Cybersecurity researchers have discovered a new hacking technique that exploits weaknesses in the eSIM technology used in modern smartphones, exposing users to serious risks.
The issues affect the Kigen eUICC card. According to the Irish company's website, more than two billion SIMs in IoT devices had been enabled as of December 2020.
The findings come from Security Explorations, the research lab of AG Security Research. Kigen awarded the company a $30,000 bounty for its report.
An eSIM, or embedded SIM, is a digital SIM that is built directly into a device as software installed on an embedded universal integrated circuit card (eUICC) chip.
eSIMs allow users to activate a cellular plan from a carrier without needing a physical SIM card. The eUICC software provides the ability to change operator profiles, remote provisioning, and management of SIM profiles.
"The eUICC card makes it possible to install so-called eSIM profiles into the target chip," Security Explorations said. "eSIM profiles are software representations of mobile subscriptions."
According to an advisory issued by Kigen, the vulnerability lies in the GSMA TS.48 Generic Test Profile, version 6.0 and earlier, which is used in eSIM products for radio compliance testing.
Specifically, the flaw allows the installation of unverified, and potentially malicious, applets. GSMA TS.48 v7.0, released last month, mitigates the problem by restricting the use of the test profile. All other versions of the TS.48 specification have been withdrawn.
"Successful exploitation requires a combination of specific conditions. An attacker must first gain physical access to a target eUICC and use publicly known keys," Kigen said. "This enables the attacker to install a malicious JavaCard applet."
In addition, the vulnerability can facilitate the extraction of the Kigen eUICC identity certificate, making it possible to download arbitrary profiles from mobile network operators (MNOs) in cleartext, access MNO secrets, and tamper with profiles and install them into an arbitrary eUICC without being flagged by the MNO.
Security Explorations said the findings build on its own prior research from 2019, which found several security weaknesses in Oracle Java Card that could pave the way for the deployment of a persistent backdoor in the card. One of the flaws also affected Gemalto SIMs, which rely on Java Card technology.
These security defects could be exploited to "break the memory safety of the underlying Java Card VM" and gain full access to the card's memory, break the applet firewall, and potentially achieve native code execution.
Oracle, however, downplayed the potential impact and indicated that the "security concerns" did not affect production Java Card VMs. Security Explorations stated that these "concerns" have now turned out to be "real bugs."
The attacks may seem prohibitively difficult to execute, but they are well within the reach of capable nation-state groups. They could allow attackers to compromise an eSIM card and deploy a backdoor, effectively intercepting all communications.
"The downloaded profile can potentially be modified in such a way that the operator loses control over the profile (no ability for remote control / ability to disable it / ability to reject it, etc.), and the operator can be provided with a completely false view of the profile state or of all its activity," the company said.
"In our opinion, the ability of a single broken eUICC / single eUICC GSMA certificate to download arbitrary MNOs' eSIMs in plaintext constitutes a significant weak point of the eSIM architecture."