eSIM Vulnerabilities Allow Card Cloning and User Spying

📟 News

Date: 17/07/2025

Researchers at AG Security Research have discovered vulnerabilities in the eSIM technology used in modern smartphones. The issues affect the eUICC software stack from Kigen, which the vendor says is deployed in billions of devices.

Embedded SIM cards (eSIMs) are becoming increasingly popular: they eliminate the need for physical SIM cards in mobile phones and IoT devices. A core component of the eSIM ecosystem is the eUICC (embedded Universal Integrated Circuit Card), a chip integrated into the device that allows SIM profiles to be installed remotely and several profiles to coexist for connecting to different mobile networks.

According to Kigen data, as of December 2020, approximately two billion such SIM cards were used in IoT devices.

According to the security bulletin released by Kigen last week, the issue affects the GSMA TS.48 Generic Test Profile, version 6.0 and earlier, which is used in eSIM products for radio compliance testing in the telecom industry.

Specifically, the researchers found that some mobile operators supply a "test profile" for the Kigen eUICC that protects eSIM data with a default secret key. Because this key is not unique per device, an attacker with physical access to a device can extract it and then use it to sign and deploy unverified, malicious Java Card applets. Such applets can in turn be used to attack the Java Card virtual machine (VM) that runs on the eUICC chip.

GSMA TS.48 v7.0, released last month, addresses the issue by restricting the use of the test profile and preventing remote applet installation. Earlier versions of the TS.48 specification are now deprecated.

“Successful exploitation of the issue requires a combination of factors. First, the attacker must gain physical access to the target eUICC and use publicly available keys,” explains Kigen. “This will allow them to install a malicious Java Card applet.”

The vulnerability can also be used to extract the Kigen eUICC identity certificate. With it, an attacker could download arbitrary mobile network operator profiles in unencrypted form, read the confidential data they contain, modify them, and deploy them on any eUICC without the operator noticing.

AG Security Research states that this work builds on an earlier analysis it carried out in 2019. At that time, numerous vulnerabilities were found in Oracle Java Card that allowed a persistent backdoor to be deployed. One of the bugs also affected a Gemalto SIM card, which relies on Java Card technology.

Those issues could be exploited to "compromise the memory safety of the base Java Card VM," gain full access to the card's memory, break through the applet firewall, and execute native code.

At the time, however, Oracle representatives stated that these "security concerns" did not affect the production version of the Java Card VM and downplayed the significance of the findings. According to AG Security Research, it has now been demonstrated that those "concerns" were real bugs.

While such attacks may seem complex, the researchers note that they are well within the capabilities of APT groups. The vulnerabilities allow eSIMs to be compromised and cloned, and a hidden backdoor to be installed that intercepts all communications.

Although the current research focuses on Kigen's products, eUICC solutions from other vendors may be vulnerable to similar attacks, since the root cause lies in a series of old vulnerabilities in Java Card.

“A loaded profile can potentially be modified in such a way that the operator loses control over it (unable to manage it remotely, unable to disable or revoke it, and so on). The operator may receive a completely false view of the profile’s status, while all activity can be monitored,” explain the experts. “In our opinion, the possibility of compromising eSIM profiles of any operator through a single hacked eUICC or theft of one GSMA eUICC certificate is a serious architectural problem with eSIM in general.”

For discovering these issues, specialists from AG Security Research received $30,000 from Kigen as part of a bug bounty program.
