Critical eSIM Vulnerability Exposed: Billions of Devices at Risk – Quick Fix Implemented

In a startling revelation, security researchers have uncovered a significant vulnerability in eSIM technology that posed a risk to billions of devices worldwide. The flaw was found in a test profile for the embedded SIM (eSIM) used across smartphones, smartwatches, tablets, and Internet of Things (IoT) devices. Fortunately, the issue was resolved before any substantial damage could occur.

The vulnerability was identified in the GSMA TS.48 Generic Test Profile (versions 6.0 and earlier), which is specifically designed for device testing and certification. While this test profile isn’t employed in standard consumer scenarios, it is prevalent during the manufacturing and development stages of devices.

The discovery was made by Security Explorations, a Polish cybersecurity research team renowned for their expertise in uncovering hardware-level threats. They pinpointed the issue within Kigen’s eUICC technology, which powers eSIMs in more than 2 billion devices globally. In recognition of their critical findings, Security Explorations was awarded a $30,000 reward, highlighting the significance of their efforts in enhancing the security of billions of interconnected devices.

Kigen is a prominent player in the eSIM industry, with its platform widely used across numerous smartphones and connected devices around the globe.

The vulnerability allowed anyone with physical access to a device to install unauthorized applets (small programs) on the eSIM without the usual safeguards. Such applets could potentially steal sensitive information, intercept or manipulate network communications, inject malicious code, and bypass built-in security protocols.

The situation was particularly concerning in environments where eSIM test profiles were not adequately disabled after use, making this a high-risk vulnerability.

Despite the seriousness of the bug, exploiting it wasn’t straightforward. An attacker would need physical access to the device, the ability to activate test mode, a device running an outdated, unsecured test profile, and RAM (Remote Application Management) keys that had not been cleared. In practice, while the potential impact was considerable, the number of vulnerable devices in real-world use was likely small, largely confined to development or testing environments.

Kigen acted promptly, rolling out a fix almost immediately. The newly released GSMA TS.48 v7.0 specification addresses all known issues. The update includes blocking RAM key access in test profiles, prohibiting applet installation in test mode, randomizing keysets to prevent reuse, and hardening the operating system against unauthorized remote loading.

Following these updates, security experts assert that executing an attack is now nearly impossible.