Critical eSIM Security Flaw in Kigen Chips Exposes Billions of Devices to Cloning and Spy Attacks
- Rex

- Jul 18

A major eSIM security flaw has been uncovered in technology used by over two billion devices worldwide, including smartphones, wearables, tablets, and IoT products. Researchers revealed that Kigen's eUICC implementation of the GSMA TS.48 Generic Test Profile (versions 6.0 and below) harbored a critical flaw that could allow an attacker with brief physical access to a device to install malicious JavaCard applets without the user noticing. These applets can read sensitive identity keys, clone eSIM profiles, and allow calls and text messages to be intercepted remotely, potentially including two-factor authentication (2FA) codes, all while the user remains unaware. More troubling, the researchers succeeded in cloning an active eSIM profile belonging to Orange Poland and received messages that had been sent to the original phone.
The vulnerability stems from long-known weaknesses in the JavaCard virtual machine, specifically type confusion issues that were never patched in eUICC implementations. Although exploitation requires physical access to the target eSIM, an eSIM compromised this way can afterwards be managed remotely via over-the-air (OTA) provisioning, so compromised devices can later be turned into tools for surveillance and fraud. In response, Kigen has issued a fix aligned with the updated GSMA TS.48 v7.0, which blocks the installation of applets through the test profile, disables Remote Applet Management (RAM) key access, and randomizes the test keysets. All partners are said to have received the update, and Kigen awarded the researchers a $30,000 bug bounty.
While the eSIM security flaw is not easy to exploit, given its physical access requirement and its dependence on specific Kigen eSIM configurations, the widespread presence of these chips raises significant concerns for user privacy and national security. Analysts stress that consumers and companies should apply firmware updates, confirm with their device vendor or carrier that the patch has been installed, and move away from SMS-based 2FA in favor of app-based authentication.
