Merge pull request #1787 from HackTricks-wiki/research_update_src_generic-hacking_esim-javacard-exploitation_20260120_130322

carlospolop · web-flow · commit fdc48ba10bc0 · 2026-01-20T14:23:57.000+01:00
Research Update Enhanced src/generic-hacking/esim-javacard-e...
diff --git a/src/generic-hacking/esim-javacard-exploitation.md b/src/generic-hacking/esim-javacard-exploitation.md
@@ -14,6 +14,11 @@ This page describes a real-world full compromise of Kigen’s eUICC (Infineon SL
 2. **Java Card byte-code execution**  
    After installation, the applet executes inside the VM.  Missing run-time checks allow memory corruption.
 
+### 2024–2025 ecosystem changes
+* **GSMA TS.48 v7.0 (18 Jun 2025)** removed public RAM keysets from the Generic Test Profile and blocks `INSTALL` unless randomized keys are provided; cached v≤6 profiles still expose static RAM keys and remain exploitable.
+* **GSMA AN‑2025‑07 (09 Jul 2025)** recommends on-card bytecode verification; most eUICCs still skip full verification so VM memory bugs stay reachable after applet install.
+* **Kigen OTA hardening (Jul 2025)** blocks applet loading when legacy TS.48 test profiles are active and adds runtime checks, but unpatched devices stay vulnerable.
+
 ## The Type-Confusion Primitive
 `getfield` / `putfield` are supposed to operate only on **object references**.  In Kigen eUICC the instructions never validate whether the operand on the stack is an *object* or an *array* reference.  Because an `array.length` word lives at the exact same offset as the first instance field of a normal object, an attacker can:
 
@@ -72,18 +77,22 @@ Modules shipped with the framework:
 ## Mitigations
 1. **On-card byte-code verification** – enforce full control-flow & data-flow type tracking instead of stack-top only.
 2. **Hide array header** – place `length` outside of overlapping object fields.
-3. **Harden RAM keys policy** – never ship profiles with public keys; disable `INSTALL` in test profiles (addressed in GSMA TS.48 v7).
+3. **Harden RAM keys policy** – never ship profiles with public keys; disable `INSTALL` in test profiles (TS.48 v7 removes RAM keysets).
 4. **RSP server side heuristics** – rate-limit profile downloads per EID, monitor geographic anomalies, validate certificate freshness.
+5. **Keep devices off legacy test profiles** – apply the July 2025 OTA that blocks applet loading with TS.48 v≤6 or remove the test profile from factory images.
 
 ## Quick Checklist for Pentesters
 * Query `GET DATA DF1F` – vulnerable firmware string `ECu10.13` indicates Kigen.
+* Inspect loaded profiles: TS.48 test profiles with static RAM keys (v≤6) are directly exploitable; v7 without RAM keys need a new key leak.
 * Check if RAM keys are known ‑> attempt OTA `INSTALL`/`LOAD`.
 * After applet installation, brute-force simple cast primitive (`objarrconfusion`).
 * Try to read Security Domain private keys – success = full compromise.
 
 ## References
 - [Security Explorations – eSIM security](https://security-explorations.com/esim-security.html)
 - [GSMA TS.48 Generic Test Profile v7.0](https://www.gsma.com/get-involved/working-groups/gsma_resources/ts-48-v7-0-generic-euicc-test-profile-for-device-testing/)
+- [GSMA AN-2025-07 Preventing misuse of an eUICC Profile](https://www.gsma.com/solutions-and-impact/technologies/esim/gsma_resources/an-2025-07-preventing-misuse-of-an-euicc-profile-and-installation-of-malicious-java-card-application-v1-0/)
+- [The Hacker News – eSIM vulnerability in Kigen eUICC (July 2025)](https://thehackernews.com/2025/07/esim-vulnerability-in-kigens-euicc.html)
 - [Java Card VM Specification 3.1](https://docs.oracle.com/en/java/javacard/3.1/jc-vm-spec/F12650_05.pdf)
 
 {{#include ../banners/hacktricks-training.md}}
