A security research team has found a flaw in eSIM tech that could let attackers install malicious code, steal operator secrets, and hijack mobile profiles – all without raising alarms.
The problem affects Kigen’s eUICC card, which powers digital SIMs in many phones and IoT devices. According to the company, more than two billion SIMs had been enabled by the end of 2020.
The issue was discovered by Security Explorations, a Polish research lab. Kigen confirmed the flaw and paid the group a $30,000 bug bounty.
eSIMs work without physical cards. Instead, the SIM is stored on a chip in the device – known as an eUICC – and lets users switch mobile plans remotely. Operators can add or manage profiles over the air, making it more flexible than standard SIM cards.
But that flexibility comes with risks. The vulnerability lies in older versions (6.0 and below) of a test profile specification known as GSMA TS.48, which is used for radio testing. Kigen said the flaw could allow someone with physical access to a device to install a rogue applet using public keys. The malicious applet could then take over key parts of the SIM’s software.
Kigen said the fix is included in version 7.0 of the GSMA test profile spec, which now limits how the test profile can be used. All older versions have been deprecated.
If exploited, the flaw could let attackers extract the eUICC’s identity certificate. That opens the door to much more serious attacks – like downloading operator profiles in plaintext, accessing sensitive MNO secrets, and tampering with how profiles are installed and managed. In some cases, attackers could slip in profiles without detection.
The researchers said this builds on earlier work from 2019, when they found bugs in Oracle’s Java Card system. That earlier research showed it was possible to break into a SIM’s memory, bypass its internal security walls, and run unauthorised code. Some of those bugs also affected SIM cards made by Gemalto.
At the time, Oracle downplayed the findings, saying they didn’t affect Java Card products in real-world use. But Security Explorations now says the flaws are real and tied directly to current eSIM threats.
While the need for physical access might sound like a high bar for attackers, the team says it’s not out of reach for well-resourced actors – including nation-state groups. With the right conditions, an attacker could use the flaw to plant a backdoor inside an eSIM, monitor user activity, and bypass the remote controls meant to protect the card.
One of the risks is that the attacker could modify a downloaded SIM profile in a way that prevents the operator from disabling it or even seeing what’s happening. “The operator can be provided with a completely false view of the profile state,” the research team said, “or all of its activity can be subject to monitoring.”
A single stolen certificate – or one compromised eUICC – could be enough to spy on eSIM profiles from any operator. The researchers say this points to a deep flaw in how the eSIM system is built.