This service is intended in particular for companies and organizations in the financial, government, transportation and telecommunication sectors. It is offered as a direct follow-up to our company's discovery of multiple security issues in Java Card technology.
This service combines the best of our skills and experience acquired over 20+ years of breaking Java security and reverse engineering binary code.
As part of the service, the following analyses are conducted on Java-based cards of the customer's choice, such as SIM, banking, transportation or identity cards:
- reverse engineering of the card's internals
- verification of whether any remote (exploitable over the air / contactless interface) vulnerabilities can be found in the various interfaces implemented by a card
- verification of whether any unpublished / dangerous APDU commands are implemented by a card
- verification of whether any unpublished / dangerous applications are preinstalled on a card
- verification of whether any "local" vulnerabilities can be found that would make it possible to gain access to a card / install backdoor code onto it upon physical access (while the card / phone is left unattended)
- verification of whether any backdoor-like functionality was built into a card
- verification of whether any configuration / file system settings can jeopardize the card's security
- verification of the feasibility of implementing stealthy and persistent backdoor code in the environment of a specific card (such as a SIM)
Sample know-how acquired as part of the reverse engineering phase of the service conducted for Java-based SIM cards is provided in this document.