mirror of
https://sharelatex.tu-darmstadt.de/git/681e0e7a3a9c7c9c6b8bb298
synced 2025-12-07 13:18:00 +00:00
Update on Overleaf.
@@ -56,6 +56,35 @@ SPTP introduces two new entities: a private index service for managing \glspl{im
% custom applet prevents user from leaving the STK until the next factory reset -> not a real vulnerability since this is intended behaviour
% proposes c2 OOB channel via sms: PoC which would allow attackers to controle a windows pc via SMS OOB

% security exploriations demonstrate that they are able to break the security of Kigen euiccs with GSMA consumer certificates installed
% relies on physical access to the card and knowledge of the keys required to install custom java applets
% they show that using a malicious applet using the SMS-PP
% they rely on a previous type confiusion vulnerability in java card vm architecture -> Kigen implemented a fix which did not prevent the vulnerability in its entirety
% they were able to exploit this vulnerability to compromise the euicc and extract the euicc certs private keys
% they notified Kigen, GSMA, and Oracle about their findings
% as a result the GSMA address this issue in an updated TS.48 specification: prevent unauthorized actors from installing malicouse applets
% security explorations fear that this might not be enough: argues that this doesn't fix the core problem in the java card vm architecture

A valuable resource for empirical research into \gls{euicc} behavior is the Osmocom \gls{euicc} Manual, a collaborative and community-maintained repository of technical knowledge \cite{welte_euicc_2024}. It aggregates details related to the \gls{sgp22} specification and serves as an empirical database of observed behavior across commercial \glspl{euicc}. The manual includes data such as known card Asnwer-To-Request (ATRs), supported \gls{lpa} implementations, available test profiles, and proprietary command sequences. Although not exhaustive, this knowledge base has proven instrumental in identifying inconsistencies and behavioral quirks in vendor-specific \gls{euicc} implementations.

In terms of adversarial perspectives, \textcite{vervier_embedded_2023} explored the potential misuse of \glspl{esim} from a red team viewpoint, particularly investigating their feasibility as covert command-and-control (C2) channels. While he did not uncover a direct vulnerability that would facilitate reliable C2 communication, he proposed several attack vectors:

\begin{itemize}
\item \textbf{Phishing via Proactive Commands:} Leveraging the \gls{cat}, \textcite{vervier_embedded_2023} demonstrated how malicious profiles could issue proactive commands that render UI elements on the device, potentially tricking users into inputting sensitive data.
\item \textbf{Malicious Java Applet for User Lockout:} A custom applet was developed that exploited \gls{stk} behavior to prevent users from exiting a malicious menu without performing a factory reset. Although this is technically compliant with the specification, it exemplifies how legitimate features may be repurposed for adversarial use.
\item \textbf{SMS-based C2 Communication:} \textcite{vervier_embedded_2023} proposed an out-of-band C2 mechanism using SMS-PP (Point-to-Point) messages. A proof-of-concept was presented where an attacker could control a Windows machine via SMS relayed through an infected \gls{esim} card.
\end{itemize}

A more serious security assessment was presented by \textcite{security_explorations_esim_2025}, who performed a low-level compromise of commercial Kigen \glspl{euicc}, including those with valid GSMA Consumer Profile certificates. Their attack relied on:

\begin{itemize}
\item\textbf{Physical Access and Key Knowledge:} Required access to the physical \gls{euicc} and privileged provisioning keys to sideload custom Java applets.
\item \textbf{Java Card VM Type Confusion Vulnerability:} They exploited a known type confusion vulnerability in the Java Card virtual machine architecture \cite{security_explorations_security_2019}. Although Kigen had implemented mitigations, Security Explorations demonstrated that these were insufficient, enabling them to install a malicious applet.
\item \textbf{Private Key Extraction via SMS-PP:} Once compromised, the applet could misuse SMS-PP functionality to exfiltrate cryptographic material, including private Elliptic-curve cryptography (ECC) keys of the \gls{euicc} certificate chain.
\end{itemize}

\textcite{security_explorations_esim_2025} responsibly disclosed the vulnerability to Kigen, GSMA, and Oracle. As a result, GSMA introduced additional restrictions in the updated TS.48 specification v7.0~\cite{gsma_ts48_2025}, aiming to prevent unauthorized applet installations. However, the researchers voiced concern that this measure only mitigated the symptoms rather than addressing the core vulnerability in the Java Card VM architecture.

\section{Software Implementations}

\paragraph{pySim}

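Review bot: the ATR expansion in the Osmocom paragraph (`known card Asnwer-To-Request (ATRs)`) is misspelled and, more importantly, wrong: ATR is Answer To Reset, the byte string a card returns after a reset, so it should read `known card Answer-To-Reset (ATR) values`. Three smaller points in the same hunk: `\item\textbf{Physical Access and Key Knowledge:}` is missing the space after `\item` that every other item uses; the block of `%` draft notes at the top of the hunk (controle, exploriations, confiusion, malicouse) now duplicates the Vervier and Security Explorations prose that follows it, so either drop the comments or turn them into a single TODO; and `\paragraph{pySim}` under the new `\section{Software Implementations}` is followed by no text in this hunk, so the section currently compiles to an empty heading.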