Researchers from the Polish lab Security Explorations have cracked an eSIM chip from Kigen, opening the way for mass cloning of numbers, theft of SMS codes and installation of malicious applets. The vulnerability affects more than 2 billion eSIM profiles worldwide, from T-Mobile to China Mobile.
The researchers say they managed to extract certificates and decrypt eSIM profiles, including those of *Orange, AT&T, Vodafone, Bouygues, T-Mobile, O2 and others*. The attack can be carried out with physical access and, potentially, remotely over the air (OTA) using the SMS-PP protocol.
At the core of the attack are a weakness in the GSMA TS.48 standard and the Java Card VM implementation in Kigen's ECu10.13 product. Together they allow an attacker to clone an eSIM and intercept calls and SMS, including OTP codes; modify the contents of an eSIM profile before it is downloaded to the smartphone; steal operator keys and configuration, including AMF/OPc; and use the eSIM as a backdoor for system-level surveillance.
Kigen acknowledged the issue and paid a $30,000 bounty, but stated that an attacker would need physical access and knowledge of the keys, which partly undercuts the remote-attack scenario. It should be noted, however, that the vulnerability is not confined to Kigen: it lies in the Java Card architecture itself, which most vendors use. Kigen moved quickly to patch the problem with bytecode checks, but did not implement execution-flow control, a key requirement for virtual machine security.
This hack shows that the eSIM architecture is complex but not very secure. Given how widespread the technology is, the risk of global data interception and surveillance rises significantly. Even without a full compromise of the device, an eSIM can become a channel of control for states, hacking groups and spyware.