6 Takeaways from ENISA’s eSIM Security Guide

Embedded SIMs (eSIMs) are tiny chips that are built into networked devices to store the subscriber’s authentication details; an example is pictured. They differ from traditional SIMs because the information they contain can be rewritten by network operators and they are not meant to be transferred between devices. This generates new kinds of risks, such as a bad actor taking control of equipment by writing new identity information to the eSIM or a former owner’s identity being subverted because authentication information remains stored on the eSIM when the device is disposed of. The European Union Agency for Cybersecurity, ENISA, has published a guide on eSIM security risks and mitigations entitled Embedded SIM Ecosystem, Security Risks and Measures. Here are six key takeaways from their guide.

1. eSIMs Will Be Found in Sensitive Systems

It is natural to focus on eSIMs being incorporated into mobile phones but the small size, flat shape and embedded nature of these chips means they will also be found in many new kinds of networked devices. For example, they will be suited to equipment that needs to be waterproof. They will also be used in connected cards that are much slimmer than any phone. Their use for sensitive systems like medical IoT sensors, cars, wearables and home security installations will greatly increase the risks if the control of these systems can be compromised via the eSIMs they contain.

2. eSIM Swapping Has Already Begun

ENISA’s guide notes several instances of eSIMs already being taken over by malicious actors.

  • Attackers hijacked a device’s eSIM and then took over the banking apps linked to the device number, resulting in large amounts of money being siphoned from the accounts and converted to bitcoin.
  • Attackers got access to sensitive documents (including immigration documents and passport copies) via eSIM swapping. Using these documents, the attackers tried to open new banking accounts.
  • Attackers used eSIM swapping to get access to a device and the subscriber’s social media accounts, which they used to post racially charged messages.

The guide describes a variety of harms that can follow a successful eSIM swap, including: denial of service; identity interception; fraudulent network use; using a compromised device to spread misinformation; privacy breach; espionage; and spreading malware.

3. eSIMs Are Vulnerable to Memory Exhaustion Attacks Which Could Make Devices Unusable

Imagine a scenario where a ransomware hacker takes the next logical step by threatening to permanently disconnect a series of expensive new handsets from every mobile network, making it impossible to remotely update the compromised eSIMs within them. Such an attack could be realized by exhausting the memory of the eSIM by repeatedly adding garbage profiles to it. If no genuine profile is stored then the device will be ‘orphaned’ in the sense that it will no longer be possible to connect to a parent network. The guide observes how this could be extremely costly for operators, especially if they have just despatched a large number of the latest subsidized handsets.

It should also be noted that because of the profile being ‘orphaned’, neither MNOs nor the SM-DP [a profile management system] have the ability to delete it, which makes recovery of the device impossible.

4. Another Way to Prevent Profile Updates Involves Tricking the Device Into Thinking Its Memory Is Exhausted

A cryptographically secure system manages the communication of profiles to the eSIM but if this was compromised then it could be used to set an incorrect value for the amount of memory remaining on the eSIM. If this figure is set below the amount needed to add a new profile then further updates would not be possible. Such an attack may be difficult to detect because of the assumption that the memory of eSIMs in older devices will be progressively filled by new profiles over time, leading to the same effect.
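To make the two memory-related failure modes from takeaways 3 and 4 concrete, here is an added Python model of an eUICC's profile store with a defender-side consistency check. It is example code written for this page, not ENISA's or any vendor's implementation; the capacity, profile sizes, labels and the 'genuine' flag are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of an eUICC profile store; not ENISA's or any vendor's code.
# Capacity, profile sizes and the 'genuine' flag are assumptions for illustration.
@dataclass
class Profile:
    iccid: str      # constructed label, not a real ICCID
    size_kb: int
    genuine: bool   # issued by the subscriber's legitimate operator?

@dataclass
class Euicc:
    capacity_kb: int
    profiles: List[Profile] = field(default_factory=list)
    # Free-memory figure advertised over the profile-delivery path (takeaway 4).
    # None means the device sees the honest value derived from what is stored.
    advertised_free_kb: Optional[int] = None

    def actual_free_kb(self) -> int:
        return self.capacity_kb - sum(p.size_kb for p in self.profiles)

    def free_kb_seen_by_device(self) -> int:
        return self.actual_free_kb() if self.advertised_free_kb is None else self.advertised_free_kb

    def install(self, p: Profile) -> bool:
        # The device trusts the advertised figure when deciding whether a download fits.
        if self.free_kb_seen_by_device() < p.size_kb:
            return False
        self.profiles.append(p)
        return True

def audit(e: Euicc) -> List[str]:
    """Consistency checks an operator or fleet manager could run against its own records."""
    findings = []
    if e.free_kb_seen_by_device() != e.actual_free_kb():
        findings.append("advertised free memory disagrees with stored profiles")
    if not any(p.genuine for p in e.profiles):
        findings.append("no genuine profile stored: device is orphaned")
    return findings

def exhaustion_scenario() -> List[str]:
    """Takeaway 3: garbage profiles fill the chip, so a genuine one no longer fits."""
    e = Euicc(capacity_kb=256)
    for i in range(4):
        e.install(Profile(f"garbage-{i}", 60, genuine=False))
    ok = e.install(Profile("operator-profile", 60, genuine=True))
    return audit(e) + ([] if ok else ["genuine profile rejected: memory exhausted"])

def spoofed_memory_scenario() -> List[str]:
    """Takeaway 4: plenty of real space, but the advertised free figure is set too low."""
    e = Euicc(capacity_kb=256, advertised_free_kb=10)
    ok = e.install(Profile("operator-profile", 60, genuine=True))
    return audit(e) + ([] if ok else ["genuine profile rejected: advertised memory too low"])
```

In practice the audit's "actual" figure would come from the operator's own records of chip capacity and installed profile sizes, which is what makes the spoofed-memory case detectable rather than indistinguishable from an old chip filling up.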

5. Bad Operators Could Prevent Devices Being Ported By Manipulating Profiles

One of the advantages of eSIMs is that the ability to store multiple profiles permits the same device to be easily transferred from one network to another. However, a bad network operator could knowingly fill the eSIM memory just to prevent any new profile being added to it, thus making it impossible to change the network provider.

6. A Bad Actor Could Lock the eSIM to a Particular Network

Whilst eSIMs are meant to support devices being transferred between networks there is also a parameter to lock an eSIM to one specific profile, which is effectively the same as locking the device to one specific network. Governments and regulators may impose rules that prohibit network locking but the abuse of this specific parameter, perhaps with the intention of delaying a customer who wants to switch between communications providers, would be difficult to police.

Security Risks Left Unmentioned by ENISA

The authors of this guide possess far more technical knowledge than me, but it is apparent that some kinds of risks are either left unmentioned or they are only alluded to so vaguely that they might not receive the attention they deserve. This can occur when international organizations seek to be diplomatic about all the stakeholders who will participate in the adoption of a new technology even though not every stakeholder should be deemed trustworthy.

The risk of eSIMs being compromised by malware is covered at a high level but we should avoid the trap of assuming bad software only ever comes from outsiders. The guide describes the risks of users being tricked into downloading dangerous apps, but nothing is said about the risk of devices being supplied with pre-installed apps that already pose a risk to the user or other stakeholders. The authors discuss the possibility of badly-behaved network operators but barely examine the potential for badly-behaved suppliers of systems integral to the use of eSIMs. For example, each device will run a Local Profile Assistant (LPA) that will provide the interface so users can control the profiles they download to the eSIM. What if the LPA includes code that can autonomously instigate the download of a profile, and who will audit LPAs to check they do not contain such code?

The government of Lithuania caused a storm when they advised consumers to ‘get rid’ of Chinese-manufactured phones that contain hidden software that can censor the words users include in messages. Some Chinese and Russian-made phones have been found to come with spyware installed, whilst Taiwanese consumers have been warned about Chinese phones that were supplied with a scam game installed. It does not require much imagination to suppose a state actor could engage in espionage or give themselves the ability to rapidly disable large numbers of devices by forcing a manufacturer to adapt software so the eSIM profile can be subverted on command.

Much of the focus of this guide has been on the deployment of eSIMs, as might be expected for any new technology. However, as soon as we have a new technology we should have already planned for the risks that manifest themselves at the end of its life. Nothing in this report addresses the potential downsides of information being stored on a chip in an object that may be sold to a new owner or thrown away. Is there a mechanism to delete this data? Do mobile network operators have a responsibility for cleansing any profile data that was written to the eSIM? Perhaps the answers to these questions are known but they are not captured in this guide. This is an especial shame because the authors include generic advice on how users should protect themselves by not sharing personal details online and by regularly changing passwords, but seemingly forget that users can be most at risk when they stop thinking about a device they no longer use or possess. If steps need to be taken to secure eSIMs at the end of their life then these steps should also be communicated to all stakeholders required to take them, and if no steps are required then this should be stated just to provide confidence that the potential risks had not been omitted because of an oversight.

Embedded SIM Ecosystem, Security Risks and Measures is well worth reading, though its 36-page length leaves me feeling there are many more security risks that surround eSIMs which have yet to be documented. It can be downloaded free of charge and without registration from here.

The impact of eSIMs will be discussed by network testing expert John Davies, Managing Director of BluGem, on today’s episode of The Communications Risk Show. John will examine how eSIMs change the risk profile for networks and their customers, and the ways in which testing strategies should adapt to safely navigate the transition to increased use of eSIMs. You can ask questions by watching the livestream at tv.commsrisk.com beginning at 8am Seattle, 11am New York, 4pm London, 8.30pm New Delhi. If you miss the live show then the video recording and audio podcast will be available soon after the broadcast has ended.

Eric Priezkalns (http://revenueprotect.com)

Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), an association of professionals working in risk management and business assurance for communications providers. RAG was founded in 2003 and Eric was appointed CEO in 2016.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press.
