Experts Uncover Critical Flaws in Kigen eSIM Technology Affecting Billions
In a shocking discovery, experts at Security Explorations have uncovered critical flaws in Kigen eSIM technology, used in over 2 billion devices worldwide. This revelation exposes smartphones and IoT users to serious security risks, raising concerns about the integrity of eSIM security architecture.
What is an eSIM?
An eSIM (embedded SIM) is a digital version of a traditional SIM card that is built directly into a device, such as a smartphone, tablet, smartwatch, or IoT device. Unlike physical SIM cards, you don't need to insert or swap it manually.
The Role of the eUICC
The eUICC (embedded Universal Integrated Circuit Card) is the software standard defined by the GSMA that runs on the eSIM hardware. The eUICC enables the storage of multiple mobile carrier profiles, allows these profiles to be downloaded and managed remotely, and supports switching between them without the need to replace physical SIM cards.
The Flaws Discovered by Researchers
Researchers successfully hacked Kigen's eUICC card, a security-certified chip used to manage eSIM profiles. The attack revealed that neither eSIM profiles nor Java Card apps stored on the chip are properly isolated or protected. This breach highlights significant risks in eSIM technology and challenges the industry's security assumptions.
The Impact of the Hack
The researchers pointed out that this is likely the first successful public hack against Kigen's eUICC card. The attack required physical access and knowledge of internal keys, though an over-the-air vector cannot be ruled out. This breach has major security implications: it allows attackers to download decrypted eSIM profiles from various mobile network operators (MNOs) without needing to compromise secure hardware.
The Consequences of the Hack
The theft of a GSMA consumer certificate from a compromised Kigen eUICC has significant security implications. It allows attackers to download decrypted eSIM profiles from various MNOs, containing sensitive data like subscriber configurations, authentication keys (OPc, AMF), and Java apps. These apps and profiles can be extracted, analyzed, modified, and reloaded onto other eUICCs without detection by MNOs.
Kigen's Response
On March 20, Kigen confirmed that the company had been notified of the vulnerability on March 17, 2025. The company rewarded the researchers with $30K for their detailed work in identifying the vulnerability, and a 90-day non-disclosure period was agreed.
Avoiding Future Attacks
Kigen has issued an OS patch to address the issue and contributed to the GSMA TS.48 v7.0 specification. The patch has been distributed to all Kigen customers. Even so, this incident highlights the importance of regular security audits and timely updates in protecting against emerging threats.
Conclusion
The discovery of critical flaws in Kigen eSIM technology serves as a wake-up call for the industry. It underscores the need for robust security measures to protect against hacking attempts and ensure the integrity of eSIM security architecture. As the use of eSIMs continues to grow, it is essential that mobile network operators, vendors, security researchers, and security companies work together to address these vulnerabilities.
Stay Safe Online
Follow us on Twitter: @securityaffairs and Facebook for the latest updates on cybersecurity threats and industry developments. Remember to stay informed and take necessary precautions to protect your online security.