Update on Overleaf.
@@ -845,3 +845,46 @@ C compilers is available on the web.},
|
||||
doi = {10.14722/ndss.2014.23229},
|
||||
file = {Full Text PDF:/home/niklas/Zotero/storage/7DQ4M2PT/Zaddach et al. - 2014 - Avatar A Framework to Support Dynamic Security Analysis of Embedded Systems’ Firmwares.pdf:application/pdf},
|
||||
}
|
||||
|
||||
@misc{vervier_embedded_2023,
|
||||
title = {Embedded {Threats}: {A} {Deep} {Dive} into the {Attack} {Surface} and {Security} {Implications} of {eSIM} {Technology}},
|
||||
shorttitle = {Embedded {Threats}},
|
||||
url = {https://www.offensivecon.org/speakers/2023/markus-vervier.html},
|
||||
language = {en},
|
||||
urldate = {2025-07-08},
|
||||
author = {Vervier, Markus},
|
||||
month = may,
|
||||
year = {2023},
|
||||
file = {Markus Vervier | OffensiveCon:/home/niklas/Zotero/storage/XLIISWXK/markus-vervier.html:text/html},
|
||||
}
|
||||
|
||||
@misc{security_explorations_esim_2025,
|
||||
title = {{eSIM} security},
|
||||
url = {https://security-explorations.com/esim-security.html#info},
|
||||
language = {en},
|
||||
urldate = {2025-07-09},
|
||||
author = {{Security Explorations}},
|
||||
year = {2025},
|
||||
file = {Security Explorations - eSIM security:/home/niklas/Zotero/storage/J4QR5WQA/esim-security.html:text/html},
|
||||
}
|
||||
|
||||
@techreport{security_explorations_security_2019,
|
||||
type = {Security {Vulnerability} {Notice}},
|
||||
title = {Security vulnerabilities in {Java} {Card}},
|
||||
url = {https://security-explorations.com/materials/SE-2019-01-ORACLE.pdf},
|
||||
language = {en},
|
||||
number = {SE-2019-01-ORACLE},
|
||||
urldate = {2025-07-09},
|
||||
author = {{Security Explorations}},
|
||||
year = {2019},
|
||||
file = {PDF:/home/niklas/Zotero/storage/XBKC7FAX/SE-2019-01-ORACLE.pdf:application/pdf},
|
||||
}
|
||||
|
||||
@misc{gsma_ts48_2025,
|
||||
title = {{TS}.48 v7.0 {Generic} {eUICC} {Test} {Profile} for {Device} {Testing}},
|
||||
url = {https://www.gsma.com/get-involved/working-groups/gsma_resources/ts-48-v7-0-generic-euicc-test-profile-for-device-testing/},
|
||||
author = {{GSMA}},
|
||||
month = jan,
|
||||
year = {2025},
|
||||
file = {TS.48 v7.0 Generic eUICC Test Profile for DevicTesting:/home/niklas/Zotero/storage/P5EJRQQ7/TS.48 v7.0 Generic eUICC Test Profile for DevicTesting.docx:application/vnd.openxmlformats-officedocument.wordprocessingml.document},
|
||||
}
|
||||
|
||||
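Review bot: The new entries at `file = {...}` (lines with `/home/niklas/Zotero/storage/...`) commit absolute paths from one author's machine into a shared repository; the attachments are Zotero-local, so no other collaborator or build can resolve them, and the field discloses the local username and directory layout for no benefit. Drop the `file` field from the exported entries (Zotero's BibTeX export can be configured to omit attachment paths) and rely on `url`/`doi`/`urldate`, which the entries already carry. The same applies to every entry in this hunk, e.g. `file = {Markus Vervier | OffensiveCon:/home/niklas/...}` and the `.docx` path for `gsma_ts48_2025`. Which of these lines are context versus added cannot be told from the rendering, so this may also cover a pre-existing entry.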
@@ -56,6 +56,35 @@ SPTP introduces two new entities: a private index service for managing \glspl{im
|
||||
% custom applet prevents user from leaving the STK until the next factory reset -> not a real vulnerability since this is intended behaviour
|
||||
% proposes c2 OOB channel via sms: PoC which would allow attackers to controle a windows pc via SMS OOB
|
||||
|
||||
% security exploriations demonstrate that they are able to break the security of Kigen euiccs with GSMA consumer certificates installed
|
||||
% relies on physical access to the card and knowledge of the keys required to install custom java applets
|
||||
% they show that using a malicious applet using the SMS-PP
|
||||
% they rely on a previous type confiusion vulnerability in java card vm architecture -> Kigen implemented a fix which did not prevent the vulnerability in its entirety
|
||||
% they were able to exploit this vulnerability to compromise the euicc and extract the euicc certs private keys
|
||||
% they notified Kigen, GSMA, and Oracle about their findings
|
||||
% as a result the GSMA address this issue in an updated TS.48 specification: prevent unauthorized actors from installing malicouse applets
|
||||
% security explorations fear that this might not be enough: argues that this doesn't fix the core problem in the java card vm architecture
|
||||
|
||||
A valuable resource for empirical research into \gls{euicc} behavior is the Osmocom \gls{euicc} Manual, a collaborative and community-maintained repository of technical knowledge \cite{welte_euicc_2024}. It aggregates details related to the \gls{sgp22} specification and serves as an empirical database of observed behavior across commercial \glspl{euicc}. The manual includes data such as known card Asnwer-To-Request (ATRs), supported \gls{lpa} implementations, available test profiles, and proprietary command sequences. Although not exhaustive, this knowledge base has proven instrumental in identifying inconsistencies and behavioral quirks in vendor-specific \gls{euicc} implementations.
|
||||
|
||||
In terms of adversarial perspectives, \textcite{vervier_embedded_2023} explored the potential misuse of \glspl{esim} from a red team viewpoint, particularly investigating their feasibility as covert command-and-control (C2) channels. While he did not uncover a direct vulnerability that would facilitate reliable C2 communication, he proposed several attack vectors:
|
||||
|
||||
\begin{itemize}
|
||||
\item \textbf{Phishing via Proactive Commands:} Leveraging the \gls{cat}, \textcite{vervier_embedded_2023} demonstrated how malicious profiles could issue proactive commands that render UI elements on the device, potentially tricking users into inputting sensitive data.
|
||||
\item \textbf{Malicious Java Applet for User Lockout:} A custom applet was developed that exploited \gls{stk} behavior to prevent users from exiting a malicious menu without performing a factory reset. Although this is technically compliant with the specification, it exemplifies how legitimate features may be repurposed for adversarial use.
|
||||
\item \textbf{SMS-based C2 Communication:} \textcite{vervier_embedded_2023} proposed an out-of-band C2 mechanism using SMS-PP (Point-to-Point) messages. A proof-of-concept was presented where an attacker could control a Windows machine via SMS relayed through an infected \gls{esim} card.
|
||||
\end{itemize}
|
||||
|
||||
A more serious security assessment was presented by \textcite{security_explorations_esim_2025}, who performed a low-level compromise of commercial Kigen \glspl{euicc}, including those with valid GSMA Consumer Profile certificates. Their attack relied on:
|
||||
|
||||
\begin{itemize}
|
||||
\item\textbf{Physical Access and Key Knowledge:} Required access to the physical \gls{euicc} and privileged provisioning keys to sideload custom Java applets.
|
||||
\item \textbf{Java Card VM Type Confusion Vulnerability:} They exploited a known type confusion vulnerability in the Java Card virtual machine architecture \cite{security_explorations_security_2019}. Although Kigen had implemented mitigations, Security Explorations demonstrated that these were insufficient, enabling them to install a malicious applet.
|
||||
\item \textbf{Private Key Extraction via SMS-PP:} Once compromised, the applet could misuse SMS-PP functionality to exfiltrate cryptographic material, including private Elliptic-curve cryptography (ECC) keys of the \gls{euicc} certificate chain.
|
||||
\end{itemize}
|
||||
|
||||
\textcite{security_explorations_esim_2025} responsibly disclosed the vulnerability to Kigen, GSMA, and Oracle. As a result, GSMA introduced additional restrictions in the updated TS.48 specification v7.0~\cite{gsma_ts48_2025}, aiming to prevent unauthorized applet installations. However, the researchers voiced concern that this measure only mitigated the symptoms rather than addressing the core vulnerability in the Java Card VM architecture.
|
||||
|
||||
\section{Software Implementations}
|
||||
|
||||
\paragraph{pySim}
|
||||
|
||||
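Review bot: The sentence on the Osmocom manual expands ATR as "Asnwer-To-Request (ATRs)", which is both a typo and the wrong expansion; the ISO 7816 term is Answer-To-Reset, so the line should read `known card Answer-To-Reset (ATR) values`. The block of `%` working notes that appears to be added above the prose (from "security exploriations demonstrate" through "this doesn't fix the core problem") restates the two paragraphs that follow, including their typos, and can be removed now that the text is written. In the second itemize, `\item\textbf{Physical Access` lacks the space the other items use before `\textbf`; write `\item \textbf{Physical Access and Key Knowledge:}` for consistency. The side of each line (context vs. added) is not recoverable from the rendering, so the first three comment lines and the trailing `\section`/`\paragraph` lines are presumably pre-existing context.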