Security Affairs
Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Experts uncover critical flaws in Kigen eSIM technology affecting billions

Experts devised a new hack targeting Kigen eSIM tech, used in over 2B devices, exposing smartphones and IoT users to serious security risks. Researchers at Security Explorations uncovered a new hacking method exploiting flaws in Kigen’s eSIM tech, affecting billions of IoT devices. An eSIM (embedded SIM) is a digital version of a traditional SIM […]

eSim

Experts devised a new hack targeting Kigen eSIM tech, used in over 2B devices, exposing smartphones and IoT users to serious security risks.

Researchers at Security Explorations uncovered a new hacking method exploiting flaws in Kigen’s eSIM tech, affecting billions of IoT devices.

An eSIM (embedded SIM) is a digital version of a traditional SIM card that is built directly into a device, like a smartphone, tablet, smartwatch, or IoT device. Unlike physical SIM cards, you don’t need to insert or swap it manually. The eUICC (embedded Universal Integrated Circuit Card) is the software standard defined by the GSMA that runs on the eSIM hardware.

The eUICC enables the storage of multiple mobile carrier profiles, allows these profiles to be downloaded and managed remotely, and supports switching between them without the need to replace physical SIM cards.

The issues discovered by the researchers impact the Kigen eUICC card.

Researchers successfully hacked Kigen’s eUICC card, a security-certified chip used to manage eSIM profiles. The attack revealed that neither eSIM profiles nor Java Card apps stored on the chip are properly isolated or protected. The hack builds on prior Java Card research dismissed by Oracle in 2019, now shown to reveal real vulnerabilities.

The researchers pointed out that this is likely the first successful public hack against:

  • consumer GSMA eUICC
  • Kigen eSIM (Kigen press releases and web pages implicate over 2 billion SIMs enabled by Kigen secure SIM OS)
  • EAL(**) certified GSMA security chip (SLC37 chip based on 32-bit ARM SecurCore SC300 processor from Infineon)

The attack required physical access and knowledge of internal keys, though an over-the-air vector cannot be ruled out. This breach highlights significant risks in eSIM technology and challenges the industry’s security assumptions.

“The hack proves no security / isolation for the eSIM profile and Java apps (no security for eUICC memory content). It’s worth to note that while this work builds on our past Java Card research from 2019 (along [25] [years] [of] [Java] [hacking] experience), it required development of some new exploitation techniques / know-how.” reads the advisory published by Security Explorations.

“We hope the hack brings eSIM security along associated security risks to the focus of mobile network operators (MNOs), vendors, security researchers and security companies.”

Researchers were able to extract the private ECC key from a compromised Kigen eUICC, effectively breaking its cryptographic security. They provided proof of the hack to Kigen on March 17, 2025, which the company confirmed on March 20. The advisory includes videos PoC [1, 2] of the attacks showing both the simulated over-the-air app installation leading to the compromise and the extraction of the card’s identity certificate and private key.

The theft of a GSMA consumer certificate from a compromised Kigen eUICC has major security implications. It allows attackers to download decrypted eSIM profiles from various mobile network operators (MNOs), bypassing the need to hack secure hardware. These profiles contain sensitive data like subscriber configurations, authentication keys (OPc, AMF), and Java apps. The apps and profiles can be extracted, analyzed, modified, and reloaded onto other eUICCs without detection by MNOs. This undermines the integrity of eSIM security architecture and reveals a fundamental vulnerability in trusting shared certificates across networks.

On Mar 31, 2025, Kigen rewarded the researchers with $30K “for the detailed work we have performed to identify the vulnerability and to establish a 90-day non-disclosure period”.

Kigen disclosed that a vulnerability in GSMA TS.48 Generic Test Profile (v6.0 and earlier), used for eSIM radio compliance testing, allowed non-verified, potentially malicious applets to be installed. The issue was addressed in TS.48 v7.0, which restricts test profile use; earlier versions are now deprecated.

“A vulnerability in the GSMA TS.48 Generic Test Profile (v6.0 and earlier), used in all eSIM products across the industry for radio compliance testing, allows installation of non-verified, and potentially malicious applets. Kigen has issued an OS patch, and contributed to the GSMA TS.48 v7.0 specification.” reads Kigen’s advisory. “The patch has been distributed to all Kigen customers.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, eUICC)