ESIM Security

https://news.ycombinator.com/rss Hits: 9
Summary

As a result of its research efforts, Security Explorations, a research lab of AG Security Research company, conducted a security analysis of eSIM technology. This section of our website presents initial information regarding the project.

Notes

We broke the security of a Kigen(*) eUICC card with GSMA consumer certificates installed in it.

The eUICC card makes it possible to install so-called eSIM profiles into the target chip. eSIM profiles are software representations of mobile subscriptions. For many years such mobile subscriptions took the form of a physical SIM card of various form factors (SIM, microSIM, nanoSIM). With eSIM, the subscription can come in a purely digital form (as a software bundle), and it can also carry Java Card applications.

According to Kigen:

1) eSIMs are "as secure and interoperable as SIM cards [...] thanks to the multi-layered GSMA eSIM certification scheme that protects device makers, device owners and mobile network operators (MNOs)" (source)
2) "Kigen OS offers the highest level of logical security when employed on any SIM form factor, including a secure enclave" and "Kigen SIM OS features help differentiate, scale and grow revenues with zero compromise security" (source)

The hack proves that our research on Java Card from 2019 did matter. Oracle indicated that the vulnerabilities we reported to the company in 2019 were rather irrelevant (the company referred to them as "security concerns") / did not affect their production Java Card VM. These are now proved to be real bugs.

This is likely the first successful public hack against:

- consumer GSMA eUICC
- Kigen eSIM (Kigen press releases and web pages imply over 2 billion SIMs enabled by Kigen secure SIM OS)
- EAL(**) certified GSMA security chip (SLC37 chip based on 32-bit ARM SecurCore SC300 processor from Infineon)

The attack against the Kigen eUICC relies both on physical access to a sample card and on knowledge of the keys used for malicious Java app installation.
The remote over-the-air (OTA) vector ...

First seen: 2025-07-09 10:34

Last seen: 2025-07-09 18:36