
IoT Devices at Risk: eSIM Flaw Found in Kigen eUICC Cards

A newly disclosed vulnerability in Kigen eUICC cards exposes potentially billions of IoT devices to attack through a flaw in eSIM profile management. The weakness allows a malicious JavaCard applet to be installed on the card, jeopardizing the confidentiality of mobile network operator data and allowing interception of communications. Kigen has released an operating system security patch, and the GSMA has revised the affected test profile specification.


A newly disclosed vulnerability in Kigen's eUICC cards has exposed potentially billions of IoT devices to malicious attacks through flaws in eSIM profile management. The issue affects older versions of the GSMA TS.48 Generic Test Profile, which is used for radio compliance testing of eSIM-enabled hardware. An attacker with physical access to the device and knowledge of the test profile's publicly available keys can install malicious JavaCard applets on an affected eUICC.

In the more severe scenarios it could enable the extraction of the device's identity certificate and unauthorized profile downloads, jeopardizing the confidentiality of mobile network operator (MNO) data and potentially allowing full interception of communications. “Successful exploitation requires a combination of specific conditions,” Kigen said. “This enables the attacker to install a malicious JavaCard applet.”

Researchers at Security Explorations uncovered the flaw and were awarded a $30,000 bounty by Kigen for their responsible disclosure. According to their analysis, the bug originates in GSMA TS.48 versions 6.0 and earlier, which did not block the installation of unverified applets. Exploitation could allow an attacker to alter what the operator sees of the profile's state and even disable the operator's ability to remotely manage or deactivate the eSIM.

In response, Kigen issued an operating system security patch and worked with the GSMA to revise the test profile specification. The updated TS.48 v7.0 Generic eUICC Test Profile for Device Testing, published on June 18, addresses the vulnerability by:

- blocking JavaCard applet installation in test profiles;
- restricting remote applet management (RAM) keys unless explicitly requested;
- randomizing the keys for all future profile shipments that require RAM.

Although exploitation requires hands-on access to the device, experts caution that nation-state threat actors could feasibly mount such attacks to deploy persistent backdoors on targeted eSIMs. According to Security Explorations, the vulnerability builds on its 2019 findings, which identified related weaknesses in Oracle's Java Card implementation. Oracle has historically downplayed those flaws, but the researchers assert that the latest findings show the issues are more serious than originally acknowledged.

The theft of a GSMA consumer certificate, together with its private key, from a compromised Kigen eUICC has major security implications. It allows an attacker to download eSIM profiles from various mobile network operators (MNOs) in decrypted form, without having to attack the secure hardware of each target. These profiles contain sensitive data such as the subscriber configuration, authentication parameters (OPc, AMF) and Java applications. The applications and profiles can be extracted, analyzed, modified and reloaded onto other eUICCs without detection by the MNOs. This undermines the integrity of the eSIM security architecture and exposes a fundamental weakness in a model in which every operator trusts the same shared set of certificates.

The researchers were able to extract the private ECC key from a compromised Kigen eUICC, effectively breaking the cryptographic security on which the card's identity rests.
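To make the last two paragraphs concrete, the following is an added example, not Kigen's, the GSMA's or Security Explorations' code. It is a deliberately simplified model of a bound profile package: the SM-DP+ agrees a session key against the eUICC's long-term ECC public key and encrypts the profile to it, and whoever holds the matching private key can open every profile any operator binds to that key. The curve (P-256), the use of SHA-256 as the key derivation step, the AES-GCM framing and the two "MNO-A"/"MNO-B" profile strings are assumptions made for illustration; the real SGP.22 protocol adds certificate checks, a standardised KDF and MACs that are omitted here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// BoundProfile models, for this added example (not Kigen's or the GSMA's code),
// the package an SM-DP+ ships to one specific eUICC.
type BoundProfile struct {
	EphPub     []byte // SM-DP+ ephemeral public key, uncompressed P-256 point
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM over the profile, EphPub as associated data
}

// newKey models an ECC key pair generated inside the secure element.
func newKey() *ecdh.PrivateKey {
	k, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable entropy: nothing sensible to continue with
	}
	return k
}

// sessionAEAD runs ECDH and derives AES-256-GCM from the shared secret.
// Assumption: SHA-256 of the raw secret stands in for the real KDF.
func sessionAEAD(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BindProfile is the SM-DP+ side: only the holder of the private key matching euiccPub can open the result.
func BindProfile(euiccPub *ecdh.PublicKey, profile []byte) (*BoundProfile, error) {
	eph := newKey()
	gcm, err := sessionAEAD(eph, euiccPub)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	return &BoundProfile{EphPub: ephPub, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, profile, ephPub)}, nil
}

// UnbindProfile is the receiving side: the legitimate eUICC, or anyone holding
// a copy of its private key. Any other key fails the GCM tag check.
func UnbindProfile(priv *ecdh.PrivateKey, bp *BoundProfile) ([]byte, error) {
	ephPub, err := ecdh.P256().NewPublicKey(bp.EphPub)
	if err != nil {
		return nil, err
	}
	gcm, err := sessionAEAD(priv, ephPub)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, bp.Nonce, bp.Ciphertext, bp.EphPub)
}

// Demo binds constructed sample profiles from two operators to one eUICC, opens them
// with the attacker's extracted copy of that key, and checks an unrelated eUICC key is rejected.
func Demo() (recovered []string, otherRejected bool, err error) {
	victim, other := newKey(), newKey() // victim's key is the one the attacker extracted
	for _, p := range []string{"MNO-A profile (constructed sample)", "MNO-B profile (constructed sample)"} {
		bp, err := BindProfile(victim.PublicKey(), []byte(p))
		if err != nil {
			return nil, false, err
		}
		pt, err := UnbindProfile(victim, bp) // attacker replays the stolen key
		if err != nil {
			return nil, false, err
		}
		recovered = append(recovered, string(pt))
		if _, err := UnbindProfile(other, bp); err == nil {
			return nil, false, fmt.Errorf("unrelated key opened a profile bound to another eUICC")
		}
	}
	return recovered, true, nil
}

func main() {
	recovered, otherRejected, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("attacker recovered:", recovered, "| unrelated key rejected:", otherRejected)
}
```

Running it shows both operators' profiles recovered with the stolen key while the unrelated key fails the tag check. That asymmetry is the point of the paragraphs above: the profile protection is only as strong as the secrecy of the eUICC's private key, and nothing in the download path itself distinguishes the genuine card from an attacker replaying its extracted key and certificate. The test-profile applet installation that leaked the key in the first place is not modelled here.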
