https://security-explorations.com/esim-security.html

Cybersecurity researchers have discovered a critical vulnerability in Kigen's eUICC cards, reported to affect over 2 billion IoT devices worldwide, that allows an attacker to install malicious applets and compromise eSIM functionality. The vulnerability, discovered by Security Explorations and rewarded with a $30,000 bounty from Kigen, stems from weaknesses in the GSMA TS.48 Generic Test Profile (versions 6.0 and earlier), a profile shipped in eSIM products for radio compliance testing. The flaw allows unverified, and therefore potentially malicious, Java Card applets to be installed on the embedded SIM.

The attack requires specific conditions, namely physical access to the target eUICC and use of the test profile's keys, which are publicly known, but successful exploitation has severe consequences. An attacker could extract the Kigen eUICC identity certificate, download arbitrary mobile network operator profiles in cleartext, access MNO secrets, and tamper with profiles without detection. The vulnerability also enables the deployment of a persistent backdoor capable of intercepting all communications, leaving operators without control over their profiles and with a false view of profile state.

The issue has been addressed through the release of GSMA TS.48 version 7.0, which restricts the use of the test profile; all earlier versions have been deprecated. Although the attack requires sophisticated capabilities typically associated with nation-state groups, the vulnerability represents a significant weakness in the eSIM architecture that could compromise the security of billions of connected devices across many industries.