eSIM Security Flaw Leaves Billions at Risk of Cloning and Remote Exploits
A newly revealed eSIM security flaw could allow attackers to clone digital SIM profiles, hijack communications, and bypass key protections on billions of devices worldwide.
Poland-based Security Exploration successfully breached the Kigen eUICC chip, a common platform for embedded SIM (eSIM) functionality. Major operators like AT&T, T-Mobile, Vodafone, and China Mobile use this chip in mobile phones, IoT devices, and industrial systems.
Their findings show that attackers can extract private certificates, decrypt eSIM profiles, and clone user identities—without relying on physical access in many cases.
What Makes the Flaw So Dangerous?
An eSIM is a digital SIM card stored inside a chip known as an eUICC. Unlike physical SIMs, eSIMs allow remote provisioning and seamless switching between carriers. But that flexibility comes with a major risk.
Researchers discovered that the flaw stems from a vulnerable Java Card virtual machine (JavaCard VM) implementation. This allows attackers to install unverified Java applets using malformed bytecode, bypassing essential validation mechanisms.
Hackers can conduct the attack over the air (OTA), removing the need for physical access to your phone.
“We demonstrated hijacking calls and SMS from legitimate users,” the researchers said, confirming successful cloning of real profiles across multiple operators.
Cloning Demonstrated on Android and Apple Devices
In proof-of-concept testing, the researchers cloned an Orange Poland eSIM profile and uploaded it to new smartphones, including both Android and Apple devices.
They used Kigen certificates to download decrypted profiles from several mobile network operators, including:
- AT&T
- Vodafone
- O2
- Orange
- T-Mobile
- China Mobile
- Bouygues Telecom
The stolen profiles include operator secrets, subscriber data, and encryption keys—material that, in theory, should be impossible to extract from the secure element.
The researchers argue that the vulnerability allows attackers to modify eSIM content without detection. Mobile carriers may not even realize a profile has been tampered with.
Kigen Responds, But Root Issues Remain
Kigen acknowledged the eSIM security flaw and awarded the researchers a $30,000 bug bounty. A patch was issued to customers, addressing some attack vectors by checking JavaCard instructions for anomalies.
However, researchers claim this mitigation does not fix the underlying architectural flaw: the lack of proper control-flow tracking. They say the attack still works in principle.
“This is a fundamental issue in the JavaCard VM itself,” the report states. The team warned GSMA and Oracle’s Java Card team that the entire eSIM ecosystem may be affected—not just Kigen’s product. They emphasized that the surface remains exploitable unless developers enforce full bytecode verification.
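The passage above (and the earlier description of malformed bytecode slipping past validation) comes down to one defensive discipline: a verifier must follow every control-flow path through the bytecode before any of it runs. The toy verifier below is an added illustration of that idea, not Kigen's, Oracle's or the researchers' code. Its instruction set, byte encoding and sample programs are all constructed for this example; a real Java Card verifier tracks operand and local-variable types, not just stack depth, but the control-flow checks it performs are of the same kind: every jump must land on an instruction boundary, every path reaching an offset must agree on the machine state there, and no path may run off the end of the code.

```python
"""Toy bytecode verifier with control-flow tracking.

Added illustration, not Kigen's, Oracle's or the researchers' code. The
instruction set, its byte encoding and the sample programs are constructed
for this example; a real Java Card verifier tracks operand types and local
variables, not just stack depth, but the control-flow discipline is the same.
"""
from collections import deque

# Constructed instruction set: opcode -> (name, operand bytes, pops, pushes)
OPS = {
    0x01: ("PUSH", 1, 0, 1),
    0x02: ("POP", 0, 1, 0),
    0x03: ("ADD", 0, 2, 1),
    0x04: ("DUP", 0, 1, 2),
    0x05: ("JMP", 1, 0, 0),   # unconditional jump to the operand offset
    0x06: ("JZ", 1, 1, 0),    # pop a value, jump to the operand offset if zero
    0x07: ("RET", 0, 1, 0),   # pop the return value and end the path
}
MAX_STACK = 4


class VerifyError(Exception):
    """Raised when the bytecode fails a static check."""


def decode(code: bytes) -> dict:
    """Pass 1: linear decode into {offset: (name, nargs, pops, pushes, operand)}
    for every instruction start. Rejects unknown opcodes and instructions
    whose operand byte runs past the end of the code."""
    insns = {}
    pc = 0
    while pc < len(code):
        op = code[pc]
        if op not in OPS:
            raise VerifyError(f"unknown opcode 0x{op:02x} at offset {pc}")
        name, nargs, pops, pushes = OPS[op]
        if pc + nargs >= len(code):
            raise VerifyError(f"truncated operand for {name} at offset {pc}")
        operand = code[pc + 1] if nargs else None
        insns[pc] = (name, nargs, pops, pushes, operand)
        pc += 1 + nargs
    return insns


def verify(code: bytes) -> bool:
    """Pass 2: abstract interpretation of stack depth along every path reachable
    from offset 0. Jump targets and fall-throughs must land on an instruction
    boundary (never inside an operand byte, never past the end), and every path
    reaching an offset must agree on the stack depth there. Unreachable code is
    never executed, so it is not checked, as in inference-style verifiers."""
    insns = decode(code)
    depth_at = {0: 0}          # stack depth on entry to each visited offset
    work = deque([0])
    while work:
        pc = work.popleft()
        name, nargs, pops, pushes, operand = insns[pc]
        depth = depth_at[pc]
        if depth < pops:
            raise VerifyError(f"stack underflow at offset {pc} ({name})")
        depth = depth - pops + pushes
        if depth > MAX_STACK:
            raise VerifyError(f"stack overflow at offset {pc} ({name})")
        if name == "RET":
            continue                         # this path ends here
        succs = []
        if name in ("JMP", "JZ"):
            succs.append(operand)
        if name != "JMP":
            succs.append(pc + 1 + nargs)     # fall-through successor
        for target in succs:
            if target not in insns:
                raise VerifyError(f"control transfer from {pc} to {target} "
                                  "is not an instruction boundary")
            if target in depth_at:
                if depth_at[target] != depth:
                    raise VerifyError(f"inconsistent stack depth at offset "
                                      f"{target}: {depth_at[target]} vs {depth}")
            else:
                depth_at[target] = depth
                work.append(target)
    return True


def check(code: bytes):
    """(True, 'ok') if the code verifies, else (False, reason)."""
    try:
        return verify(code), "ok"
    except VerifyError as exc:
        return False, str(exc)


# Constructed sample programs: bytes of opcodes and operands
SAMPLES = {
    "straight-line":     bytes([1, 2, 1, 3, 3, 7]),                  # PUSH 2; PUSH 3; ADD; RET
    "balanced branches": bytes([1, 1, 6, 8, 1, 5, 5, 10, 1, 7, 7]),  # both arms reach RET at depth 1
    "jump into operand": bytes([1, 2, 5, 1, 7]),                     # JMP 1 lands inside PUSH's operand
    "stack underflow":   bytes([3, 7]),                              # ADD on an empty stack
    "unbalanced merge":  bytes([1, 1, 6, 8, 1, 9, 1, 9, 1, 3, 7]),   # offset 8 reached at depth 0 and 2
    "falls off the end": bytes([1, 1]),                              # no RET; execution runs past the code
}

if __name__ == "__main__":
    for label, code in SAMPLES.items():
        ok, msg = check(code)
        print(f"{label:20s} {'ACCEPT' if ok else 'REJECT'}: {msg}")
```

The two-pass structure is the point: the first pass fixes the set of legal instruction boundaries, and the second refuses any control transfer that is not in that set, so bytecode cannot steer the interpreter into an operand byte and have it read as an opcode. The merge check is what the passage calls control-flow tracking; a verifier that inspects instructions one at a time without it cannot tell that two paths arrive at the same offset with different machine states.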
Conclusion
The eSIM security flaw highlights serious concerns about the integrity of mobile communications. With over two billion Kigen-based eSIMs in circulation, the risk is widespread and urgent.
Although patches have been issued, experts warn that deeper systemic vulnerabilities remain. As eSIMs become the new standard in mobile connectivity, their hidden complexity could offer nation-states and cybercriminals a powerful new attack vector—one that bypasses hardware and targets the very core of mobile identity.