Hello, Russel:

Since the backdoor is mandated by the SIM standards, it is true of all standards-compliant Java Card SIMs.

ETSI TS 102 226 states:

"The access rights granted to an application and defined in the access domain parameter shall be independent from the access rights granted at the UICC/Terminal interface. NOTE: This implies in particular that the status of a secret code (e.g. disabled PIN1, blocked PIN2, etc.) at the UICC/Terminal interface does not affect the access rights granted to an application. If an application with Access Domain Parameter 'FF' (i.e. No Access to the File System) tries to access a file the framework shall throw an exception. If an application has Access Domain Parameter '00' (i.e. Full Access to the File System), all actions can be performed on a file except the ones with NEVER access condition."

As you point out, this may not be true of non-standards-compliant SIMs, but I suspect there are few of those in use.

You can imagine the surprise of a subscriber when PIN-protected data shows up on the screen courtesy of a Java applet and the subscriber knows that they haven't entered their PIN.

Cheers, Scott

-----Original Message-----
From: Dr Russel Winder [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 11, 2004 11:56 AM
To: MUSCLE_List
Cc: [EMAIL PROTECTED]
Subject: RE: [Muscle] Wireless Wallet - Already in Korea

On Thu, 2004-03-11 at 12:26, Scott Guthery wrote:

[ . . . ]

> Did you know, for example, that the telecom operator can load an
> applet into the SIM that can read PIN-protected files even when the
> PIN has not been entered? This is because of a backdoor in the smart
> card operating system provided by the smart card manufacturers that
> lets the Java Virtual Machine access files without access control checking.

This is only true of some smart card systems. Surely this is a reason to not use certain operating systems rather than a reason not to use a SIM at all?

-- Russel.
====================================================================
Dr Russel Winder, Chief Technology Officer    Tel: +44 20 8680 8712
OneEighty Software Ltd                        Fax: +44 20 8680 8453
Cygnet House, 12-14 Sydenham Road             [EMAIL PROTECTED]
Croydon, Surrey CR9 2ET, UK                   http://www.180sw.com

_______________________________________________
Muscle mailing list
[EMAIL PROTECTED]
http://lists.musclecard.com/mailman/listinfo/muscle
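The rule Scott quotes from ETSI TS 102 226, modelled in code as an added example that is not part of this thread or of any SIM vendor's implementation: an applet's file rights come solely from its Access Domain Parameter (ADP), and the terminal-side PIN state is never consulted. The install-parameter TLV layout (tag 0x81 carrying a one-byte ADP) and the sample requests are constructed for the demo and are not the real TS 102 226 encoding; only the two ADP values the thread mentions ('00' full access, 'FF' no access) are decoded. The audit function shows what an operator or auditor would look for before approving an applet load: anything granted '00' can read PIN-protected files with no PIN entered.

```python
"""Added example: model the TS 102 226 applet file-access rule and audit
applet install requests for the rights they would receive.

Assumptions (constructed for this demo, not the real encoding):
  * tag(1) length(1) value(n) TLVs; tag 0x81 holds the one-byte ADP
  * only ADP '00' (full access) and 'FF' (no access) are decoded
  * file access conditions such as "PIN1" / "NEVER" are sample strings
"""

ADP_FULL_ACCESS = 0x00   # quoted in the thread: full file-system access
ADP_NO_ACCESS = 0xFF     # quoted in the thread: no file-system access
ADP_TAG = 0x81           # assumed tag for the Access Domain Parameter


class AccessDeniedException(Exception):
    """Stands in for the exception the UICC framework throws for ADP 'FF'."""


def parse_install_params(blob: bytes) -> dict:
    """Parse a flat sequence of tag(1) length(1) value(n) elements.

    Raises ValueError on a truncated header or value so that a malformed
    request is rejected rather than silently defaulting.
    """
    params = {}
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated TLV header at offset %d" % i)
        tag, length = blob[i], blob[i + 1]
        value = blob[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value for tag 0x%02X" % tag)
        params[tag] = value
        i += 2 + length
    return params


def access_domain_parameter(blob: bytes) -> int:
    """Return the ADP byte from an install-parameter blob."""
    adp = parse_install_params(blob).get(ADP_TAG)
    if adp is None or len(adp) != 1:
        raise ValueError("missing or malformed Access Domain Parameter")
    return adp[0]


def applet_file_access(adp: int, access_condition: str, pin_verified: bool) -> bool:
    """Decide whether an applet may act on a file under the quoted rule.

    The security-relevant property: pin_verified is never consulted.
    A full-access applet is blocked only by a NEVER access condition.
    """
    if adp == ADP_NO_ACCESS:
        raise AccessDeniedException("ADP 'FF': no access to the file system")
    if adp == ADP_FULL_ACCESS:
        return access_condition != "NEVER"
    # Other ADP values carry finer-grained rights not decoded in this demo;
    # treat them conservatively as not granted.
    return False


def audit_install_requests(requests: dict) -> dict:
    """Classify each applet's request by the file-system rights it would get
    regardless of whether the subscriber ever enters a PIN."""
    report = {}
    for name, blob in requests.items():
        adp = access_domain_parameter(blob)
        if adp == ADP_FULL_ACCESS:
            report[name] = "full file-system access, independent of PIN state"
        elif adp == ADP_NO_ACCESS:
            report[name] = "no file-system access"
        else:
            report[name] = "restricted (ADP 0x%02X not decoded here)" % adp
    return report


# Constructed sample install requests; tag 0x80 is an unrelated filler TLV.
SAMPLE_REQUESTS = {
    "wallet": bytes([0x80, 0x02, 0x01, 0x02, ADP_TAG, 0x01, 0x00]),  # ADP '00'
    "banner": bytes([ADP_TAG, 0x01, 0xFF]),                           # ADP 'FF'
    "partial": bytes([ADP_TAG, 0x01, 0x02]),                          # other
}

if __name__ == "__main__":
    for applet, verdict in audit_install_requests(SAMPLE_REQUESTS).items():
        print("%-8s %s" % (applet, verdict))
    # A PIN1-protected file is readable by a full-access applet with no PIN entered.
    print(applet_file_access(ADP_FULL_ACCESS, "PIN1", pin_verified=False))
```

The point of `applet_file_access` is that its `pin_verified` argument is dead: that is exactly the independence the standard mandates, and why an audit of install requests should key on the ADP rather than on anything the terminal side enforces.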
