- A test eSIM profile used by billions of devices carried a major flaw
- It allowed malicious actors with physical access the ability to deploy applets
- A patch is now available, so users should upgrade now
Security researchers have discovered a vulnerability in eSIM technology used in virtually all smartphones and many other internet-connected, smart devices.
In theory, the flaw could have been abused to intercept or manipulate communications, extract sensitive data, inject malicious applets, and more.
There are more than two billion eSIM-enabled devices that could potentially be affected by this flaw, including smartphones, tablets, wearables, and countless IoT devices that rely on Kigen’s eUICC technology.
Patching the bug
The bug allowed anyone with physical access to the affected device to install custom programs (applets) without having to prove they were not malicious.
Discovered by Security Explorations, a research lab of AG Security Research, the bug lies in the GSMA TS.48 Generic Test Profile (v6.0 and earlier), a standardized eSIM profile that supports device testing and certification, especially for devices with non-removable embedded SIMs (eUICCs).
In other words, it was discovered in a test version of a SIM card, used just for checking if the device worked properly or not.
Kigen has released a patch to mitigate the issue, and the GSMA TS.48 v7.0 specification is the first clean version; the company says the patch has already been distributed to all customers.
The silver lining here is that the bug was not that easy or straightforward to exploit. Besides having physical access to the device or eUICC, the attacker would also need a way to trigger test mode activation. Furthermore, the device would need to be using unprotected, legacy test profiles with the RAM (Remote Applet Management) keys still intact.
Kigen’s patch and GSMA TS.48 v7.0 update now block RAM key access in test profiles by default, prohibit JavaCard applet installation altogether on test-mode profiles, randomize keysets for future RAM-enabled testing, and harden OS security against unauthorized remote loading. An attack should now be virtually impossible to execute.
Security Explorations was subsequently awarded $30,000 for its troubles.
Via The Hacker News