eSIM tech flaw exposes smartphones to serious hacking risks


A security research team has discovered a flaw in eSIM technology that could let attackers install malicious code, steal operator secrets, and hijack mobile profiles – all without raising alarms.

The issue affects Kigen's eUICC card, which powers digital SIMs in many phones and IoT devices. According to the firm, more than two billion SIMs had been enabled by the end of 2020.

The problem was found by Security Explorations, a Polish research lab. Kigen confirmed the flaw and paid the group a $30,000 bug bounty.

eSIMs work without physical cards. Instead, the SIM is stored on a chip inside the device – known as an eUICC – and lets users switch mobile plans remotely. Operators can add or manage profiles over the air, making it more flexible than a standard SIM card.

But that flexibility comes with risks. The vulnerability lies in older versions (6.0 and below) of a test profile specification known as GSMA TS.48, which is used for radio testing. Kigen said the flaw could allow someone with physical access to a device to install a rogue applet using public keys. The malicious applet could then take over key parts of the SIM's software.

Kigen said the fix is included in version 7.0 of the GSMA test profile spec, which now limits how the test profile can be used. All older versions have been deprecated.

If exploited, the flaw could let attackers extract the eUICC's identity certificate. That opens the door to far more serious attacks – such as downloading operator profiles in plaintext, accessing sensitive MNO secrets, and tampering with how profiles are installed and managed. In some cases, attackers could slip in profiles without detection.

The researchers said this builds on earlier work from 2019, when they found bugs in Oracle's Java Card system. That earlier research showed it was possible to break into a SIM's memory, bypass its internal security partitions, and run unauthorised code. Some of those bugs also affected SIM cards made by Gemalto.

At the time, Oracle downplayed the findings, saying they did not affect Java Card products in real-world use. But Security Explorations now says the flaws are real and tied directly to current eSIM threats.

While this may sound like a high bar for attackers, the team says it is not out of reach for well-resourced actors – including nation-state groups. Under the right conditions, an attacker could use the flaw to plant a backdoor inside an eSIM, monitor user activity, and bypass the remote controls meant to protect the card.

One of the risks is that the attacker could modify a downloaded SIM profile in a way that stops the operator from disabling it or even seeing what is happening. "The operator could be provided with a completely false view of the profile state," the research team said, "or all of its activity could be subject to monitoring."

A single stolen certificate – or one compromised eUICC – could be enough to spy on eSIM profiles from any operator. The researchers say this points to a deep flaw in how the eSIM system is built.

(Image by Tomek)
