Cybersecurity researchers have uncovered a new hacking method that takes advantage of vulnerabilities in eSIM technology, which is currently employed in modern smartphones. This worrying revelation heightens security concerns for the billions of users utilizing these embedded SIM cards, particularly those powered by Kigen’s eUICC cards, which according to Kigen’s website have been integrated into over two billion IoT devices as of December 2020.
The findings were released by Security Explorations, a security research lab that received a $30,000 bounty from Kigen for its comprehensive security report. An eSIM, or embedded SIM, is a digital SIM installed directly in the device, allowing users to activate a cellular plan without needing a physical SIM card.
In a recent advisory, Kigen revealed that the vulnerability stems from the GSMA TS.48 Generic Test Profile, which is utilized for testing radio compliance in eSIM products. Specifically, the vulnerability permits the installation of non-verified, potentially malicious applets.
The latest update, GSMA TS.48 v7.0, which was released last month, aims to mitigate this vulnerability by imposing restrictions on the testing profile’s use. Security Explorations elaborates that an attacker would need physical access to the eUICC and the use of publicly available keys to successfully exploit this weakness, paving the way for the installation of harmful JavaCard applets that could jeopardize user security.
Moreover, the vulnerability could enable attackers to extract identity certificates from Kigen’s eUICC, allowing them to download arbitrary mobile network operator (MNO) profiles in cleartext. This significantly raises the stakes, as it could lead to unauthorized access to MNO secrets and malicious tampering with operator profiles.
Security Explorations builds upon its previous research from 2019, which identified various security flaws in Oracle Java Card technology that also posed risks for Gemalto SIM cards. These vulnerabilities may allow attackers to break the memory safety of the Java Card VM, gain full access to its memory, and even execute native code, despite Oracle having downplayed the severity of these security concerns.
While executing such attacks may seem formidable, skilled nation-state groups could feasibly carry them out. They could potentially plant a backdoor in eSIM cards, intercepting communications while rendering operators powerless to control or invalidate malicious profiles.
Ultimately, the successful theft and misuse of a single eUICC or GSMA certificate represents a serious security flaw within the eSIM architecture, a concern highlighted by Security Explorations.