims that JavaCard should be considered solid. He says, "GSM phones featuring JavaCard technology with ActiveCard's digital identity applets put secure, convenient access to e-business transactions. As the mobile commerce market expands, users will require secure authentication solutions."

Sun Microsystems was unavailable for comment.
