Researchers have successfully hacked a widely used chip that stores eSIM (embedded SIM) profiles, leaving billions of users vulnerable to SIM cloning, spoofing, spying on them, and related security implications.
Security Exploration, a security research lab based in Poland, said it successfully breached the implementation of an embedded Universal integrated circuit card (eUICC) developed by Kigen.
The hack allows attackers to extract certificates and download decrypted eSIM profiles and other sensitive data, affecting users of major operators like AT&T, Vodafone, T‑Mobile, or China Mobile.
The report confirms that attackers can abuse the flaw to clone and spoof eSIMs. Kigen eSIM products are used across IoT applications, ranging from industrial IoT to consumer devices.
“A vulnerability in the GSMA TS.48 Generic Test Profile (v6.0 and earlier), used in all eSIM products across the industry for radio compliance testing, allows installation of non-verified and potentially malicious applets,”
Kigen said in the security bulletin.
An eSIM is a digital version of a SIM card embedded directly into a device as software installed onto an eUICC chip. It enables downloading, storing, and seamlessly switching between eSIMs from multiple carriers.
While the researchers did not mention specific consumer devices that are vulnerable to hacks, they warned that eSIM chips are embedded in most modern smartphones and might all be susceptible.
Kigen previously stated that its tech is used to store over two billion eSIMs worldwide. The company lists major ecosystems, such as Android, ARM, Qualcomm, and leading telecoms, among its partners.
The researchers tested their proof-of-concept code to hack Kigen’s ECu10.13 eSIM product.
They warn that the attack is not limited to physical access, but network access should be assumed.
“The hack proves no security/isolation for the eSIM profile and Java apps (no security for eUICC memory content),” the report reads.
“The issues can be exploited over-the-air.”
Kigen acknowledged the issue and awarded the researchers a $30,000 bug bounty.
“A vulnerability in the GSMA TS.48 Generic Test Profile (v6.0 and earlier), used in all eSIM products across the industry for radio compliance testing, allows installation of non-verified and potentially malicious applets,” Kigen said in the security bulletin. It noted that the patch has been distributed to all Kigen customers.
However, it seems there are some disagreements on the severity of the issue and its mitigation.
Problems might be deeper than the patches cover
The researchers explained that a type confusion flaw affects Java Card VM itself, a lightweight version of Java Virtual Machine for small applications (applets). The core issue lies in the longstanding vulnerabilities of the Java Card VM, not just in Kigen’s implementation, which suggests that other eSIM implementations may also be vulnerable.
The team provided Kigen with ”multiple (100+) security vulnerabilities affecting its Java Card VM implementation " and other ideas that could help mitigate the exploitation scenarios.
However, the researchers found that Kigen mitigated the flaws by introducing quick checks to nearly all of the ~180 JavaCard bytecode instructions, but failed to address the deeper underlying issue: “no real control-flow tracking.”
“Kigen fell the victim of anyone trying to implement some form of a bytecode verification without proper background/state-of-the-art knowledge on the topic,” the report reads.
“There is no reference to any JavaCard vulnerabilities.”
The researchers relied on physical access and knowledge of the keys used for malicious Java app installation on the device, and assumed remote exploitation is plausible over the OTA SMS-PP (Short Message Service Point to Point) protocol if the keys leaked.
Kigen’s advisory claims that an attacker, to install malicious applets, “must first gain physical access to a target eUICC and use publicly known keys.” This indirectly denies the remote attack vector.
GSMA standards require eUICCs to implement remote management/remote SW update functionalities, “which alone constitute a significant threat surface,” the researchers argue.
The GSMA (GSM Association) and Oracle Java Card team were made aware of the underlying issues.
How dangerous is this hack?
The researchers demonstrated how an attacker could clone an Orange Poland eSIM profile onto another device with separate eUICC chips and hijack calls and SMS from legitimate users, including OTP codes.
“One can download arbitrary profiles from mobile network operators (MNOs) in cleartext,” the researchers said.
“We have used Kigen eUICC cert to download decrypted eSIM profiles for various MNOs (ATT, Vodafone, O2, Orange, Bouygues Telecom, DTAC, China Mobile, CMHK, and T-Mobile in particular).”
The theft of the GSMA certificate means that there is no need to hack the hardware protecting eSIMs. These profiles contain operator secrets, such as subscriber/and network configurations, secret/OTA keys, Java apps, etc.
SIM cards also contain the network operators' key OPc and an Authentication Management Field (AMF) critical secrets that should be safeguarded “at any cost.”
Hackers can also modify the eSIMs before adding them to other devices. The operators will not be able to detect the tampering and might lose control over the profile, and be provided “with a completely false view of the profile state.”
The researchers demonstrated uploading duplicated eSIMs to both Samsung (Android) and Apple smartphones.
They have not tried to hack eSIM chips used in mobile phones from major vendors, but the team also haven’t “tried all of the ideas.”
“That architecture alone makes eSIM a perfect attack target and backdoor location for nation states/cybercrime groups,” the researchers concluded.
Your email address will not be published. Required fields are markedmarked