Security Researchers Successfully Exploit GSMA-Certified eSIM Technology Vulnerabilities

The information security laboratory Security Explorations has discovered vulnerabilities in eSIM technology, specifically in the eUICC card produced by Kigen. This card, which runs Java Card and is certified to GSMA standards, was regarded as secure because of its EAL4+ certification, memory protection, and other security measures. Nevertheless, the researchers were able to gain full control of the card.

Similar vulnerabilities had been known since 2019 and were linked to flaws in Java Card bytecode handling. The errors arose from the mishandling of data types and were present in both Oracle’s implementation and the Kigen card.

Security Explorations employed their own tools to automatically check bytecode, memory, stack, and variables. These tools were used to analyze the Kigen card and conduct tests within various networks. The card’s architecture allowed for circumventing its security features.

The researchers carried out the attack by installing a malicious Java application on the card via SMS. They managed to extract an ECC private key, which granted access to eSIM profiles from various carriers, including AT&T, Vodafone, Orange, and T-Mobile.

The stolen profiles contained network settings, OTA keys, identifiers, Java applications, and service data. Some of this information could be modified and reinstalled without detection by the mobile operators.

An attack on the Orange network demonstrated that it was possible to clone an eSIM, allowing the duplicate on another device to receive calls and SMS while the primary user would remain unaware. The network would register the deliveries as successful. Kigen acknowledged the vulnerability and rewarded the researchers with $30,000. Following this, GSMA updated specification TS.48 to prohibit the installation of Java applications on test profiles.

Other cards were also tested, with the Giesecke+Devrient chip proving resilient. The researchers did not have access to cards from other vendors because of closed distribution or non-disclosure agreements (NDAs). Additionally, Security Explorations reported issues on the server side: the IDEMIA and Thales servers did not reject certificates from compromised cards, and the monitoring and verification mechanisms on these servers failed to function as intended.