A newly disclosed vulnerability in eSIM technology has exposed serious risks to mobile subscriber identity security, with researchers from AG Security Research demonstrating the ability to clone eSIM profiles and hijack phone identities, according to Cyber Security News.
The team exploited flaws in Kigen eUICC cards using GSMA consumer certificates, claiming the first public hack of certified GSMA eUICC chips. The attack hinges on type confusion vulnerabilities within Java Cards virtual machine, enabling unauthorized installation of malicious applets via SMS-based OTA protocols. In their most alarming test, the researchers cloned an Orange Poland eSIM profile across two devices, intercepting calls and SMS, including 2FA codes, without alerting the victim. Key mobile operator credentials such as OPc and AMF were extracted, undermining core network authentication. Kigen has since patched affected systems, coordinated updates with GSMA, and shut down test profiles. Despite rapid mitigations, the findings underscore critical concerns for telecom security, especially as eSIMs continue to gain adoption across mobile and IoT platforms.
The team exploited flaws in Kigen eUICC cards using GSMA consumer certificates, claiming the first public hack of certified GSMA eUICC chips. The attack hinges on type confusion vulnerabilities within Java Cards virtual machine, enabling unauthorized installation of malicious applets via SMS-based OTA protocols. In their most alarming test, the researchers cloned an Orange Poland eSIM profile across two devices, intercepting calls and SMS, including 2FA codes, without alerting the victim. Key mobile operator credentials such as OPc and AMF were extracted, undermining core network authentication. Kigen has since patched affected systems, coordinated updates with GSMA, and shut down test profiles. Despite rapid mitigations, the findings underscore critical concerns for telecom security, especially as eSIMs continue to gain adoption across mobile and IoT platforms.
