How to steal the QR code is out of scope of the attack described and is dependent on the security profile of any given carrier, but the important point is this:
Currently, an attacker installing the eSIM profile themselves is very visible, as it breaks the QR code for the legitimate user due to the singleton property (or, if the user installs it first, locks the attacker out anyway). If it happens, the legitimate user will call in and complain, and the carrier will at least revoke the current profile, and possibly even realize that something's afoot.
That property going away probably changes the threat model of most carriers in a way not initially anticipated.
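An added illustration of the singleton property the comment above describes (example code written for this page, not the commenter's code and not any carrier's or SM-DP+ vendor's implementation). It parses the GSMA SGP.22 activation-code string that a carrier's eSIM QR code encodes (`LPA:1$<SM-DP+ address>$<matching ID>...`) and runs two download attempts against a toy SM-DP+ that either enforces one download per matching ID or does not. The hostname, matching ID and EIDs are made up; the `MockSmdp` class is a stand-in for the real server and models nothing of the RSP protocol beyond the one-download rule.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# GSMA SGP.22 activation-code format, the payload a carrier's eSIM QR code encodes:
#   LPA:1$<SM-DP+ address>$<matching ID>[$<SM-DP+ OID>[$<confirmation-code flag>]]
# The matching ID is the "secret profile identifier" discussed in the thread.
_AC_PREFIX = "LPA:1"
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d+)?$")


@dataclass(frozen=True)
class ActivationCode:
    smdp_address: str
    matching_id: str
    smdp_oid: str = ""
    confirmation_code_required: bool = False


def parse_activation_code(text: str) -> ActivationCode:
    """Split an LPA:1 activation code into its fields; rejects malformed input."""
    parts = text.strip().split("$")
    if parts[0] != _AC_PREFIX or not 3 <= len(parts) <= 5:
        raise ValueError(f"not an LPA:1 activation code: {text!r}")
    address, matching_id = parts[1], parts[2]
    if not _HOST_RE.match(address):
        raise ValueError(f"bad SM-DP+ address: {address!r}")
    if not matching_id:  # simplification: this example requires an explicit matching ID
        raise ValueError("empty matching ID")
    oid = parts[3] if len(parts) > 3 else ""
    flag = parts[4] if len(parts) > 4 else "0"
    if flag not in ("", "0", "1"):
        raise ValueError(f"bad confirmation-code flag: {flag!r}")
    return ActivationCode(address, matching_id, oid, flag == "1")


class MockSmdp:
    """Toy SM-DP+ constructed for this example. Each matching ID maps to the
    list of EIDs that have pulled the profile so far."""

    def __init__(self, singleton: bool = True):
        self.singleton = singleton
        self._profiles: Dict[str, List[str]] = {}

    def provision(self, matching_id: str) -> None:
        self._profiles[matching_id] = []

    def download(self, code: ActivationCode, eid: str) -> str:
        history = self._profiles.get(code.matching_id)
        if history is None:
            return "rejected: unknown matching ID"
        if self.singleton and history:
            # Singleton property: the first download consumes the code, so whoever
            # comes second (victim or attacker) gets a visible failure.
            return "rejected: already consumed"
        history.append(eid)
        return "ok"

    def downloaded_by(self, matching_id: str) -> List[str]:
        return list(self._profiles[matching_id])


def simulate(singleton: bool) -> dict:
    """Attacker installs from a stolen QR code first, then the legitimate user tries."""
    smdp = MockSmdp(singleton=singleton)
    code = parse_activation_code("LPA:1$smdp.example.invalid$ABC-123-XYZ")  # constructed
    smdp.provision(code.matching_id)
    attacker = smdp.download(code, "89000000000000000001")  # made-up EID
    victim = smdp.download(code, "89000000000000000002")    # made-up EID
    return {
        "attacker": attacker,
        "victim": victim,
        # What the carrier can see afterwards: one EID, or two.
        "downloaded_by": smdp.downloaded_by(code.matching_id),
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("singleton" if mode else "no singleton", simulate(mode))
```

With the singleton rule the victim's install fails loudly and the carrier ends up with a support call; without it both downloads return "ok" and the only trace is a second EID in the server-side history, which nobody looks at unless the carrier has decided to alert on it.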
Thank you. I think my confusion on concern stemmed from some opinions I held:
- Any key of mine should be copyable by me.
- Any key of mine (or copy thereof) should be usable as I see fit*.
- If someone had physical access to a device, we can assume they control it and have all information and communications on it, potentially forever due to the layered architecture of modern hardware systems.
- If someone compromised a network provider, we can assume they control all configuration and communication, potentially forever on the existing devices, for the same reasons.
* - though I obviously wouldn't want to use them in a way that illegally hurts people, like driving drunk and getting into an accident
The thing with eSIMs and SIM cards before is that they aren't keys of yours; network carriers like to own them instead. Everything about mobile communications is oriented towards that: the tamper-proof chips, "secure" firmware, etc.
> 1. Intercept the eSIM setup QR code (which contains two things: the URL of the SM-DP and a secret profile identifier)
1. How might this be done? Would this require a separate attack, or are the mechanics a part of the attack described in the article?
2. Is this possible with the eSIM already set up on my phone?