Critical Flaws in Kigen eSIM Tech: Billions of Devices at Risk
TL;DR
Security researchers have identified significant vulnerabilities in Kigen’s eSIM technology, potentially impacting over 2 billion devices. These flaws expose smartphones and IoT devices to severe security risks, challenging the industry’s security assumptions.
Critical Flaws in Kigen eSIM Technology Expose Billions of Devices
Security researchers at Security Explorations have uncovered critical vulnerabilities in Kigen’s eSIM technology, which is used in over 2 billion devices. These flaws pose significant security risks to smartphones and IoT devices.
Understanding eSIM and eUICC Technology
An eSIM (embedded SIM) is a digital version of a traditional SIM card integrated directly into devices like smartphones, tablets, smartwatches, and IoT devices. Unlike physical SIM cards, eSIMs do not require manual insertion or swapping. The eUICC (embedded Universal Integrated Circuit Card) is the software standard defined by the GSMA that runs on eSIM hardware. It enables the storage of multiple mobile carrier profiles, remote management, and seamless switching between profiles.
Vulnerabilities in Kigen eUICC Cards
The issues discovered by the researchers specifically affect the Kigen eUICC card. Researchers successfully hacked Kigen’s eUICC card, a security-certified chip used to manage eSIM profiles. The attack revealed that neither eSIM profiles nor Java Card apps stored on the chip are properly isolated or protected. This hack builds on prior Java Card research dismissed by Oracle in 2019, now shown to reveal real vulnerabilities.
Key points highlighted by the researchers:
- This is likely the first successful public hack against:
  - Consumer GSMA eUICC
  - Kigen eSIM (Kigen press releases and web pages implicate over 2 billion SIMs enabled by Kigen secure SIM OS)
  - EAL(**) certified GSMA security chip (SLC37 chip based on 32-bit ARM SecurCore SC300 processor from Infineon)
The attack required physical access and knowledge of internal keys, though an over-the-air vector cannot be ruled out. This breach highlights significant risks in eSIM technology and challenges the industry’s security assumptions.
Implications of the Security Breach
The hack proved that there is no security or isolation for the eSIM profile and Java apps, compromising the eUICC memory content. The researchers developed new exploitation techniques based on their past Java Card research and extensive hacking experience.
“We hope the hack brings eSIM security along with associated security risks to the focus of mobile network operators (MNOs), vendors, security researchers and security companies.”
Researchers extracted the private ECC key from a compromised Kigen eUICC, effectively breaking its cryptographic security. They provided proof of the hack to Kigen on March 17, 2025, which the company confirmed on March 20. The advisory includes two video proofs of concept (Demo 1 and Demo 2) showing the attacks.
Security Implications and Industry Response
The theft of a GSMA consumer certificate from a compromised Kigen eUICC has major security implications. It allows attackers to download decrypted eSIM profiles from various mobile network operators (MNOs), bypassing the need to hack secure hardware. These profiles contain sensitive data like subscriber configurations, authentication keys (OPc, AMF), and Java apps. The apps and profiles can be extracted, analyzed, modified, and reloaded onto other eUICCs without detection by MNOs. This undermines the integrity of eSIM security architecture and reveals a fundamental vulnerability in trusting shared certificates across networks.
On March 31, 2025, Kigen rewarded the researchers with $30K for their detailed work identifying the vulnerability and established a 90-day non-disclosure period.
Kigen disclosed that a vulnerability in GSMA TS.48 Generic Test Profile (v6.0 and earlier), used for eSIM radio compliance testing, allowed non-verified, potentially malicious applets to be installed. The issue was addressed in TS.48 v7.0, which restricts test profile use; earlier versions are now deprecated.
“A vulnerability in the GSMA TS.48 Generic Test Profile (v6.0 and earlier), used in all eSIM products across the industry for radio compliance testing, allows installation of non-verified, and potentially malicious applets. Kigen has issued an OS patch, and contributed to the GSMA TS.48 v7.0 specification.”
The patch has been distributed to all Kigen customers.
Conclusion
The discovery of these vulnerabilities in Kigen’s eSIM technology underscores the need for vigilant security measures in the IoT and mobile industries. As technology advances, continuous research and proactive responses are essential to safeguard billions of devices from emerging threats.