eSIM Technology Vulnerability Poses Significant Hacking Threat to Smartphones

Key Takeaways

  • A vulnerability in eSIM technology could allow attackers to install malicious code and compromise mobile profiles.
  • The flaw affects the Kigen eUICC card, used in many smartphones and IoT devices, and has been acknowledged with a $30,000 bug bounty.
  • Exploitation of this vulnerability could lead to severe breaches, including unauthorized access to sensitive mobile operator secrets.

Vulnerability in eSIM Technology Exposed

A recent discovery by Security Explorations, a Polish security research laboratory, unveiled a significant flaw in eSIM technology, specifically impacting Kigen’s eUICC card. This card is responsible for enabling digital SIMs in numerous phones and IoT devices, with over two billion eSIMs activated by 2020. Kigen has confirmed the vulnerability and rewarded the researchers with a $30,000 bug bounty.

eSIMs operate without physical cards by storing a digital SIM on a chip, allowing users to switch mobile plans remotely. This method of operation offers increased flexibility, but it also presents serious security risks. The identified vulnerability pertains to older versions (6.0 and below) of the GSMA TS.48 test profile specification, which is utilized for radio testing. The exploit could potentially allow anyone with physical access to a device to install unauthorized applets using public keys, thereby compromising key software components of the SIM.

A patch has been incorporated into the GSMA test profile version 7.0, which addresses these concerns by restricting how older test profiles can be used. All previous versions have been deprecated to enhance security.

If leveraged, this flaw can enable attackers to extract the eUICC’s identity certificate. This access might lead to more dangerous scenarios, such as downloading operator profiles in plaintext, gaining access to sensitive mobile network operator (MNO) secrets, and manipulating profile installations and management. Alarmingly, attackers could insert profiles without arousing any suspicion.

The findings build upon previous research conducted in 2019, where vulnerabilities in Oracle’s Java Card system were exposed. This earlier work demonstrated that unauthorized code could break into a SIM’s memory and bypass essential security measures, raising significant alarm regarding the security of eSIM technology. While Oracle had dismissed those vulnerabilities as not affecting real-world use, Security Explorations now asserts that the risks are substantial and directly related to contemporary threats facing eSIMs.

Though it may seem challenging to exploit this vulnerability, well-resourced malicious actors, including nation-state entities, could pose a serious threat. Under specific conditions, attackers might successfully embed a backdoor in an eSIM, allowing them to monitor user activities while avoiding detection by the remote control safeguards intended to protect the system.

One significant risk associated with this vulnerability is the potential for an attacker to modify a downloaded SIM profile, making it impossible for operators to disable the profile or monitor its activities effectively. The research team indicated, “The operator can be provided with a completely false view of the profile state,” emphasizing the severity of the issue.

Ultimately, a single compromised eUICC or a stolen certificate could grant unauthorized surveillance over eSIM profiles across various operators, pointing to a deep-seated flaw within the eSIM infrastructure itself.

The content above is a summary. For more details, see the source article.
