Security issues with Test profiles (e.g. GSMA TS.48)


We are writing to inform you of a recently identified security issue related to test profiles (e.g. GSMA TS.48) and their use within an eSIM. This issue has affected one of our downstream environments and involves the ability to install unauthorized applets onto an eSIM under specific and highly controlled conditions.

The vulnerability stems from ambiguity in the GSMA TS.48 specification, which may allow post-issuance applet installation and misuse of Remote Applet Management (RAM) functions. In this case, an independent security researcher with physical access to eight of our eSIMs and knowledge of fixed security keys was able to exploit these functions over a period of seven months to then retrieve other secrets from the eSIM. This was a highly sophisticated, research-focused attack.

As the Test Profiles are purpose-specific, e.g. connection to Device Test Environments, they do not allow for live cellular network connections. Currently, it is our understanding that a remote attack is not possible.

We want to reassure you that we have already taken strong measures:

· We have updated our platform to block the use of TS.48 for RAM.
· We are notifying relevant customers and partners.
· We are distributing security patches where there may be any risk, no matter how small.
· We will be working closely with the ecosystem to improve the clarity of the TS.48 standards for the wider industry.

At this time, there is no indication of a broader compromise, and this situation was contained to a specific scenario requiring insider knowledge and extended access to our eSIM that is usually limited to trusted actors. However, as a precaution, we are proactively informing our customers.
