
Cybersecurity researchers have disclosed a new hacking technique that exploits weaknesses in the eSIM technology used in modern smartphones and puts users at serious risk.
The issue affects Kigen eUICC cards. According to the Irish company's website, more than 1 billion SIMs had been enabled for IoT devices as of December 2020.
The findings come from Security Explorations, the research lab of AG Security Research. Kigen awarded the company a $30,000 bounty for the report.
An eSIM, or embedded SIM, is a digital SIM card built directly into a device as software running on an embedded Universal Integrated Circuit Card (eUICC) chip.

eSIMs let users activate mobile plans from carriers without a physical SIM card. The eUICC software supports changing the operator profile, remote provisioning, and management of SIM profiles.
“The eUICC card allows you to install so-called eSIM profiles on the target chip,” Security Explorations said. “eSIM profiles are software representations of mobile subscriptions.”
According to an advisory published by Kigen, the vulnerability is rooted in the GSMA TS.48 generic test profile, version 6.0 or earlier, which is used in eSIM products for radio compliance testing.
Specifically, the flaw allows the installation of non-verified and potentially malicious applets. GSMA TS.48 v7.0, released last month, mitigates the issue by restricting the use of test profiles. All other versions of the TS.48 specification have been deprecated.
“Successful exploitation requires a specific combination of conditions. An attacker must first gain physical access to the target eUICC and use publicly known keys,” Kigen said. “This allows an attacker to place a malicious Java Card applet.”
Furthermore, the vulnerability could facilitate extraction of the Kigen eUICC identity certificate, making it possible to download arbitrary profiles from mobile network operators (MNOs) in cleartext, access MNO secrets, and tamper with a profile and load it onto any eUICC without the MNO being alerted.
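The security-relevant point in Kigen's advisory is that a test profile whose keys are published gives an attacker with physical access everything needed to authenticate a load command, so the card's MAC check no longer proves anything. The following Python model is an added example, not Kigen's, GSMA's or Security Explorations' code: it simulates a card's applet-load gate, shows the attacker forging a valid load under a published keyset, and shows the two defences that matter (refusing to honour a known test keyset for loads, and per-card unique keys). The key bytes, the message layout and the use of HMAC-SHA256 in place of the GlobalPlatform secure-channel CMAC are all constructed stand-ins.

```python
"""Model of why a test profile with publicly known keys undermines
applet-loading authentication on a card, and what the policy fix looks like.
Added example; keys, message layout and MAC algorithm are stand-ins."""
import hashlib
import hmac
import os

# Constructed stand-in for the secure-channel keyset of a TS.48-style generic
# test profile. The real test-profile keys are published in the spec; these
# bytes are NOT those keys, just a placeholder that "everyone knows".
PUBLIC_TEST_KEY = bytes.fromhex("00" * 16)  # hypothetical value


class Euicc:
    """Minimal model of the load gate: an applet is installed only if the load
    command carries a MAC computed under the card's active keyset."""

    def __init__(self, keyset: bytes, reject_known_test_keys: bool):
        self.keyset = keyset
        self.reject_known_test_keys = reject_known_test_keys
        self.installed = []

    @staticmethod
    def mac(key: bytes, applet: bytes) -> bytes:
        # HMAC-SHA256 stands in for the secure-channel MAC (assumption; a real
        # GlobalPlatform SCP channel MACs the APDU stream with AES-CMAC).
        return hmac.new(key, b"INSTALL-FOR-LOAD" + applet, hashlib.sha256).digest()

    def load_applet(self, applet: bytes, mac: bytes) -> str:
        # Policy fix: a keyset known to be a published test keyset must not be
        # accepted for applet loading, whatever MAC the command carries.
        if self.reject_known_test_keys and self.keyset == PUBLIC_TEST_KEY:
            return "refused: test keyset not allowed for applet load"
        # Normal authentication: MAC must verify under the active keyset.
        if not hmac.compare_digest(self.mac(self.keyset, applet), mac):
            return "refused: bad MAC"
        self.installed.append(applet)
        return "installed"


def attacker_forges_load(card: Euicc, applet: bytes) -> str:
    """Attacker with physical access only knows the published test key, so that
    is what they MAC the load command with."""
    return card.load_applet(applet, Euicc.mac(PUBLIC_TEST_KEY, applet))


def demo() -> dict:
    applet = b"\xca\xfe\xba\xbe" + b"constructed-applet-bytes"  # placeholder CAP
    weak = Euicc(PUBLIC_TEST_KEY, reject_known_test_keys=False)     # TS.48 v6 style
    hardened = Euicc(PUBLIC_TEST_KEY, reject_known_test_keys=True)  # test keyset blocked
    per_card = Euicc(os.urandom(16), reject_known_test_keys=True)   # unique card key
    return {
        "weak": attacker_forges_load(weak, applet),
        "hardened": attacker_forges_load(hardened, applet),
        "per_card_key": attacker_forges_load(per_card, applet),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The weak card installs the attacker's applet because the MAC verifies under a key the attacker already has; the hardened card refuses on policy before even checking the MAC, which is the shape of the TS.48 v7.0 restriction on test profiles; the card with a unique keyset rejects the forged MAC outright. Note that none of this helps once a malicious applet is already resident, which is why the advisory separately worries about certificate extraction.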
Security Explorations says the findings build on its own prior research from 2019, which revealed that multiple security vulnerabilities in Oracle Java Card could pave the way for deploying persistent backdoors on cards. One of the flaws also affected Gemalto SIM cards, which rely on Java Card technology.
Those flaws could be exploited to “break the memory safety of the underlying Java Card VM” and even achieve native code execution, giving full access to the card's memory and breaking the applet firewall.
Oracle downplayed the potential impact at the time, stating that the “security concerns” did not affect production Java Card VMs. Security Explorations says those “concerns” have now been proven to be “real bugs.”

The attacks may sound impractical to carry out, but on the contrary they are well within reach of a capable nation-state group. They would allow attackers to compromise eSIMs, deploy stealthy backdoors, and effectively intercept all communications.
“Downloaded profiles could potentially be modified in such a way that the operator loses control over the profile (e.g. the ability to remotely control/disable it). The operator could be given a completely incorrect view of the profile state.
“In our opinion, the ability of a single broken eUICC/single eUICC GSMA certificate to peer into any MNO’s eSIMs constitutes a weakness in the core eSIM architecture.”