Security issue with test profiles (e.g. GSMA TS.48)
A research-focused attack exploiting ambiguity in GSMA TS.48 test profiles affected a downstream environment. Here's what happened and the steps we've taken.
We are writing to inform you of a recently identified security issue related to test profiles (e.g. GSMA TS.48) and their use within an eSIM. This issue affected one of our downstream environments and involves the ability to install unauthorized applets onto an eSIM under specific, highly controlled conditions.
The vulnerability stems from ambiguity in the GSMA TS.48 specification, which may allow post-issuance applet installation and misuse of Remote Applet Management (RAM) functions. In this case, an independent security researcher with physical access to eight of our eSIMs and knowledge of fixed security keys was able to exploit these functions over a period of seven months to retrieve other secrets from the eSIM. This was a highly sophisticated, research-focused attack.
Because test profiles are purpose-specific (e.g. connecting to device test environments), they do not allow live cellular network connections. As far as we currently understand, a remote attack is not possible.
We want to reassure you that we have already taken strong measures:
- We have updated our platform to block the use of TS.48 for RAM.
- We are notifying affected customers and partners.
- We are distributing security patches wherever there may be any risk, however small.
- We will work closely with the ecosystem to improve the clarity of the TS.48 standard for the wider industry.
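The first measure above (refusing Remote Applet Management on test profiles), as an added example that is not the platform's own code: a policy layer that classifies GlobalPlatform card-content-management APDUs and blocks them when the active profile is a test profile. The profile classes follow the SGP.22 profileClass values; the APDU bytes and ICCID are constructed sample data, not taken from the notice.

```python
"""Added example: platform policy that refuses GlobalPlatform Remote Applet
Management (RAM) commands when the active profile is a test profile. Profile
classes follow SGP.22 profileClass; APDUs and ICCID below are constructed."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Tuple

class ProfileClass(IntEnum):
    TEST = 0          # the class a TS.48-style test profile is installed as
    PROVISIONING = 1
    OPERATIONAL = 2

@dataclass
class Profile:
    iccid: str
    profile_class: ProfileClass

# GlobalPlatform Card Specification INS bytes for card-content management.
RAM_INS = {0xE6: "INSTALL", 0xE8: "LOAD", 0xE4: "DELETE", 0xD8: "PUT KEY"}
INSTALL_P1 = {0x02: "for load", 0x04: "for install", 0x08: "for make selectable"}

def describe_ram(apdu: bytes) -> Optional[str]:
    """Label the APDU if it is a RAM command, else None; reject truncated headers."""
    if len(apdu) < 4:
        raise ValueError("APDU header shorter than 4 bytes")
    cla, ins, p1 = apdu[0], apdu[1], apdu[2]
    if cla not in (0x80, 0x84) or ins not in RAM_INS:  # 0x80 plain, 0x84 secured
        return None
    label = RAM_INS[ins]
    if ins == 0xE6:
        label += " " + INSTALL_P1.get(p1, f"(P1={p1:#04x})")
    return label

def enforce(profile: Profile, apdu: bytes) -> Tuple[bool, str]:
    """Decide whether the platform forwards the APDU to the eUICC."""
    try:
        op = describe_ram(apdu)
    except ValueError as exc:
        return False, f"blocked: {exc}"
    if op is None:
        return True, "forwarded: not a RAM command"
    if profile.profile_class is ProfileClass.TEST:
        return False, f"blocked {op}: RAM denied on test profile {profile.iccid}"
    return True, f"forwarded {op} on {profile.profile_class.name} profile"

# Constructed sample traffic: INSTALL [for load] and a plain SELECT by AID.
INSTALL_FOR_LOAD = bytes.fromhex("80E602000A05A00000000100000000")
SELECT_BY_AID = bytes.fromhex("00A4040000")
TEST_PROFILE = Profile("89000000000000000001", ProfileClass.TEST)  # placeholder ICCID
```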
At this time there is no indication of a broader compromise. This situation was contained to a specific scenario requiring insider knowledge and extended physical access to our eSIMs — access normally limited to trusted parties. As a precaution, however, we are proactively informing our customers.