A security research team has discovered a flaw in eSIM technology that could let attackers install malicious code, steal operator secrets, and hijack mobile profiles, all without raising alarms.
The issue affects Kigen's eUICC card, which powers digital SIMs in many phones and IoT devices. According to the company, more than two billion SIMs had been enabled by the end of 2020.
The problem was found by Security Explorations, a Polish research lab. Kigen confirmed the flaw and paid the team a $30,000 bug bounty.
eSIMs work without physical cards. Instead, the SIM is stored on a chip in the device, called an eUICC, and lets users switch mobile plans remotely. Operators can add or manage profiles over the air, making it more flexible than standard SIM cards.
But that flexibility comes with risks. The vulnerability lies in older versions (6.0 and below) of a test profile specification called GSMA TS.48, which is used for radio testing. Kigen said the flaw could allow someone with physical access to a device to install a rogue applet using public keys. The malicious applet could then take over key parts of the SIM's software.
Kigen said the fix is included in version 7.0 of the GSMA test profile spec, which now limits how the test profile can be used. All older versions have been deprecated.
If exploited, the flaw could let attackers extract the eUICC's identity certificate. That opens the door to far more serious attacks, such as downloading operator profiles in plaintext, accessing sensitive MNO secrets, and tampering with how profiles are installed and managed. In some cases, attackers could slip in profiles without detection.
The researchers said this builds on earlier work from 2019, when they found bugs in Oracle's Java Card platform. That earlier research showed it was possible to break into a SIM's memory, bypass its internal security partitions, and run unauthorised code. Some of those bugs also affected SIM cards made by Gemalto.
At the time, Oracle downplayed the findings, saying they didn't affect Java Card products in real-world use. But Security Explorations now says the flaws are real and tied directly to current eSIM threats.
While this might sound like a high bar for attackers, the team says it's not out of reach for well-resourced actors, including nation-state groups. With the right conditions, an attacker could use the flaw to plant a backdoor inside an eSIM, monitor user activity, and bypass remote controls meant to protect the card.
One of the risks is that the attacker could modify a downloaded SIM profile in a way that stops the operator from disabling it or even seeing what's happening. "The operator can be provided with a completely false view of the profile state," the research team said, "or all of its activity can be subject to monitoring."
A single stolen certificate, or one compromised eUICC, could be enough to spy on eSIM profiles from any operator. The researchers say this points to a deep flaw in how the eSIM system is built.
(Image by Tomek)