
Researchers at AG Security Research have discovered vulnerabilities in the eSIM technology used in modern smartphones. The issues affect the eUICC software package by Kigen, which is used by billions of devices.
Embedded SIM cards (eSIMs) are becoming increasingly popular. They eliminate the need for physical SIM cards in mobile phones and IoT devices. One of the essential components of the eSIM ecosystem is the eUICC (embedded Universal Integrated Circuit Card) chip, which is integrated into the device and allows SIM profiles to be installed remotely and multiple profiles to be used for connecting to various mobile networks.
According to Kigen data, as of December 2020, approximately two billion such SIM cards were used in IoT devices.
According to the security bulletin released by Kigen last week, the issue discovered by experts affects the GSMA TS.48 Generic Test Profile, version 6.0 and earlier, which is used in eSIM products for compliance testing in telecommunications.
In fact, the researchers discovered that some mobile operators supply a “test profile” for Kigen eUICCs that uses a default secret key to protect eSIM data. This secret key can be extracted from a device to which an attacker has physical access, and can subsequently be used to sign and deploy unverified, malicious Java Card applets. Such applets can be used to attack the Java Card VM that runs on the eUICC chip.
GSMA TS.48 v7.0, released last month, addresses the issue by limiting the use of the test profile and preventing the installation of remote applets. Other versions of the TS.48 specification are no longer in use.
“Successful exploitation of the issue requires a combination of factors. First, the attacker must gain physical access to the target eUICC and use publicly available keys,” explains Kigen. “This will allow them to install a malicious Java Card applet.”
The vulnerability may also facilitate the extraction of the Kigen eUICC identification certificate, allowing an attacker to download arbitrary mobile network operator profiles in unencrypted form, gain access to confidential information, modify these profiles, and deploy them on any eUICC without detection by the operator.
AG Security Research states that this study is based on the results of a previous analysis conducted in 2019. At that time, numerous vulnerabilities were discovered in Oracle Java Card, which allowed for the deployment of a persistent backdoor. One of the bugs also affected Gemalto SIM, which relies on Java Card technology.
These issues could be exploited to “compromise the memory safety of the base Java Card VM,” gain full access to the card’s memory, breach the applet firewall, and execute native code.
However, at the time, representatives from Oracle stated that these “security concerns” did not affect the industrial version of Java Card VM and also attempted to downplay the significance of the issue. According to AG Security Research, it is now proven that these “concerns” were indeed real bugs.
While such attacks may seem complex, the researchers say they are well within the capabilities of APT groups. The vulnerabilities allow eSIMs to be compromised and cloned, and a hidden backdoor that intercepts all communications to be installed.
Although the current research focuses on Kigen solutions, eUICC solutions from other vendors may also be vulnerable to similar attacks, as the main issue is linked to a series of old vulnerabilities in Java Card.
“A loaded profile can potentially be modified in such a way that the operator loses control over it (unable to manage it remotely, unable to disable or revoke it, and so on). The operator may receive a completely false view of the profile’s status, while all activity can be monitored,” explain the experts. “In our opinion, the possibility of compromising eSIM profiles of any operator through a single hacked eUICC or theft of one GSMA eUICC certificate is a serious architectural problem with eSIM in general.”
For discovering these issues, specialists from AG Security Research received $30,000 from Kigen as part of a bug bounty program.
