Cybersecurity researchers at AG Security Research have uncovered critical security vulnerabilities in embedded SIM (eSIM) technology that affect Kigen’s eUICC software package. These security flaws potentially expose billions of smartphones and IoT devices worldwide to sophisticated attacks, raising significant concerns about the integrity of modern mobile communications infrastructure.
Understanding the Scope of eSIM Security Vulnerabilities
The eSIM technology has rapidly gained adoption as a replacement for traditional physical SIM cards in mobile devices. At the core of this ecosystem are eUICC (embedded Universal Integrated Circuit Card) chips, which enable remote management of carrier profiles and seamless switching between different mobile networks without physical card replacement.
According to Kigen’s own figures, roughly two billion embedded SIMs had already been deployed in IoT devices by December 2020. The vulnerability lies in the GSMA TS.48 Generic Test Profile specification, version 6.0 and earlier. TS.48 defines the test profile that device makers and labs load onto an eUICC for compliance testing, so it is present across eSIM products from many vendors, not just Kigen’s.
Technical Analysis of the Attack Vector
The researchers found that several mobile carriers distribute TS.48 test profiles for Kigen eUICCs that protect over-the-air (OTA) management traffic with a default, publicly known key. Because the key is not secret, an attacker with physical access to the device can recover it and use it to produce OTA commands the card accepts as authentic, including commands that load and install a malicious Java Card applet on the eUICC.
Successful exploitation of this vulnerability enables attackers to:
- Compromise and clone eSIM profiles from legitimate carriers
- Install hidden backdoors for communication interception
- Access sensitive operator information and credentials
- Load arbitrary profiles onto the card without triggering any detection mechanism
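The following is an added example, written for this article and not code from Kigen, the GSMA or AG Security Research, that models the attack vector described above and the two mitigations discussed later (per-card keys instead of a published default, and refusing applet installation while a test profile is active). Real eUICC OTA commands are protected with SCP80 (ETSI TS 102 225) checksums over 3DES or AES; the HMAC-SHA256 below stands in for that checksum, and the key value, command tags and message layout are constructed for illustration rather than taken from TS.48.

```python
"""
Added example (not code from the article, Kigen, the GSMA or AG Security Research).

Simplified model of OTA command authentication on an eUICC:
- seal() builds a message the way an operator's OTA platform would;
- Card.handle() is the card-side check (MAC, anti-replay counter, command dispatch);
- the three scenario functions contrast a card using a published default key
  with a card using a per-card secret, and with a card that refuses applet
  installation while a test profile is active.

Assumptions: HMAC-SHA256 replaces the real SCP80 checksum; DEFAULT_TEST_KID,
the command tags and the payload bytes are constructed values, not TS.48 data.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for a key value printed in a public test specification,
# i.e. a value every attacker can look up.
DEFAULT_TEST_KID = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")

# Constructed command tags (not real APDU or SCP80 encodings).
CMD_INSTALL_APPLET = 0xE6   # load and install a Java Card applet
CMD_READ_STATUS = 0xF2      # harmless status query

MAC_LEN = 8


def seal(key: bytes, counter: int, cmd: int, payload: bytes) -> bytes:
    """Build an OTA message: counter(5) || cmd(1) || payload || MAC(8)."""
    body = counter.to_bytes(5, "big") + bytes([cmd]) + payload
    mac = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + mac


@dataclass
class Card:
    """Minimal model of the card-side OTA handler."""
    kid: bytes                                  # key used to verify OTA messages
    test_profile_active: bool = False
    counter: int = 0                            # last accepted anti-replay counter
    applets: list = field(default_factory=list)
    allow_applet_install_in_test: bool = True   # pre-v7.0 behaviour: no restriction

    def handle(self, msg: bytes) -> str:
        body, mac = msg[:-MAC_LEN], msg[-MAC_LEN:]
        expected = hmac.new(self.kid, body, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(mac, expected):
            return "rejected: bad MAC"
        counter = int.from_bytes(body[:5], "big")
        if counter <= self.counter:
            return "rejected: replay"
        self.counter = counter
        cmd, payload = body[5], body[6:]
        if cmd == CMD_INSTALL_APPLET:
            if self.test_profile_active and not self.allow_applet_install_in_test:
                return "rejected: applet install blocked under test profile"
            self.applets.append(payload)
            return "installed"
        if cmd == CMD_READ_STATUS:
            return "ok"
        return "rejected: unknown command"


def attacker_forges_install(card: Card, known_key: bytes) -> str:
    """An attacker who knows the key forges an INSTALL with a fresh counter."""
    msg = seal(known_key, card.counter + 1, CMD_INSTALL_APPLET, b"evil.cap")
    return card.handle(msg)


def vulnerable_scenario() -> str:
    # Test profile protected by the published default key: the forgery succeeds.
    card = Card(kid=DEFAULT_TEST_KID, test_profile_active=True)
    return attacker_forges_install(card, DEFAULT_TEST_KID)


def hardened_key_scenario() -> str:
    # Per-card secret that was never published: the attacker still only holds
    # the default value, so the MAC check fails.
    card = Card(kid=secrets.token_bytes(16), test_profile_active=True)
    return attacker_forges_install(card, DEFAULT_TEST_KID)


def hardened_policy_scenario() -> str:
    # Even with the published key, a card that refuses applet installation while
    # a test profile is active blocks the attack (the TS.48 v7.0 approach).
    card = Card(kid=DEFAULT_TEST_KID, test_profile_active=True,
                allow_applet_install_in_test=False)
    return attacker_forges_install(card, DEFAULT_TEST_KID)


if __name__ == "__main__":
    print("default key      :", vulnerable_scenario())
    print("per-card key     :", hardened_key_scenario())
    print("install blocked  :", hardened_policy_scenario())
```

The point the model makes is that the MAC itself is not the weak part; it is the key material. Once the key is a published constant, any party with a channel to the card (here, physical access; in practice also an OTA SMS) can mint commands the card cannot distinguish from the operator's, which is why the fix has to remove either the known key or the dangerous capability rather than strengthen the checksum.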
Connection to Previous Java Card Research
This research builds upon findings from a 2019 analysis that revealed multiple vulnerabilities in Oracle Java Card technology. While Oracle previously downplayed the significance of these issues, claiming they didn’t affect industrial Java Card VM implementations, the current AG Security Research findings demonstrate the real-world impact and severity of these security concerns.
Industry Response and Mitigation Measures
In response to these findings, the GSMA has published TS.48 v7.0, which addresses the issue by restricting how test profiles may be used and by preventing remote applet installation on cards running them; Kigen has adopted it for its eUICC products. All earlier versions of TS.48 have been officially deprecated and are no longer supported, so any test profile still built to v6.0 or earlier should be withdrawn.
Security experts emphasize that eUICC solutions from other vendors may also be vulnerable to similar attacks, as the underlying issue stems from fundamental Java Card security weaknesses. This highlights the need for a comprehensive security architecture review across the entire eSIM technology ecosystem.
Threat Assessment and Real-World Implications
Despite the apparent complexity of these attacks, the researchers warn that they are well within the reach of Advanced Persistent Threat (APT) groups. The most concerning aspect is that a single compromised eUICC, or a stolen GSMA certificate, could be used to obtain eSIM profiles from any carrier, not only the one whose test profile was abused.
The AG Security Research team received a $30,000 bug bounty reward from Kigen for discovering these critical vulnerabilities, underscoring the severity of the security flaws and the importance of their timely remediation.
These eSIM security vulnerabilities represent a significant threat to global mobile infrastructure. Operators, device makers and users should apply the vendor's eUICC updates promptly, stop issuing test profiles based on deprecated TS.48 versions, and follow manufacturer security advisories for embedded SIMs. Only a comprehensive security review of the whole eSIM ecosystem can reduce the risk from attacks that target the fundamental building blocks of modern mobile connectivity.