Kigen’s embedded Universal Integrated Circuit Cards (eUICC) are said to have a previously unknown vulnerability. This chilling situation puts the security of billions of Internet of Things (IoT) devices at risk. Kigen, an Irish company known for enabling over 2 billion SIMs in IoT devices by December 2020, faces scrutiny as details of the flaw emerge.
The vulnerability is said to mainly affect Gemalto SIM cards, which use Java Card technology. As security experts explained, a determined attacker can take advantage of this vulnerability: they only have to get physical access to a target eUICC, and the entire process depends on publicly known keys. This reliance can leave lucrative opportunities for hackers to remotely access and tamper with devices.
Kigen acknowledged the severity of the situation, stating that “successful exploitation requires a combination of specific conditions. An attacker must first gain physical access to a target eUICC and use publicly known keys.” This admission alone highlights the need for physical security measures stronger than those currently protecting these devices. The danger arises when an adversary is able to get to the eUICC directly.
According to Security Explorations, the flaw is capable of breaking “memory safety of the underlying Java Card VM.” This means that, once inside, an attacker would be able to use Java Card’s unique environment to carry out high-risk actions. The implications are huge: Kigen’s SIMs are critical to many of the IoT systems that are quickly becoming embedded in our critical infrastructure.
“The eUICC card makes it possible to install the so-called eSIM profiles into the target chip,” noted Security Explorations. In fact, this functionality enables agile control of mobile connectivity across an increasingly sophisticated landscape of IoT devices. It also provides an opportunity for attackers to exploit vulnerabilities once inside.
As Kigen addresses this security challenge, it brings to light the need for physical security protocols around IoT devices. The company’s world-leading migration to eUICC technology highlights how important it is to remain vigilant while securing these devices against future threats.