Security Explorations conducted a security analysis of eSIM technology and broke the security of Kigen eUICC cards provisioned with GSMA consumer certificates. An eUICC card is the chip into which eSIM profiles are installed. Kigen claims that eSIMs are as secure as physical SIM cards; the hack shows otherwise. This is likely the first public hack of a consumer GSMA eUICC, of a Kigen eSIM, and of an EAL-certified GSMA security chip.
The attack requires physical access to the card and knowledge of its keys. It demonstrates that there is no effective security or isolation between eSIM profiles and Java applications on the chip, and it brings eSIM security into focus. A cryptographic proof shows the extraction of the eUICC's private ECC key, and demonstration movies show both the installation of a malicious application and the key extraction. Theft of the GSMA certificate (together with its private key) implies, among other things, the ability to download eSIM profiles in cleartext. Kigen was notified and provided with technical documents, and a reward of $30K was paid.
The core issues exploited in the attack are similar to issues reported in 2019, and Kigen's "mitigation" for them turned out to be ineffective. GSMA and Oracle were notified. GSMA acknowledged the research but did not treat it as a Coordinated Vulnerability Disclosure (CVD) case. A list of vulnerable Kigen products and their fixing status was provided, but Kigen's security bulletin was confusing and contained incorrect information about the vulnerability's impact. The investigation of Kigen's patches ran into obstacles, and a new security report was provided. Kigen did not revoke the affected certificates.
The research calls security certification schemes into question and shows that eSIM hacking is easier than assumed; it also serves as a warning for mobile phone vendors. GSMA inquired about the eUICC/eSA certification. GSMA changed its specifications to prevent the installation of malicious Java applications, and guidance for the industry was published. A telecom expert's opinion was shared. An eUICC/Java Card exploitation toolkit was developed, and remote SIM provisioning servers were tested. A test with mirrored eSIMs on the Orange Poland network showed that eSIM cloning is possible.
The ultimate goal of the research was to find a remotely exploitable vulnerability affecting mass-market mobile phones. The security of other eUICC vendors' products remains uncertain: communication with NXP was limited, a G&D eUICC was tested, and Comprion's eTPS service faced issues. A summary of the security mechanisms shows that some were implemented but proved ineffective. The research was highly complex, and planting a backdoor was found to be feasible. The responsibility of technology vendors and the value of independent security research were discussed, and recommendations for MNOs and vendors were given. MNOs took precautions, and the project received a lot of attention.