Critical eSIM Flaw Exposes Billions to Identity Hijacking

Aug 12, 2025, written by Syarif
A serious vulnerability in eSIM technology has been exposed by researchers at AG Security Research. They successfully breached the security of Kigen’s eUICC cards, which are protected by GSMA consumer certificates and EAL certifications. This marks the first public demonstration of a successful hack against GSMA-certified eUICC chips used in consumer mobile devices.
The researchers extracted private ECC keys from compromised eUICC cards and were able to download eSIM profiles from major mobile network providers such as AT&T, Vodafone, O2, Orange, and T-Mobile. Alarmingly, the profiles were retrieved in unencrypted format. This vulnerability could allow one leaked certificate to access any mobile operator’s eSIM profiles globally, potentially affecting over two billion devices using Kigen's secure SIM OS.
In a live demonstration conducted in July 2025 on Orange Poland’s network, researchers installed identical eSIM profiles on two physical cards. When the cloned device was activated, it immediately received all calls, SMS messages, and two-factor authentication codes intended for the legitimate user. The user remained completely unaware of the interception.
The attack hinges on deep flaws within the Java Card Virtual Machine, particularly type confusion vulnerabilities similar to those disclosed in 2019. The team created a proof of concept that mimicked malicious applet installation over the OTA SMS-PP protocol. This allowed them to bypass security mechanisms such as EAL4/5 certification, countermeasures against side-channel attacks, and built-in protections in the Java Card runtime environment.
Two critical components normally safeguarded by network providers were compromised during the attack: the OPc key and the Authentication Management Field (AMF). These elements are essential for mobile authentication and should never be exposed under standard conditions.
To respond to the breach, Kigen implemented type safety checks across approximately 180 Java Card bytecode instructions. The company also coordinated with GSMA to update the TS.48 Generic Test Profile specifications and issued patches to millions of affected eSIMs. GSMA, for its part, shut down test profiles and released new application notes aimed at preventing unauthorized app installations via Java Card.
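To make that mitigation concrete, here is an added example (not code from the article, AG Security Research or Kigen) of what a per-instruction type check buys: a toy stack-bytecode interpreter whose operand stack carries a type tag, with hypothetical opcodes push_int, new_array and aload. With the tags ignored, an integer can be spent as an array reference; with them enforced, the same bytecode is refused before any memory is read.

```python
# Added illustration, not code from the article, AG Security Research or Kigen:
# a toy bytecode interpreter whose operands carry a type tag, modelled on the
# per-instruction type checks the article says Kigen added. Opcodes are hypothetical.

class TypeConfusion(Exception):
    """Raised when an instruction gets an operand of the wrong type."""

def run(program, check_types=True):
    """Run (opcode, arg) pairs on a stack of (tag, value) entries; return the stack.
    With check_types=False the bytecode's claimed types are trusted."""
    heap = {0x10: [0x5EC, 0x4E7]}  # constructed: an array the program did not allocate
    stack = []

    def pop(expected):
        tag, value = stack.pop()
        if check_types and tag != expected:
            raise TypeConfusion(f"{expected} expected, found {tag}")
        return value

    for op, arg in program:
        if op == "push_int":        # push an integer constant
            stack.append(("int", arg))
        elif op == "new_array":     # allocate arg zeros, push its reference
            ref = max(heap) + 1
            heap[ref] = [0] * arg
            stack.append(("aref", ref))
        elif op == "aload":         # stack: ..., aref, int -> ..., int
            idx = pop("int")
            ref = pop("aref")
            stack.append(("int", heap[ref][idx]))
        else:
            raise ValueError(f"unknown opcode {op}")
    return stack

# Constructed program: no array is allocated, yet an integer equal to a heap
# address is handed to aload as though it were a reference.
FORGED_REF = [("push_int", 0x10), ("push_int", 1), ("aload", None)]

def unchecked():
    """Trusting interpreter: the forged reference reads the foreign array."""
    return run(FORGED_REF, check_types=False)

def checked():
    """Type-checked interpreter: the same bytecode is refused before the read."""
    try:
        run(FORGED_REF, check_types=True)
    except TypeConfusion as err:
        return str(err)
    return None
```

A well-formed program (new_array followed by aload) still runs under the checked interpreter, so the check costs legitimate bytecode nothing.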
Source: AG Security Research & cybersecuritynews.com