A significant security flaw has been identified in Kigen’s embedded Universal Integrated Circuit Card (eUICC) technology, potentially exposing over two billion Internet of Things (IoT) devices to malicious attacks. This vulnerability allows attackers to clone eSIM profiles and hijack phone identities, leading to severe security implications.
Understanding eSIM and eUICC Technology
eSIMs, or embedded SIMs, are digital SIM cards integrated directly into devices, eliminating the need for physical SIM cards. They are installed onto eUICC chips, enabling users to activate cellular plans remotely and switch between carriers without changing physical cards. This technology is widely adopted in smartphones and IoT devices due to its convenience and flexibility.
Discovery of the Vulnerability
Security Explorations, a research lab under AG Security Research, uncovered a critical flaw in Kigen’s eUICC cards. The researchers extracted private ECC keys from compromised eUICC cards, which allowed them to download eSIM profiles from major mobile network operators, including AT&T, Vodafone, O2, Orange, and T-Mobile, in unencrypted form. This marks the first public hack against consumer GSMA eUICC and EAL-certified GSMA security chips.
Implications of the Security Breach
The ability to clone eSIM profiles poses significant risks:
– Phone Identity Hijacking: Attackers can intercept all calls, SMS messages, and two-factor authentication codes intended for the legitimate user without detection.
– Massive Exposure: With over two billion SIMs enabled by Kigen’s secure SIM OS, a single compromised certificate could grant access to any mobile operator’s eSIM profiles globally.
In a live demonstration, researchers cloned an Orange Poland eSIM profile, resulting in all communications being rerouted to the malicious device, leaving the legitimate user unaware of the hijacking.
Technical Details of the Exploit
The vulnerability stems from the GSMA TS.48 Generic Test Profile, versions 6.0 and earlier, used in eSIM products for radio compliance testing. This flaw allows for the installation of non-verified, potentially malicious JavaCard applets. By exploiting this weakness, attackers can:
– Extract the eUICC identity certificate.
– Download arbitrary eSIM profiles from mobile network operators in cleartext.
– Access sensitive operator information.
– Modify profiles and install them onto any eUICC without detection.
These actions can lead to unauthorized access to confidential data and the potential for widespread surveillance.
Industry Response and Mitigation Efforts
In response to the discovery:
– Kigen’s Actions: The company has implemented security patches across millions of eSIMs and issued a security bulletin detailing mitigation strategies.
– GSMA’s Measures: The GSMA has released TS.48 v7.0, which addresses the vulnerability by restricting the use of the test profile. All previous versions have been deprecated, and new application notes have been published to guide industry stakeholders.
These steps aim to enhance the security of the eSIM ecosystem and prevent future exploits.
Recommendations for Users and Operators
To mitigate the risks associated with this vulnerability:
– Device Updates: Users should ensure their devices are updated to the latest software versions that include security patches addressing this issue.
– Operator Communication: Mobile network operators should inform their customers about the vulnerability and the steps taken to secure their networks.
– Caution with eSIM Activation: Users should avoid installing new eSIM profiles until they have confirmed that their devices are updated and secure.
By taking these precautions, users and operators can reduce the risk of exploitation and protect sensitive communications.
Conclusion
The discovery of this eSIM vulnerability underscores the importance of continuous security assessments in emerging technologies. While eSIMs offer significant advantages in terms of convenience and flexibility, they also introduce new attack vectors that must be addressed proactively. The collaborative efforts of researchers, manufacturers, and industry organizations are crucial in safeguarding the integrity of mobile communications.