Cyber Web Spider Blog – News

eSIM Vulnerability in Kigen’s eUICC Cards Exposes Billions of IoT Devices to Malicious Attacks

Posted on July 14, 2025 By CWS

Jul 14, 2025Ravie LakshmananMobile Safety / Vulnerability
Cybersecurity researchers have found a brand new hacking approach that exploits weaknesses within the eSIM expertise utilized in fashionable smartphones, exposing customers to extreme dangers.
The problems influence the Kigen eUICC card. In accordance with the Irish firm’s web site, greater than two billion SIMs in IoT gadgets have been enabled as of December 2020.
The findings come from Safety Explorations, a analysis lab of AG Safety Analysis firm. Kigen awarded the corporate a $30,000 bounty for his or her report.
An eSIM, or embedded SIM, is a digital SIM card that is embedded immediately into a tool as software program put in onto an Embedded Common Built-in Circuit Card (eUICC) chip.

eSIMs allow users to activate a cellular plan from a carrier without the need for a physical SIM card. eUICC software offers the ability to change operator profiles, remote provisioning, and management of SIM profiles.

“The eUICC card makes it possible to install the so-called eSIM profiles into the target chip,” Security Explorations said. “eSIM profiles are software representations of mobile subscriptions.”

According to an advisory released by Kigen, the vulnerability is rooted in the GSMA TS.48 Generic Test Profile, versions 6.0 and earlier, which is said to be used in eSIM products for radio compliance testing.

Specifically, the shortcoming allows for the installation of non-verified, and potentially malicious, applets. GSMA TS.48 v7.0, released last month, mitigates the problem by restricting the use of the test profile. All other versions of the TS.48 specification have been deprecated.

“Successful exploitation requires a combination of specific conditions. An attacker must first gain physical access to a target eUICC and use publicly known keys,” Kigen said. “This enables the attacker to install a malicious JavaCard applet.”

Furthermore, the vulnerability could facilitate the extraction of the Kigen eUICC identity certificate, thereby making it possible to download arbitrary profiles from mobile network operators (MNOs) in cleartext, access MNO secrets, and tamper with profiles and put them into an arbitrary eUICC without being flagged by the MNO.

Security Explorations said the findings build upon its own prior research from 2019, which found multiple security vulnerabilities in Oracle Java Card that could pave the way for the deployment of a persistent backdoor in the card. One of the flaws also impacted Gemalto SIM, which relies on the Java Card technology.

These security defects could be exploited to “break memory safety of the underlying Java Card VM” and gain full access to the card’s memory, break the applet firewall, and potentially even achieve native code execution.

However, Oracle downplayed the potential impact and indicated that the “security concerns” did not affect their production of Java Card VM. Security Explorations said these “concerns” have now been proven to be “real bugs.”

The attacks might sound prohibitive to execute, but, to the contrary, they are well within the reach of capable nation-state groups. They could allow the attackers to compromise an eSIM card and deploy a stealthy backdoor, effectively intercepting all communications.

“The downloaded profile can be potentially modified in such a way, so that the operator loses control over the profile (no ability for remote control / no ability to disable/invalidate it, etc.), the operator can be provided with a completely false view of the profile state or all of its activity can be subject to monitoring,” the company added.

“In our opinion, the ability for a single broken eUICC / single eUICC GSMA cert theft to peek into (download in plaintext) eSIMs of arbitrary MNO constitutes a significant eSIM architecture weak point.”
