Category Archives: News

All kinds of news about Java Card, including new research, new products, conferences, etc.

Attacking IoT is really easy

A few days ago, Metasploit announced that their famous tool is now available to car hackers, and soon for any connected object. Metasploit is a well-known tool for web apps, and extending it to objects simply makes these objects as easy to hack as web apps. Indeed, there are many aspects in common between […]

Fighting poker-winning AIs on IoT Security

Published attacks tend to repeat themselves this year, but in the last few days, there have been a few interesting events and publications, in particular: Adi Shamir has made gloomy predictions about security in the next 15 years. Bruce Schneier has published a long essay about IoT security, with a vibrant and desperate call for […]

Traffic cameras, legal rules, and accusers

A few days ago, I watched Gone Girl on TV, a story about mounting evidence against an innocent person. And then, I looked at an article about challenging a traffic camera citation (in the US). The link between the two stories is evidence, of course. Traffic camera evidence incriminates a car, not a driver. The […]

The lowest hanging card

The latest news on six-second card hacking is very entertaining, and frankly, not reassuring. This thing is as simple as it is stupid. The CVV2/CVC2 is a secret number computed by banks using a secret key, so it is validated by the issuing bank. Apparently, most (all?) of them have chosen not to […]

IoT Security as Externality: Cluelessness, Denial, and more

Not my problem. That’s the 3-word definition of an externality: something that you don’t need to deal with, because the adverse consequences are not affecting you directly. This has been an issue for cybersecurity forever (Schneier, 2007), and it is widely known that the issue is particularly pressing with IoT (Schneier again, 2016). I have […]

Logical Attacks in the Java Card security landscape

Logical attacks on Java Card have been known for a long time, and they have also been a focus of a lot of academic research, which still continues today. Earlier this week at Cardis 2016, there were two presentations on logical attacks. I will not discuss the details of the attacks that are being […]

SMS-based 2-factor: Good or Bad?

Wired recently published an article about how SMS-based 2-factor authentication is not good. This article is making a buzz, and an article appeared on that topic in Fortune. The basis for these articles is that SMS-based authentication is not associated with something you have (your phone), but with something you are loosely associated with (your […]

Java Card software attacks

There have been two papers at SSTIC’16 that outline the limits of bytecode verification in the context of Java Card. One of the papers, by Guillaume Bouffard and Julien Lancia, describes a bug found in Oracle’s bytecode verifier through fuzzing (yes, it’s been fixed). The second one, by Jean Dubreuil, outlines several logical and combined […]

Java Card LinkedIn stats

I was looking for updated statistics on Java Card, so I turned to LinkedIn to look at the Java Card skill. The information available is declining a bit (for instance, there is no trend or relationship to age any more, or at least I couldn’t find it). Yet, it reveals interesting information. Over 3000 people […]

Fiction (maybe): Who will refuse to break a secure element?

Apple is refusing to break an iPhone for the FBI. I believe that they are right to do so, but also that this position isn’t that easy for everybody to stand by. So, here is a little fiction (well, I think it is fiction) about this. The iPhone is a secure device, so the best way […]