Java Card++ ?

I was part of the team that defined the binary format that has been in use since the end of the 1990’s. The selected solution was not my preferred one, as I preferred a pre-linked version. At the time, everybody agreed that on-card verification was too ambitious, so this was never considered for Java Card 2.1, the ancestor of today’s Java Card specification.

In the following years, we wasted a lot of time working on a much more ambitious version of Java Card, which never made it, but we never worked on addressing this issue of unverified bytecode, mostly because we had the cryptographic protections provided by GlobalPlatform. If nobody can load unverified bytecode, where is the problem?

As an evaluator, this allowed me to reverse engineer many types of Java Card, as I was allowed to download unverified (and very much illegal) bytecode into cards. Over time, most virtual machines have included runtime countermeasures, and some implementations have been difficult to attack with illegal bytecode for quite a while.

Yet, Java Card has become an industry standard. Strong implementations exist, in which loading unverified bytecode is about impossible, and then, exploiting unverified bytecode is challenging. But on the other hand, weaker platforms also exist, and recently, following a combination of mistakes from various stakeholders, one of them was broken; luckily, by a researcher, not by a criminal.

The real surprise is not that this has happened. It is that it took over 25 years for it to happen. The lack of on-card verification has always been a weakness in the Java Card story. Over the past 25 years, there have been a few attempts to address the issue, but the industry never adopted them. Isn’t a solution to this issue a bit overdue?

The smart card industry is a small industry, with few actors, and Java Card has been a great success, its interoperability providing the basis for the deployment of billions of products every year. But the industry has been complacent, and although I am not part of it any more, I bear some of this responsibility since I have headed the Java Card Forum’s Technical Committee for a few years. I defended off-card bytecode verification many times, for instance in 2011 and quite vehemently in 2013.

But that was over 10 years ago, and I would now argue that it’s time to fix this issue. Despite minor updates, the core Java Card technology is over 25 years old. The similarity between the latest version of the Java Card Virtual Machine specification with its first interoperable version is striking. There have been almost no changes. The CAP file format is antiquated, and an update could allow all vendors to ensure that no illegal bytecode is allowed to run on the any card.

From a now outsider’s viewpoint, I believe that after the recent developments and an issue impacting the security of millions of unsuspecting users, the usual denials sound really out of touch with reality, so I am asking the Java Card community a simple question: Since you are pushing for Java Card to be the basis for our personal security, and asking us to trust you with our sensitive data, including our identity, isn’t it now the right time to put this bytecode issue behind us once and for all?

August 18, 2025 – 7:47 | By Eric Vétillard | Posted in Java Card 2.x, News, Security | Comments (0)

Uh oh, Google just stopped updating my kids’ phones

So, Google has revoked Huawei’s Android license. Huawei’s new phones won’t get any of the nice Google features like Google’s store, Gmail, and more. But also, all existing Huawei phones will stop receiving updates from Google. What? This includes my kids’ Honor-branded phones, and as far as I know, a significant portion of the kids […]

Read More

May 20, 2019 – 21:13 | By Eric Vétillard | Posted in Discussions, Mobile Security, News | Tagged | Comments (0)

Is the IoT apocalypse coming, or not?

There is a wide agreement on the fact that IoT is much more vulnerable to attacks than traditional internet, and even on the fact that IoT attacks could lead to considerable damage to all kinds of assets, logical and physical. But risk is not just about vulnerability level and potential consequences. There is also intent. […]

Read More

January 6, 2019 – 20:08 | By Eric Vétillard | Posted in Economics, IoT Security | Comments (0)

We’re back for 2019!

It’s 2019, and it took me 2 months (including a great deal of procrastination) to fix a PHP version issue after a site migration. My hate of PHP just grew a bit more… In this early 2019, the Road to Bandol can be quite dangerous, as exemplified by the video below: Yep, that’s the Bandol […]

Read More

January 6, 2019 – 17:01 | By Eric Vétillard | Posted in Discussions, Open issues | Comments (0)

Time bombs, from climate to IoT security

The comparison between IoT security and climate change is getting better every single day, and I am not sure that this is good news. A few minutes ago, a tweet on climate change got my attention: This is not the new normal, just a pit stop on the way to decades and decades of deteriorating […]

Read More

August 10, 2018 – 16:23 | By Eric Vétillard | Posted in IoT Security | Comments (0)

The Collective Risk of IoT

One of the favorite activities of certification experts is to define security levels based on risks. Such levels allow us to put the items to be certified in well-defined boxes. Then, we can certify them according to the rules on that box/level. Until recently, life was easy, and we could define levels easily. Since 3 […]

Read More

April 3, 2018 – 16:19 | By Eric Vétillard | Posted in Economics, IoT Security | Comments (0)

Should we Protect Cars from Terrorists?

Some days ago, Mark Cuban published on LinkedIn a question about weaponized cars: who has developed solutions to detect/prevent such events? I live close to Nice, so I would definitely extend the question to trucks, and basically to anything heavy that moves faster tn humans. Terrorists are not easy to distinguish from normal drivers before […]

Read More

September 5, 2017 – 16:07 | By Eric Vétillard | Posted in News | Comments (0)

Is it Reasonable to Own a Connected Car?

I have been hearing for a while that « cybersecurity is a process » and that one of the issues with executives is that they don’t understand that: most of them think that cybersecurity is a problem that should be solved by engineering. When you think about an online service’s lifecycle, it all makes sense. […]

Read More

August 16, 2017 – 16:01 | By Eric Vétillard | Posted in IoT Security | Comments (0)

Des contraintes naît la beauté

This quote from Leonardo da Vinci “Beauty is born from constraints” was chosen by Alain Colmerauer as the motto for Prolog IV, the last iteration (for now) of the Prolog language, déveloped by Prologia in the early 1990’s. Alain Colmerauer passed away this week. I have plenty of memories about him, starting from classes with […]

Read More

May 16, 2017 – 22:37 | By Eric Vétillard | Posted in News | Comments (1)

Think like an attacker with a bottom-up threat analysis

A risk analysis is a great tool when planning the security of a product. This is typically done with a top-down methodology: You first define assets, then identify threats or risks on these assets, followed by attack strategies and attack objectives, countermeasures, getting finer and finer. These methodologies present many advantages, and one of the […]

Read More

March 22, 2017 – 15:48 | By Eric Vétillard | Posted in IoT Security | Comments (0)