eSIM Vulnerability in Kigen’s eUICC Cards Exposes Billions of IoT Devices to Malicious Attacks
Cybersecurity researchers have discovered a new hacking technique that exploits weaknesses in the eSIM technology used in modern smartphones, exposing users to severe risks.
The issues impact the Kigen eUICC card. According to the Irish company’s website, more than two billion SIMs in IoT devices have been enabled as of December 2020.
The findings come from Security Explorations, a research lab of AG Security Research company. Kigen awarded the company a $30,000 bounty for their report.
An eSIM, or embedded SIM, is a digital SIM card that’s embedded directly into a device as software installed onto an Embedded Universal Integrated Circuit Card (eUICC) chip.
eSIMs allow users to activate a cellular plan from a carrier without the need for a physical SIM card. eUICC software offers the ability to change operator profiles, remote provisioning, and management of SIM profiles.
“The eUICC card makes it possible to install the so-called eSIM profiles into the target chip,” Security Explorations said. “eSIM profiles are software representations of mobile subscriptions.”
According to an advisory released by Kigen, the vulnerability is rooted in the GSMA TS.48 Generic Test Profile, versions 6.0 and earlier, which is said to be used in eSIM products for radio compliance testing.
Specifically, the shortcoming allows for the installation of non-verified, and potentially malicious applets. GSMA TS.48 v7.0, released last month, mitigates the problem by restricting the use of the test profile. All other versions of the TS.48 specification have been deprecated.
“Successful exploitation requires a combination of specific conditions. An attacker must first gain physical access to a target eUICC and use publicly known keys,” Kigen said. “This enables the attacker to install a malicious JavaCard applet.”
Furthermore, the vulnerability could facilitate the extraction of the Kigen eUICC identity certificate, thereby making it possible to download arbitrary profiles from mobile network operators (MNOs) in cleartext, access MNO secrets, and tamper with profiles and put them into an arbitrary eUICC without being flagged by MNO.
Security Explorations said the findings build upon its own prior research from 2019, which found multiple security vulnerabilities in Oracle Java Card that could pave the way for the deployment of a persistent backdoor in the card. One of the flaws also impacted Gemalto SIM, which relies on the Java Card technology.
These security defects can be exploited to “break memory safety of the underlying Java Card VM” and gain full access to the card’s memory, break the applet firewall, and potentially even achieve native code execution.
However, Oracle downplayed the potential impact and indicated that the “security concerns” did not affect their production of Java Card VM. Security Explorations said these “concerns” have now been proven to be “real bugs.”
The attacks might sound prohibitive to execute, but, to the contrary, they are well within the reach of capable nation-state groups. They could allow the attackers to compromise an eSIM card and deploy a stealthy backdoor, effectively intercepting all communications.
“The downloaded profile can be potentially modified in such a way, so that the operator loses control over the profile (no ability for remote control / no ability to disable/invalidate it, etc.), the operator can be provided with a completely false view of the profile state or all of its activity can be subject to monitoring,” the company added.
“In our opinion, the ability for a single broken eUICC / single eUICC GSMA cert theft to peek into (download in plaintext) eSIMs of arbitrary MNO constitutes a significant eSIM architecture weak point.”
