hack.lu 2023

Embedded Threats: A Deep Dive into the eSIM World
2023-10-18 , Salle Europe

With the increasing adoption of the embedded SIM (eSIM), or embedded Universal Integrated Circuit Card (eUICC), new connectivity opportunities and conveniences are emerging for users. With these advances, however, come new potential vulnerabilities and security implications. This presentation sheds light on the so far largely unexplored attack surface of eSIM technology and highlights the risks and challenges of a technology that is now widely deployed. Support for eSIM is available in modern mobile phones and also in popular desktop devices such as Lenovo ThinkPads running Microsoft Windows 10 and 11. By exploring the intricacies of eSIM security, we aim to raise awareness of the potential for offensive operations, both with the eSIM itself as a tool and in post-compromise situations.


This talk is the 2023 continuation of a talk called "Mobile Authentication Subspace Travel"[1] given in 2015 at several security conferences. The main point of that talk was to implement what is nowadays called an eSIM by patching the baseband of popular MediaTek phones, and to explore the relationship between mobile network security, SIM card modules, and the baseband attack surface they pose.
Fast-forward to 2023: eSIMs are now standardized by the GSMA and present in modern devices.
On top of this, they are now present on desktop systems such as Microsoft Windows as well.

The talk will highlight the security aspects of eSIMs by covering the following topics:

  1. Overview of the eSIM attack surface in desktop systems and a comparison with mobile operating systems:

We will begin the talk with a comprehensive overview of the attack surface of eSIM technology in desktop systems, addressing the differences and similarities with mobile operating systems. This analysis will cover the challenges and vulnerabilities that arise from the rather complex architecture and implementation of eSIMs on desktop and mobile platforms, and highlight the need for a thorough understanding of the risks in both environments. The risks in multi-user enterprise environments will receive particular attention.

  1. Secure deployment of eSIM profiles (from SM-DP+ to hardware eSIM):

Secure deployment of eSIM profiles is a critical component of maintaining the overall security of mobile networks, but also of the hardware devices and operating systems involved. We will walk through the process starting at the Subscription Manager - Data Preparation Plus (SM-DP+) server and show how profiles are deployed to the hardware eSIM. By examining the key security measures and best practices meant to ensure the confidentiality, integrity, and availability of eSIM profiles throughout the deployment lifecycle, we will show the risks arising from profiles originally intended for debugging purposes only, and test whether the mitigations the GSMA put in place to keep control over the eSIM ecosystem are actually effective.
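To make the SM-DP+ to eUICC path concrete, the following is an added example written for this abstract; it is not code from the talk, from any LPA implementation, or from the GSMA. It parses an SGP.22 activation code (the string an operator's QR code carries, of the form `LPA:1$<SM-DP+ address>$<matching ID>[$<SM-DP+ OID>[$<confirmation code flag>]]`), and then builds the first ES9+ message an LPA sends to the SM-DP+ (`initiateAuthentication`). The host names, matching ID, eUICC challenge and `euiccInfo1` bytes are constructed sample values; the endpoint path, headers and JSON field names are assumed to follow SGP.22 v2.x as the author understands it.

```python
"""Parse an SGP.22 activation code and build the ES9+ initiateAuthentication
request that starts a profile download.

Added example for this abstract; not code from the talk or the GSMA.
All sample host names, matching IDs and eUICC data below are constructed.
"""
import base64
import json
import re
from dataclasses import dataclass
from typing import Optional

# SGP.22 4.1: "LPA:" + AC_Format "1" + "$" + SM-DP+ address + "$" + AC_Token
#             [+ "$" + SM-DP+ OID [+ "$" + confirmation-code-required flag]]
AC_PREFIX = "LPA:"
AC_FORMAT = "1"
# The address must be a bare FQDN: a scheme, port, path or userinfo in the
# code would let an attacker steer the LPA somewhere other than an SM-DP+.
FQDN_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")
OID_RE = re.compile(r"^\d+(\.\d+)+$")
# ES9+ endpoint path as used by the LPA (assumption, SGP.22 v2.x).
ES9PLUS_PATH = "/gsma/rsp2/es9plus/initiateAuthentication"


@dataclass(frozen=True)
class ActivationCode:
    smdp_address: str            # FQDN the LPA opens a TLS session to
    matching_id: str             # AC_Token; may be empty
    smdp_oid: Optional[str]      # object identifier of the SM-DP+, optional
    confirmation_code_required: bool


def parse_activation_code(code: str) -> ActivationCode:
    """Strictly parse an activation code; raise ValueError on anything odd."""
    code = code.strip()
    if len(code) > 255 or not code.startswith(AC_PREFIX):
        raise ValueError("not an activation code")
    fields = code[len(AC_PREFIX):].split("$")
    if len(fields) < 3 or len(fields) > 5:
        raise ValueError("wrong number of fields")
    if fields[0] != AC_FORMAT:
        raise ValueError(f"unsupported AC_Format {fields[0]!r}")
    address = fields[1]
    if not FQDN_RE.match(address):
        raise ValueError(f"SM-DP+ address is not a plain FQDN: {address!r}")
    oid = fields[3] if len(fields) > 3 and fields[3] else None
    if oid is not None and not OID_RE.match(oid):
        raise ValueError(f"bad SM-DP+ OID: {oid!r}")
    cc_flag = fields[4] if len(fields) > 4 else ""
    return ActivationCode(address, fields[2], oid, cc_flag == "1")


def build_initiate_authentication(ac: ActivationCode, euicc_challenge: bytes,
                                  euicc_info1_der: bytes) -> dict:
    """Describe the HTTPS request the LPA sends to start mutual authentication.

    euicc_challenge is the 16-octet random value obtained from the eUICC
    (ES10b.GetEUICCChallenge); euicc_info1_der is the DER-encoded EUICCInfo1.
    """
    if len(euicc_challenge) != 16:
        raise ValueError("euiccChallenge must be 16 octets from the eUICC")
    body = {
        "euiccChallenge": base64.b64encode(euicc_challenge).decode("ascii"),
        "euiccInfo1": base64.b64encode(euicc_info1_der).decode("ascii"),
        "smdpAddress": ac.smdp_address,
    }
    return {
        "method": "POST",
        "url": f"https://{ac.smdp_address}{ES9PLUS_PATH}",
        "headers": {
            "Content-Type": "application/json",
            "X-Admin-Protocol": "gsma/rsp/v2.2.0",
            "User-Agent": "gsma-rsp-lpad",
        },
        "body": json.dumps(body),
    }


def server_address_matches(ac: ActivationCode, server_signed1_address: str) -> bool:
    """The SM-DP+ echoes the address back inside the signed serverSigned1
    structure; an LPA that skips this comparison can be steered to a relayed
    or substituted server. Host names compare case-insensitively."""
    return server_signed1_address.lower() == ac.smdp_address.lower()


if __name__ == "__main__":
    # Constructed sample code, not a real operator's; the euiccInfo1 bytes are
    # a placeholder empty [32] SEQUENCE, not real eUICC data.
    sample = "LPA:1$smdp.example.net$ABCDE-12345-FGHIJ$1.3.6.1.4.1.31746$1"
    ac = parse_activation_code(sample)
    req = build_initiate_authentication(ac, bytes(range(16)), b"\xbf\x20\x00")
    print(ac)
    print(req["url"])
    print(req["body"])
```

The strict FQDN check and the explicit confirmation-code flag are the two places where a lax LPA gives away ground: a code that smuggles a port or path can point the download at a host that is not the operator's SM-DP+, and ignoring the flag lets a profile bind without the out-of-band confirmation the operator asked for. The real flow continues with the eUICC verifying the SM-DP+ certificate chain up to the GSMA CI before any profile material is transferred.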

  1. Attack surface on Windows and the Local Profile Assistant (LPA) service in the light of privilege escalation attacks:

To investigate the security implications on Windows desktop systems, we will examine the local attack surface, focusing on the Local Profile Assistant (LPA) service and its potential role in privilege escalation attacks, both within an organization and on the local system. We will outline the vulnerabilities and attack vectors that attackers can exploit to gain unauthorized access and elevated privileges, emphasizing the importance of securing the LPA service and its associated components.

  1. Use of eSIMs in offensive red-teaming operations:

Finally, we will explore how eSIM technology can be used in offensive red-teaming operations to simulate sophisticated threats and assess an organization's overall security posture. This section will present real-world examples and scenarios that demonstrate how eSIMs can be used to circumvent traditional security measures, exfiltrate sensitive data, and compromise network infrastructure.

In summary, the rapid adoption of eSIM technology offers a host of new opportunities and conveniences, but also introduces a number of potential vulnerabilities and security issues. By examining the attack surface associated with eSIMs and discussing secure deployment practices, local attack vectors, and red-teaming applications, this presentation aims to encourage a proactive approach to securing eSIM technology. It is critical that the security community develops robust strategies to mitigate these risks and to ensure the continued security and reliability of eSIMs.

[1] https://conference.hitb.org/hitbsecconf2015ams/materials/D1T1%20-%20Markus%20Vervier%20-%20Mobile%20Authentication%

During the last 18 years Markus has gathered professional experience in offensive IT security, working as a security researcher, code auditor, and penetration tester. He likes to review code, reverse engineer the unknown, and discover vulnerabilities in applications on various platforms and architectures.
Some of his notable accomplishments include the security analysis and reverse engineering of embedded firmware for mobile devices, discovering vulnerabilities in the Signal Private Messenger in collaboration with JP Aumasson, and finding a remote vulnerability in libOTR.