A security research team has discovered a flaw in eSIM technology that would let attackers install malicious code, steal operator secrets, and hijack mobile profiles, all without raising alarms.
The issue affects Kigen's eUICC card, which powers digital SIMs in many phones and IoT devices. According to the company, more than two billion SIMs had been enabled by the end of 2020.
The problem was found by Security Explorations, a Polish research lab. Kigen confirmed the flaw and paid the team a $30,000 bug bounty.
eSIMs work without physical cards. Instead, the SIM is stored on a chip inside the device, called an eUICC, and lets users switch mobile plans remotely. Operators can add or manage profiles over the air, making it more flexible than standard SIM cards.
But that flexibility comes with risks. The vulnerability lies in older versions (6.0 and below) of a test profile specification called GSMA TS.48, which is used for radio testing. Kigen said the flaw could allow someone with physical access to a device to install a rogue applet using public keys. The malicious applet could then take over key parts of the SIM's software.
Kigen said the fix is included in version 7.0 of the GSMA test profile spec, which now limits how the test profile can be used. All older versions have been deprecated.
If exploited, the flaw could let attackers extract the eUICC's identity certificate. That opens the door to far more serious attacks, such as downloading operator profiles in plaintext, accessing sensitive MNO secrets, and tampering with how profiles are installed and managed. In some cases, attackers could slip in profiles without detection.
The researchers said this builds on earlier work from 2019, when they found bugs in Oracle's Java Card system. That earlier research showed it was possible to break into a SIM's memory, bypass its internal security partitions, and run unauthorised code. Some of those bugs also affected SIM cards made by Gemalto.
At the time, Oracle downplayed the findings, saying they didn't affect Java Card products in real-world use. But Security Explorations now says the problems are real and tied directly to current eSIM threats.
While this might sound like a high bar for attackers, the team says it's not out of reach for well-resourced actors, including nation-state groups. With the right conditions, an attacker could use the flaw to plant a backdoor inside an eSIM, monitor user activity, and bypass remote controls meant to protect the card.
One of the risks is that the attacker could modify a downloaded SIM profile in a way that stops the operator from disabling it or even seeing what's happening. "The operator might be provided with a completely false view of the profile state," the research team said, "or all of its activity might be subject to monitoring."
A single stolen certificate, or one compromised eUICC, could be enough to spy on eSIM profiles from any operator. The researchers say this points to a deep flaw in how the eSIM system is built.