AG Security Research researchers have discovered vulnerabilities in the eSIM technology used in modern smartphones. The issues impact the eUICC software package by Kigen, which is used by billions of devices.
Embedded SIM cards (eSIMs) are becoming increasingly popular. They eliminate the need for physical SIM cards in mobile phones and IoT devices. One of the essential components of the eSIM ecosystem is the eUICC (embedded Universal Integrated Circuit Card) chips, which are integrated into the device, allowing remote SIM card installations and the use of multiple profiles for connecting to various mobile networks.
According to Kigen data, as of December 2020, approximately two billion such SIM cards were used in IoT devices.
According to the security bulletin released by Kigen last week, the issue discovered by experts affects the GSMA TS.48 Generic Test Profile, version 6.0 and earlier, which is used in eSIM products for compliance testing in telecommunications.
In fact, researchers discovered that some mobile operators supply a “test profile” for eUICC Kigen, which uses a default secret key to protect eSIM data. This secret key can be extracted from a device that an attacker has physical access to, and can subsequently be used to sign and deploy unverified and malicious Java Card applets. Such applets can be used to attack the Java Card VM virtual machine that runs on the eUICC chip.
GSMA TS.48 v7.0, released last month, addresses the issue by limiting the use of the test profile and preventing the installation of remote applets. Other versions of the TS.48 specification are no longer in use.
“Successful exploitation of the issue requires a combination of factors. First, the attacker must gain physical access to the target eUICC and use publicly available keys,” explains Kigen. “This will allow them to install a malicious Java Card applet.”
The vulnerability may also facilitate the extraction of the Kigen eUICC identification certificate, allowing arbitrary mobile network operator profiles to be downloaded in an unencrypted form, gain access to confidential information, modify these profiles, and deploy them on any eUICC (without detection by the operator).
AG Security Research states that this study is based on the results of a previous analysis conducted in 2019. At that time, numerous vulnerabilities were discovered in Oracle Java Card, which allowed for the deployment of a persistent backdoor. One of the bugs also affected Gemalto SIM, which relies on Java Card technology.
These issues could be exploited to “compromise the memory safety of the base Java Card VM,” gain full access to the card’s memory, breach the applet firewall, and execute native code.
However, at the time, representatives from Oracle stated that these “security concerns” did not affect the industrial version of Java Card VM and also attempted to downplay the significance of the issue. According to AG Security Research, it is now proven that these “concerns” were indeed real bugs.
While such attacks may seem complex, researchers assure that this is well within the capabilities of APT groups. The vulnerabilities allow for the compromise and cloning of eSIMs, as well as the installation of a hidden backdoor that intercepts all communications.
Although the current research focuses on Kigen solutions, eUICC solutions from other vendors may also be vulnerable to similar attacks, as the main issue is linked to a series of old vulnerabilities in Java Card.
“A loaded profile can potentially be modified in such a way that the operator loses control over it (unable to manage it remotely, unable to disable or revoke it, and so on). The operator may receive a completely false view of the profile’s status, while all activity can be monitored,” explain the experts. “In our opinion, the possibility of compromising eSIM profiles of any operator through a single hacked eUICC or theft of one GSMA eUICC certificate is a serious architectural problem with eSIM in general.”
For discovering these issues, specialists from AG Security Research received $30,000 from Kigen as part of a bug bounty program.
2025.04.04 — Privilege escalation vulnerability in Google Cloud resulting in sensitive data leaks finally patched
Tenable Research revealed details of a recently patched privilege escalation vulnerability in Google Cloud Platform (GCP) Cloud Run enabling an attacker to gain access to container images…
Full article →
2025.02.08 — Hackers exploit RCE vulnerability in Microsoft Outlook
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned Federal Civilian Executive Branch (FCEB) Agencies that they have to secure their systems from ongoing…
Full article →
2025.03.24 — Alexa to stop processing data locally. All voice requests will be sent to Amazon Cloud
Amazon announced that the privacy option allowing users of Echo speakers to avoid sending their voice recordings to the company's cloud will no longer be supported. Effective March…
Full article →
2025.02.17 — Dutch police seize 127 servers belonging to Zservers hosting provider
Following the introduction of international sanctions against Zservers, Russian 'bulletproof' hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.…
Full article →
2025.01.23 — Fake Telegram CAPTCHA forces users to run malicious PowerShell scripts
Hackers used the news of Ross Ulbricht pardoning to lure users to a rogue Telegram channel where they are tricked into running malicious PowerShell code. This…
Full article →
2025.02.07 — 768 vulnerabilities were exploited by hackers in 2024
According to VulnCheck, 768 CVEs were registered as exploited in real-life attacks in 2024. This is 20% greater compared to 2023 when hackers exploited 639 vulnerabilities. Interestingly,…
Full article →
2025.03.05 — Polish Space Agency disconnects its network due to hacker attack
Last weekend, the Polish Space Agency (POLSA) had to disconnect all of its systems from the Internet to localize an attack targeting its IT infrastructure. After discovering the intrusion,…
Full article →
2025.02.14 — 12,000 Kerio Control firewalls remain vulnerable to RCE
Security experts report that more than 12,000 GFI Kerio Control firewall instances remain vulnerable to the critical RCE vulnerability CVE-2024-52875, which was fixed…
Full article →
2025.01.26 — Cisco patched a critical vulnerability in Meeting Management
Cisco released updates to fix a critical (CVSS score: 9.9) vulnerability in Meeting Management. The bug enables an unprivileged remote authenticated attacker to gain administrative privileges. The vulnerability…
Full article →
2025.01.22 — Fake Homebrew Infects macOS and Linux Machines with infostealer
Attackers use Google ads to disguise themselves as the Homebrew website and distribute malware targeting Mac and Linux systems and stealing logon credentials, browser data, and cryptocurrency wallets.…
Full article →