eSIM / Java Card VM Exploitation

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Overview

Embedded SIMs (eSIMs) are implemented as Embedded UICC (eUICC) smart cards that run a Java Card Virtual Machine (JC VM) on top of a secure element. Because profiles and applets can be provisioned over-the-air (OTA) through Remote SIM Provisioning (RSP), any memory-safety flaw inside the JC VM immediately becomes a remote code-execution primitive inside the most privileged part of the device.

This page describes a real-world full compromise of a Kigen eUICC (Infineon SLC37 ESA1M2, ARM SC300) caused by missing type-safety checks in the getfield and putfield bytecodes. The same technique can be applied against other vendors that skip on-card byte-code verification.

Attack Surface

  1. Remote Application Management (RAM) – eSIM profiles can include Java Card applets of any kind. Provisioning is done with standard APDUs that can be delivered over SMS-PP (Short Message Service Point-to-Point) or HTTPS. If an attacker owns (or steals) a profile's RAM keys, they can remotely INSTALL/LOAD a malicious applet.
  2. Java Card byte-code execution – after installation the applet is executed inside the VM. Missing run-time checks allow memory corruption.

Ecosystem changes 2024–2025

  • GSMA TS.48 v7.0 (18 Jun 2025) removed the public RAM keysets from the Generic Test Profile and blocks INSTALL unless randomized keys are provided; profiles encoded as v≤6 still expose static RAM keys and remain exploitable in the same way.
  • GSMA AN-2025-07 (09 Jul 2025) recommends on-card bytecode verification; many eUICCs still skip full verification, so VM memory bugs remain reachable after applet installation.
  • Kigen OTA hardening (Jul 2025) blocks applet loading while legacy TS.48 test profiles are active and adds runtime checks, but unpatched devices remain vulnerable.

The Type-Confusion Primitive

getfield / putfield are supposed to operate only on object references. In the Kigen eUICC the instructions never verify whether the operand on the stack is an object or an array reference. Because the array.length word lives at exactly the same offset as the first instance field of an ordinary object, an attacker can:

  1. Create a byte array byte[] buf = new byte[0x100];
  2. Cast it to Object o = (Object)buf;
  3. Use putfield to overwrite any 16-bit value inside a neighbouring object (including VTABLE / pointer-translation entries).
  4. Use getfield to read arbitrary memory once the internal pointers have been hijacked.

// Pseudo-bytecode sequence executed by the malicious applet
// buf = newarray byte 0x100
// o   = (Object) buf            // illegal but not verified
// putfield <victimObject+offset>, 0xCAFE // arbitrary write
// ... set up read-what-where gadgets ...
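To make the missing check concrete, the following toy model is an added example written for this page (not Kigen's, Infineon's or GSMA's code). It models the eUICC heap as a list of word arrays in which an array's length word and an object's first instance field share offset 0, exactly the overlap described above, and replays the pseudo-bytecode sequence through two VMs: one that only tests that the putfield operand is *some* reference, and one that checks the dynamic class on checkcast, getfield and putfield (the on-card verification the mitigation section asks for). The class name Victim, the instruction encoding and the field offsets are constructed for the example; the checkcast to Victim is assumed, since a well-formed putfield on a Victim field needs a Victim-typed operand.

```python
"""Toy model of the Java Card getfield/putfield type check (added example, not vendor code)."""
from typing import Dict, List, Optional, Tuple

SUPERCLASS = {"Victim": "Object", "Object": None}  # constructed class hierarchy


class HeapObject:
    def __init__(self, kind: str, cls: Optional[str], words: List[int]):
        self.kind = kind      # "object" or "array"
        self.cls = cls        # class name for objects, None for arrays
        self.words = words    # word 0 is the array length OR the first instance field


class VmError(Exception):
    pass


def instance_of(obj: HeapObject, cls: str) -> bool:
    """Dynamic type test: arrays are only assignable to Object, never to a class with fields."""
    if obj.kind != "object":
        return cls == "Object"
    c: Optional[str] = obj.cls
    while c is not None:
        if c == cls:
            return True
        c = SUPERCLASS[c]
    return False


def run(program: List[Tuple], checked: bool) -> List[HeapObject]:
    """Execute `program` and return the heap.
    checked=False mimics a VM that only tests that the operand is a reference (the Kigen behaviour
    described on the page); checked=True enforces the object/array distinction."""
    heap: List[HeapObject] = []
    stack: list = []
    locals_: Dict[int, object] = {}
    for op, arg in program:
        if op == "sipush":
            stack.append(arg)
        elif op == "newarray":                      # pop length, push array reference
            n = stack.pop()
            heap.append(HeapObject("array", None, [n] + [0] * n))
            stack.append(heap[-1])
        elif op == "new":                           # push a fresh instance with two zeroed fields
            heap.append(HeapObject("object", arg, [0, 0]))
            stack.append(heap[-1])
        elif op == "astore":
            locals_[arg] = stack.pop()
        elif op == "aload":
            stack.append(locals_[arg])
        elif op == "checkcast":                     # leaves the reference on the stack
            ref = stack[-1]
            if checked and not instance_of(ref, arg):
                raise VmError(f"checkcast to {arg} on a {ref.kind}")
        elif op in ("putfield", "getfield"):        # arg = (class, word offset)
            cls, off = arg
            value = stack.pop() if op == "putfield" else None
            ref = stack.pop()
            if not isinstance(ref, HeapObject):
                raise VmError(f"{op} on a non-reference")
            if checked and not instance_of(ref, cls):
                raise VmError(f"{op} {cls}.{off} on a {ref.kind}")
            if op == "putfield":
                ref.words[off] = value & 0xFFFF
            else:
                stack.append(ref.words[off])
        else:
            raise VmError(f"unknown op {op}")
    return heap


# The page's pseudo-bytecode as constructed instruction tuples: allocate a byte array, treat it
# as a Victim instance and write 0xCAFE into "field 0", i.e. into the array's length word.
CONFUSED = [
    ("sipush", 0x100), ("newarray", "byte"), ("astore", 0),
    ("aload", 0), ("checkcast", "Victim"),          # illegal cast; the unchecked VM never notices
    ("sipush", 0xCAFE), ("putfield", ("Victim", 0)),
]

# A legitimate write to a real Victim instance, for contrast.
BENIGN = [
    ("new", "Victim"), ("astore", 0),
    ("aload", 0), ("sipush", 0xCAFE), ("putfield", ("Victim", 0)),
]


def word0_after(program: List[Tuple], checked: bool) -> Optional[int]:
    """Run `program`; return word 0 of the first heap object, or None if the VM rejected the code."""
    try:
        heap = run(program, checked)
    except VmError:
        return None
    return heap[0].words[0]


if __name__ == "__main__":
    print("unchecked VM, confused sequence:", hex(word0_after(CONFUSED, checked=False)))  # 0xcafe
    print("checked VM,   confused sequence:", word0_after(CONFUSED, checked=True))        # None
    print("checked VM,   benign sequence:  ", hex(word0_after(BENIGN, checked=True)))     # 0xcafe
```

On the unchecked VM the array now reports a length of 0xCAFE words, which is the out-of-bounds primitive; the checked VM stops at the checkcast. A stack-top-only check that merely confirms "this is a reference" would pass both sequences, which is why the mitigation list below asks for full type tracking rather than a stack-top test.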

The primitive provides arbitrary read / write in the eUICC address space – enough to dump the device-unique ECC private key that authenticates the card to the GSMA ecosystem.

End-to-End Exploitation Flow

  1. Enumerate the firmware – use the undocumented GET DATA item DF1F:
80 CA DF 1F 00   // → "ECu10.13" (vulnerable)
  2. Install the malicious applet OTA – abuse the publicly known keys of the TS.48 Generic Test Profile and push SMS-PP fragments carrying the CAP file (LOAD) followed by INSTALL:
// simplified APDU chain
80 E6 02 00 <data>   // LOAD (block n)
80 E6 0C 00 <data>   // INSTALL for load
  3. Trigger the type confusion – when the applet is selected it performs the write-what-where to hijack the pointer table and leaks memory through normal APDU responses.
  4. Extract the GSMA certificate key – the private EC key is copied into the applet's RAM and returned in chunks.
  5. Impersonate the eUICC – the stolen key pair + certificates let the attacker authenticate to any RSP server as a legitimate card (EID binding may still be required by some operators).
  6. Download and modify profiles – plaintext profiles contain highly sensitive fields such as OPc, AMF, OTA keys and even additional applets. The attacker can:
  • Clone a profile to a second eUICC (voice/SMS hijack);
  • Patch Java Card applications (e.g. insert STK spyware) before re-uploading;
  • Extract operator secrets for large-scale abuse.

Cloning / Hijacking Demonstration

Installing the same profile on PHONE A and PHONE B results in the Mobile Switching Centre routing incoming traffic to whichever device most recently registered. One session of Gmail 2FA SMS interception is enough to bypass MFA for the victim.

Automated Test & Exploit Toolkit

The researchers released an internal tool with a bsc (Basic Security Check) command that immediately shows whether the Java Card VM is vulnerable:

scard> bsc
- castcheck        [arbitrary int/obj casts]
- ptrgranularity   [pointer granularity/tr table presence]
- locvaraccess     [local variable access]
- stkframeaccess   [stack frame access]
- instfieldaccess  [instance field access]
- objarrconfusion  [object/array size field confusion]

Modules shipped with the framework:

  • introspector – full VM and memory explorer (~1.7 MB Java)
  • security-test – generic verification bypass applet (~150 KB)
  • exploit – 100 % reliable Kigen eUICC compromise (~72 KB)

Mitigation Strategies

  1. On-card byte-code verification – enforce full control-flow & data-flow type tracking instead of checking only the stack top.
  2. Hide the array header – keep the length word outside the object fields that overlap with it.
  3. Harden the RAM-key policy – never ship profiles with public keys; disable INSTALL in test profiles (TS.48 v7 removes the RAM keysets).
  4. RSP server-side heuristics – rate-limit profile downloads per EID, monitor geographic anomalies, verify certificate freshness.
  5. Keep devices off legacy test profiles – apply the July 2025 OTA that blocks applet loading with TS.48 v≤6, or remove the test profile from factory images.
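Item 4 above is the one mitigation an operator can deploy without touching the cards, so here is an added example of what those server-side heuristics look like over a download log (example code written for this page, not GSMA's or any SM-DP+ vendor's). It implements the per-EID rate limit and the geographic-anomaly check from the list; the log format, the EIDs, the one-hour window and the threshold of three downloads are all constructed for the example, and a real deployment would tune them against its own baseline.

```python
"""RSP server-side anomaly heuristics over a constructed SM-DP+ download log (added example)."""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed EIDs (32 digits, like real EIDs, but not real ones).
EID_A = "89" + "0" * 29 + "1"   # downloads four profiles in eight minutes
EID_B = "89" + "0" * 29 + "2"   # downloads from two countries within one hour
EID_C = "89" + "0" * 29 + "3"   # normal behaviour

# Constructed SM-DP+ log: one profile download per line.
LOG = f"""\
2025-07-10T08:00:00Z eid={EID_A} event=profile_download country=DE
2025-07-10T08:05:00Z eid={EID_B} event=profile_download country=FR
2025-07-10T08:06:00Z eid={EID_A} event=profile_download country=DE
2025-07-10T08:07:00Z eid={EID_A} event=profile_download country=DE
2025-07-10T08:08:00Z eid={EID_A} event=profile_download country=DE
2025-07-10T08:30:00Z eid={EID_B} event=profile_download country=BR
2025-07-11T09:00:00Z eid={EID_C} event=profile_download country=US
"""

WINDOW = timedelta(hours=1)      # sliding window for both heuristics (constructed threshold)
MAX_DOWNLOADS_PER_WINDOW = 3     # more than this many downloads per EID in a window is flagged


def parse(log: str) -> List[dict]:
    """Turn 'timestamp key=value ...' lines into dicts with a parsed 'ts' field."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def find_anomalies(events: List[dict]) -> Dict[str, List[str]]:
    """Return {eid: [reasons]} for EIDs that trip the rate limit or change country inside one window."""
    by_eid: Dict[str, List[dict]] = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e.get("event") == "profile_download":
            by_eid.setdefault(e["eid"], []).append(e)

    findings: Dict[str, List[str]] = {}

    def flag(eid: str, reason: str) -> None:
        reasons = findings.setdefault(eid, [])
        if reason not in reasons:
            reasons.append(reason)

    for eid, evs in by_eid.items():
        start = 0
        for i in range(len(evs)):
            # slide the window start forward until it covers at most WINDOW of history
            while evs[i]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            window = evs[start:i + 1]
            if len(window) > MAX_DOWNLOADS_PER_WINDOW:
                flag(eid, "rate_limit")
            if len({w["country"] for w in window}) > 1:
                flag(eid, "geo_anomaly")
    return findings


if __name__ == "__main__":
    for eid, reasons in find_anomalies(parse(LOG)).items():
        print(eid, ", ".join(reasons))
```

The rate check catches the bulk-cloning pattern (one stolen eUICC identity pulling many profiles) and the country check catches a cloned identity being used from two places at once; both fire before any profile reaches a second device, which is the point at which the Cloning / Hijacking scenario above becomes live.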

Quick Checklist for Pentesters

  • Query GET DATA DF1F – vulnerable firmware string ECu10.13 indicates Kigen.
  • Check the loaded profiles: TS.48 test profiles with static RAM keys (v≤6) are directly exploitable; v7 without RAM keys needs a new key leak.
  • Check whether the RAM keys are known -> attempt OTA INSTALL/LOAD.
  • After applet installation, brute-force the simple cast primitive (objarrconfusion).
  • Try to read the Security Domain private keys – success = full compromise.
