Researchers Breach eSIM Chip Used in Billions of Devices

A serious flaw in a widely deployed eSIM chip may put billions of devices at risk of cloning and unauthorized tracking. Security Explorations, a Polish research team, found a way to break into Kigen's eUICC, the chip that stores the digital SIM profiles used by carriers including AT&T, Vodafone, and T-Mobile.

The team extracted decrypted eSIM profiles along with the certificates and keys that protect them. With that material an attacker could clone a subscriber's SIM profile, intercept the calls and messages meant for the victim, and do so while evading detection. The same chip is found in many phones and IoT devices.

Kigen said the issue has been patched and paid the researchers a $30,000 bug bounty. The team, however, found deeper issues in the Java Card VM the chip runs on, and said the patch added surface-level checks without fixing the underlying problem.

The report shows that the attack can be carried out remotely once the private keys have leaked. Kigen maintains that physical access to the chip is required, but the researchers point to the over-the-air protocols that allow remote profile updates, a standard part of eSIM systems, as a way the same attack could reach a device without physical access.

The team duplicated a working eSIM profile from Orange Poland and loaded it onto another device, and said similar attacks are likely to work against other operators. The profiles contain sensitive network settings and security data.

Kigen's chips back over two billion eSIMs. The researchers say many profiles could be exposed unless the flaw is addressed at a deeper level, and they have notified the GSMA and Oracle's Java Card group. No major mobile brands were named in the test.


Notes: This post was edited/created using GenAI tools. Image: DIW-Aigen.
