A newly disclosed vulnerability in Kigen’s eUICC cards has exposed potentially billions of IoT devices to malicious attacks through flaws in eSIM profile management.
The issue affects older versions of the GSMA TS.48 Generic Test Profile, used for radio compliance testing in eSIM-enabled hardware.
The vulnerability allows attackers with physical access and knowledge of publicly available keys to install malicious JavaCard applets on affected eUICCs.
In more severe cases, it could enable the extraction of device identity certificates and unauthorized profile downloads, jeopardizing the confidentiality of mobile network operator (MNO) data and potentially allowing full interception of communications.
“Successful exploitation requires a combination of specific conditions,” Kigen said.
“This enables the attacker to install a malicious JavaCard applet.”
Flawed Test Profile Now Patched
Researchers at Security Explorations uncovered the flaw and were awarded a $30,000 bounty by Kigen for their responsible disclosure.
According to their analysis, the bug originates from GSMA TS.48 versions 6.0 and earlier, which failed to block unverified applet installation. Exploitation could allow an attacker to override profile state visibility and even disable an operator’s ability to remotely manage or deactivate the eSIM.
In response, Kigen issued an operating system security patch and collaborated with GSMA to revise the test profile specification.
The updated TS.48 v7.0 Generic eUICC Test Profile for Device Testing, published on June 18, addresses the vulnerability by:
- Blocking JavaCard applet installation in test profiles
- Restricting remote applet management (RAM) keys unless explicitly requested
- Randomizing keys for all future profile shipments requiring RAM
Industry-Wide Impact and Mitigation
Though exploitation requires hands-on access, experts caution that nation-state threat actors could feasibly mount such attacks to deploy persistent backdoors on targeted eSIMs.
According to Security Explorations, the vulnerability builds on earlier findings from 2019, which identified related weaknesses in Oracle Java Card implementations.
Oracle has historically downplayed these flaws, but researchers assert that the latest findings prove the issues are more serious than originally acknowledged.
“The operator can be provided with a completely false view of the profile state. All of its activity can be subject to monitoring,” the research lab noted.
Kigen has since shared its security improvements with GSMA and the wider industry. The company says it will continue evolving its protections as part of an ongoing security effort.