Critical flaw in Kigen eUICC cards: billions of IoT devices at risk
Author: NEXT2i
Date Published
A major vulnerability has been identified in the eSIM (eUICC) software stack developed by Kigen, an Ireland-based provider whose technology is deployed in over 2 billion IoT devices worldwide. The flaw allows an attacker with physical access to a device to compromise its eUICC, extract the card's private keys and identity certificates, and use them to download or manipulate mobile operator profiles.
The vulnerability, disclosed by the security research firm Security Explorations, calls into question the chain of trust on which the whole eSIM ecosystem relies: an eUICC's certificate is what operator systems use to decide that they are talking to a genuine card.
Technical Details
The issue stems from a standardized component: the Generic Test Profile (GTP) defined by the GSMA TS.48 specification, which is used for radio testing during device certification. Versions of this specification prior to v7.0 carry a significant weakness: the test profile's keys are publicly known, and under those keys the profile allows arbitrary, unverified JavaCard applets to be loaded. Anyone holding the card can therefore authenticate as the profile's issuer and install code on it.
Once a malicious applet is running on the eUICC, it can read data that is supposed to stay isolated from other applications, including the card's private keys and identity certificates. With these credentials in hand, an attacker can impersonate the eUICC towards operator systems and remotely download or modify legitimate eSIM profiles, bypassing the restrictions operators impose on which device may receive which profile.
Exploitation Chain
The attack scenario involves several steps:
Physical access to the target device: a prerequisite for any exploitation, since the applet must be installed over the card interface.
Availability of the Generic Test Profile (GTP): the test profile is often left installed or enabled after the manufacturing or certification phase.
Use of the publicly known GTP keys to install a malicious applet on the eUICC.
Extraction of credentials (private keys and identity certificates) from the eUICC by that applet.
Fraudulent use of the credentials: downloading, modifying, or cloning operator profiles while posing as the compromised eUICC.
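The last step of the chain is worth seeing concretely: why does leaking the eUICC's private key and certificates let an attacker obtain profiles at all? The following is an added example, not code from the page, from Kigen, GSMA or Security Explorations. It is a deliberately simplified model of the GSMA SGP.22 authentication between a profile server (SM-DP+) and an eUICC: the GSMA CI signs the EUM, the EUM signs the eUICC, and the eUICC proves possession of its private key by signing a server challenge. The toy certificate structure, the party names, the EID value and the `ToySMDP` class are all constructed for illustration (real certificates are X.509 and the messages are ASN.1); the `cryptography` package is assumed to be installed.

```python
# Added example: simplified model of eUICC authentication to an SM-DP+.
# Not the page's, Kigen's or GSMA's code. Certificates are toy structures and
# all identities are constructed. Requires the 'cryptography' package.
import os
from dataclasses import dataclass

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

CURVE = ec.SECP256R1()
SIG = ec.ECDSA(hashes.SHA256())


def pub_bytes(pub: ec.EllipticCurvePublicKey) -> bytes:
    """Uncompressed X9.62 point; used as the key identity inside toy certs."""
    return pub.public_bytes(serialization.Encoding.X962,
                            serialization.PublicFormat.UncompressedPoint)


def load_pub(data: bytes) -> ec.EllipticCurvePublicKey:
    return ec.EllipticCurvePublicKey.from_encoded_point(CURVE, data)


@dataclass(frozen=True)
class ToyCert:
    subject: str      # EUM name or eUICC EID (constructed values)
    pubkey: bytes     # subject public key
    signature: bytes  # issuer ECDSA signature over subject || pubkey


def issue(issuer_priv: ec.EllipticCurvePrivateKey, subject: str,
          subject_pub: ec.EllipticCurvePublicKey) -> ToyCert:
    spk = pub_bytes(subject_pub)
    return ToyCert(subject, spk, issuer_priv.sign(subject.encode() + spk, SIG))


def cert_valid(issuer_pub: bytes, cert: ToyCert) -> bool:
    try:
        load_pub(issuer_pub).verify(cert.signature,
                                    cert.subject.encode() + cert.pubkey, SIG)
        return True
    except InvalidSignature:
        return False


class ToySMDP:
    """Profile server stand-in. Trusts only the CI root key and a revocation list."""

    def __init__(self, ci_pub: bytes, revoked_eids=()):
        self.ci_pub = ci_pub
        self.revoked = set(revoked_eids)

    def new_challenge(self) -> bytes:
        return os.urandom(16)

    def authenticate(self, challenge: bytes, eum_cert: ToyCert,
                     euicc_cert: ToyCert, signed_challenge: bytes) -> bool:
        # Chain CI -> EUM -> eUICC, then proof of possession of the eUICC key.
        if not cert_valid(self.ci_pub, eum_cert):
            return False
        if not cert_valid(eum_cert.pubkey, euicc_cert):
            return False
        if euicc_cert.subject in self.revoked:
            return False
        try:
            load_pub(euicc_cert.pubkey).verify(signed_challenge, challenge, SIG)
            return True
        except InvalidSignature:
            return False


def run_scenarios() -> dict:
    """Accept/reject outcomes for four constructed parties."""
    ci = ec.generate_private_key(CURVE)
    eum = ec.generate_private_key(CURVE)
    euicc_key = ec.generate_private_key(CURVE)      # plays the role of SK.EUICC
    eid = "EID-CONSTRUCTED-0001"
    eum_cert = issue(ci, "EUM-CONSTRUCTED", eum.public_key())
    euicc_cert = issue(eum, eid, euicc_key.public_key())
    server = ToySMDP(pub_bytes(ci.public_key()))

    # The page's scenario: a malicious applet dumps the private scalar, and the
    # attacker rebuilds a working key from it on their own hardware.
    leaked_scalar = euicc_key.private_numbers().private_value
    clone_key = ec.derive_private_key(leaked_scalar, CURVE)

    def attempt(signer: ec.EllipticCurvePrivateKey, smdp: ToySMDP) -> bool:
        ch = smdp.new_challenge()
        return smdp.authenticate(ch, eum_cert, euicc_cert, signer.sign(ch, SIG))

    return {
        "genuine_euicc": attempt(euicc_key, server),
        # Indistinguishable from the genuine card: same certs, same key.
        "clone_with_extracted_key": attempt(clone_key, server),
        # Certificates alone are useless; a fresh key fails proof of possession.
        "certs_without_private_key": attempt(ec.generate_private_key(CURVE), server),
        # Only revoking the leaked identity on the server side stops the clone.
        "after_eid_revoked": attempt(clone_key, ToySMDP(pub_bytes(ci.public_key()), {eid})),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'ACCEPTED' if accepted else 'REJECTED'}")
```

The model makes the page's point explicit: the server has no way to tell the clone from the original, because the eUICC's identity is nothing more than possession of its private key behind a CI-rooted certificate. Nothing in the protocol itself helps once that key has left the chip; only revocation of the affected identity on the operator side does, which is why disclosure to the GSMA and the operators matters as much as the firmware fix.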
Potential Consequences
The impacts of this vulnerability are severe, particularly in targeted attacks or large-scale espionage:
Digital identity theft: a compromised eUICC can be cloned, since its identity is entirely contained in the extracted keys and certificates.
Manipulation of mobile communications by modifying or replacing operator profiles on the device.
Surveillance of users through profiles and communication channels under the attacker's control.
Large-scale abuse, since extracted credentials can be reused against operator systems and other devices.
References to Past Vulnerabilities
This flaw continues a line of research published by the same firm in 2019, when Security Explorations disclosed JavaCard vulnerabilities affecting SIM cards from vendors such as Gemalto.
Corrective Measures
In response to this threat, several actions have been taken:
The GSMA has published TS.48 v7.0, which addresses the identified weakness in the Generic Test Profile.
Kigen has issued a security bulletin and strongly recommends that its customers update their eUICC firmware.
Earlier versions of the TS.48 test profile are now obsolete and should no longer be used in testing processes.
Conclusion
This vulnerability highlights a structural weakness in the eSIM ecosystem, in particular in its certification and testing processes. It shows that without rigorous control over access to test profiles and strict management of the keys that protect them, the security of the entire mobile chain can be compromised: a test artefact that was never meant to ship becomes the entry point to the card's most sensitive material.
Enterprises, device manufacturers, and operators must act quickly by applying the available updates and adopting the latest recommendations from the GSMA and Kigen. In practice this also means confirming that devices leave the factory with any test profile removed or disabled, and that the fix actually reaches eUICCs already in the field, where firmware cannot always be updated remotely.