% !TeX root = ../Thesis.tex
%************************************************
\chapter{Introduction}\label{ch:introduction}
%************************************************
\glsresetall % Resets all acronyms to not used
% today's society is connected
% all devices, i.e. smartphones, IoT devices, vehicles, are connected and often have a SIM -> connect to cellular networks
% GSMA released the first version of the SGP.21 specification in 2015: outlines how profiles should be provisioned to consumer eSIMs -> baseline to support eSIMs in smartphones (cite SGP.21 v1.0)
% earlier versions for eSIM support exist (spec v1 released in 2014 but focused on machine-to-machine communication in an industrial context)
% the first phones supporting eSIMs were released in 2016, with the first iPhone that supports eSIM being released in 2018
% in recent years: eSIMs became more and more popular in such applications
% advantages: no need to switch out hardware when getting a new phone contract, easier to switch out the profile when going to a foreign country and getting a temporary phone contract (or something similar)
% adoption of eSIM technology is increasing rapidly due to its flexibility, remote provisioning capability, and suitability for IoT and mobile devices
% most newly released phones support eSIMs -> new attack vector for adversaries
% people with older hardware, i.e. no eSIM support in their phone, are left out -> introduction of eSIM on SIM
% eSIM chips in the form factor of normal SIMs -> can be inserted in normal SIM slots and behave like normal SIM cards but with extra features
% esim.me marketed their eSIM on SIM as "world's first eSIM card" with their launch in 2020
% eSIM on SIM enables old phones to use eSIM via the SIM slot or other applications
In today's hyper-connected society, smartphones, \gls{iot} devices, and vehicles rely on cellular networks for a wide range of functionalities. These devices typically authenticate to mobile networks using \gls{sim} cards.
To keep pace with growing connectivity needs and reduce reliance on physical \gls{sim} provisioning, the GSMA released the first version of the SGP.21 specification in 2015 \cite{gsma_sgp21_2015}. This specification defines how profiles should be securely provisioned onto \glspl{esim}, laying the foundation for \gls{esim} integration in consumer devices. Although an earlier specification focusing on M2M (Machine-to-Machine) use cases was released in 2014~\cite{gsma_sgp01_2014}, it was mainly targeted at industrial deployments. Consumer adoption started in 2016 with the release of the first device supporting \gls{esim}~\cite{vincent_samsungs_2016} and gained further traction with Apple's inclusion of \gls{esim} functionality in the iPhone lineup in 2018~\cite{apple_apple_2018}. Since then, \gls{esim} technology has become increasingly popular due to its flexibility, remote provisioning capabilities, and suitability for compact or embedded hardware. It simplifies processes such as switching mobile carriers or activating local profiles when traveling. As \gls{esim} support becomes standard in newly released phones, it also introduces a new attack surface. Notably, older devices without native \gls{esim} support are excluded from this technological shift. In response, several vendors have introduced eSIM-on-SIM chips embedded in a traditional \gls{sim} card form factor. These allow older phones to access \gls{esim} functionality via the existing \gls{sim} slot. For example, esim.me marketed their solution in 2020 as the “world’s first \gls{esim} card”~\cite{esimme_esimme_2025}, enabling legacy smartphones to benefit from modern \gls{esim} provisioning workflows.
\section{Motivation}
% Motivation
% the eSIM standard is developed by the GSMA, ETSI and 3GPP -> security was built into the design from the ground up
% with the first release of SGP.21 in 2015 relatively new -> current version v3.1 released in 2025 -> still introducing new features
% other researchers have already looked at the specs in depth (cite papers here)
% implementation of the eSIM firmware is still up to the manufacturers, which develop their own versions -> possibility of vulnerabilities in their implementations
% security vulnerabilities can have a major impact -> persistence of exploits is high: malicious profiles may persist across reboots or even device resets; often low level and invisible -> particularly dangerous and hard to detect
% SIMs have direct, privileged, unfiltered access to the baseband
% eSIM OSs are closed source and implemented by the manufacturers -> not subject to open review
% strengthens the importance of black-box testing methodologies to uncover implementation-specific issues without requiring internal access
% also has potential for undocumented features and backdoors -> eSIM vendors might introduce update endpoints to update their eSIM firmware, or add extra functionality outside of the specs
% non-standard implementations may introduce bugs or security flaws
% implementation bugs: like any other complex embedded system, eSIM stacks are susceptible to bugs
% particularly dangerous due to the privileged role of the eSIM in the device architecture
% eSIM specs may have been interpreted differently by the different vendors
% differential testing offers an automated and scalable method to detect inconsistencies between the different implementations -> comparing the output of multiple eSIM-on-SIM implementations against the same inputs
% this thesis addresses the need for systematic security and correctness evaluation of eSIM-on-SIM implementations -> differential testing
% differential testing: compare multiple implementations against each other -> identify anomalies under identical/similar inputs
% goal: uncover functional deviations and security issues in a black-box setting
Despite the \gls{esim} architecture being built with security in mind and standardized by the \gls{gsma}, \gls{etsi}, and \gls{3gpp}, implementations are left to individual manufacturers. While the specifications provide a common baseline, the actual firmware and OS implementations remain proprietary and closed-source. This means they are not open to public review and may include undocumented features, backdoors, or custom update mechanisms beyond the published standards.

These implementation-specific deviations can pose significant security risks. \glspl{esim} operate at a privileged layer of the system architecture, with direct and largely unfiltered access to the device's baseband. Vulnerabilities within this stack can result in persistent malware that survives reboots or even factory resets and often remains invisible to users. Bugs in the implementation of profile provisioning, certificate validation, or update mechanisms can therefore have a severe and long-lasting impact.

Furthermore, the consumer \gls{esim} ecosystem is still relatively new: the first SGP.21 release dates back only to 2015~\cite{gsma_sgp21_2015}, and the latest version (v3.1) was released in 2025~\cite{gsma_sgp22_2025}, so the technology is still evolving. Different vendors may interpret and implement the specifications in slightly different ways, leading to inconsistencies and potentially exploitable gaps.

Due to the lack of transparency in vendor implementations, black-box testing methodologies are especially valuable for uncovering such issues. Differential testing is a promising approach, as it systematically compares how different implementations behave when subjected to identical or similar inputs~\cite{mckeeman_differential_1998}. This makes it possible to detect deviations and identify bugs without needing source code or internal documentation.
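To make the comparison concrete, the following is an added example (not code from this thesis or its framework) of an APDU-level differential test: three constructed stand-in cards receive the same SELECT commands, and the harness records every input on which their status words, response data, or responsiveness disagree. The AID and the cards' behaviour are placeholders constructed for the example, not those of any real vendor.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass(frozen=True)
class Response:
    data: bytes
    sw: Optional[int]  # ISO 7816 status word SW1SW2 (e.g. 0x9000); None = no answer
def differential_test(cards: Dict[str, Callable[[bytes], Response]],
                      apdus: List[bytes]) -> List[dict]:
    """Send each command APDU to every card; record inputs on which they disagree.
    kind: 'transport' (no answer), 'status' (status words differ), 'data' (data differs)."""
    findings = []
    for apdu in apdus:
        rsp = {}
        for name, card in cards.items():
            try:
                rsp[name] = card(apdu)
            except Exception:  # a hang or crash is itself a divergence
                rsp[name] = Response(b"", None)
        if any(r.sw is None for r in rsp.values()):
            kind = "transport"
        elif len({r.sw for r in rsp.values()}) > 1:
            kind = "status"
        elif len({r.data for r in rsp.values()}) > 1:
            kind = "data"
        else:
            continue  # all implementations agree on this input
        findings.append({"apdu": apdu.hex(), "kind": kind,
                         "responses": {n: (r.data.hex(), r.sw) for n, r in rsp.items()}})
    return findings
# Constructed stand-ins for three cards (placeholder AID; not any real vendor's behaviour).
ISDR_AID = bytes.fromhex("A000000559101000")
def make_card(wrong_len_sw: int, crash_above_lc: int = 255):
    def card(apdu: bytes) -> Response:
        cla, ins, _p1, _p2, lc = apdu[:5]
        body = apdu[5:5 + lc]
        if lc > crash_above_lc:
            raise RuntimeError("card stopped responding")  # models a firmware hang
        if len(body) != lc:
            return Response(b"", wrong_len_sw)  # 6700 vs 6A80: same spec, read differently
        if (cla, ins) == (0x00, 0xA4) and body == ISDR_AID:
            return Response(b"\x6f\x00", 0x9000)  # application selected, empty FCI
        return Response(b"", 0x6A82)  # application not found
    return card
CARDS = {"vendorA": make_card(0x6700), "vendorB": make_card(0x6A80),
         "vendorC": make_card(0x6700, crash_above_lc=0x20)}
APDUS = [bytes([0x00, 0xA4, 0x04, 0x00, len(ISDR_AID)]) + ISDR_AID,  # well-formed SELECT
         bytes([0x00, 0xA4, 0x04, 0x00, 0x10]) + ISDR_AID,  # Lc larger than the data sent
         bytes([0x00, 0xA4, 0x04, 0x00, 0x30]) + ISDR_AID]  # oversized Lc; one card hangs
```

Running `differential_test(CARDS, APDUS)` yields no finding for the well-formed SELECT, a `status` finding where the two vendors answer the length mismatch with different status words, and a `transport` finding where one stand-in stops responding.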
This thesis aims to close the gap in independent, systematic analysis of commercial eSIM-on-SIM implementations. It proposes and demonstrates a differential testing framework that facilitates the black-box evaluation of these implementations in terms of correctness and security.
\section{Contribution}
% Contribution
% implement a framework for differential testing of eSIMs (eSIMs and eSIM on SIM)
% containing: fuzzing of structural input when communicating with the eSIM, fuzzing on the transport level, tracing and replaying recordings from one eSIM to another; make it accessible via CLI and as a library for scripting
% this includes a custom LPA implementation, APDU mutation engine, and structured fuzzing tools
% using property-based testing: generate valid but edge-case-rich inputs targeting high-level eSIM commands -> detecting errors beyond byte-level malformations
% using the tracing functionality we discover the first implementation differences
% reverse engineer the update functionality of the estk.me eSIM
% demonstrate the framework's ability in security research:
% through APDU-level differential testing, we discover and evaluate a bug in the profile provisioning process of one manufacturer -> suggests a potential security risk such as certificate validation bypass -> analyze and evaluate potential impact
This thesis presents a novel framework for the differential testing of \gls{esim} and eSIM-on-SIM implementations. The framework includes a custom \gls{lpa}, an \gls{apdu} mutation engine, and structured fuzzing tools. It enables tracing, mutation, and replaying of provisioning flows, and is exposed both through a command-line interface and as a Python library for scripting and automation. By employing property-based testing and structural input mutation, the framework generates valid but edge-case-rich test cases to evaluate high-level commands. This allows it to uncover subtle logic bugs beyond low-level malformed input handling.
We use the framework to analyze several commercial eSIM-on-SIM implementations. Our analysis reveals significant implementation differences, including a critical vulnerability in one vendor's certificate handling logic. Specifically, we uncover a bug that suggests a certificate validation bypass during the profile provisioning process. We also reverse-engineer the firmware update functionality of the estk.me card.
\section{Outline}
% Outline
% the thesis begins with background: provides the necessary background on SIMs, eSIMs, and the RSP architecture
% also introduces relevant standardization from 3GPP, GSMA, and ETSI
% Chapter 3 reviews related work: including academic research on SIM card security, emulation frameworks, and software tools relevant to analyzing eSIMs
% Chapter 4: details about the implementation of the testing framework -> tracing, mutation, structured fuzzing, and design of the custom LPA
% Chapter 5: evaluation of several commercial eSIM-on-SIM cards using the implemented framework, analyzing observed behaviour, and identifying inconsistencies across vendors
% Chapter 6: discuss the implications of our findings and reflect on potential weaknesses in current eSIM-on-SIM deployment models
% the last chapter: concludes the thesis, outlines possible future work, including testing of IoT-specific features, and supporting proactive commands
The thesis begins with an overview of \gls{sim} and \gls{esim} technologies in \cref{ch:background}, along with the \gls{rsp} architecture, to establish the necessary technical background. It also introduces the relevant standards developed by the \gls{gsma}, \gls{etsi}, and \gls{3gpp}. In \cref{ch:relatedwork}, it surveys related work in the domain of \gls{sim} and \gls{esim} security, focusing on academic literature, emulation frameworks, and software tools used for analysis.
The implementation of the proposed differential testing framework is described in \cref{ch:implementation}, covering the tracing infrastructure, \gls{apdu} mutation engine, and structured input generation logic. Following the implementation, we evaluate a selection of commercial eSIM-on-SIM cards using the developed framework in \cref{ch:evaluation}. We analyze inconsistencies in behavior across vendors and discuss potential deviations from the specifications. Finally, we discuss the broader implications of our findings in \cref{ch:discussion}, reflect on current limitations in eSIM-on-SIM deployment models, and propose avenues for future research in \cref{ch:conclusions}, including expanding the framework to support proactive commands and IoT-specific provisioning flows.