A critical security flaw in Kigen’s eUICC cards has put billions of IoT devices at risk. Researchers have revealed that this vulnerability could enable attackers to clone SIM profiles and intercept sensitive communications on a massive scale.
The mobile security industry has been deeply shaken by this discovery. Experts warn that the flaw could allow malicious actors to bypass operator controls and gain persistent access to targeted devices.
How does the Kigen eSIM vulnerability work?
The vulnerability stems from weaknesses in the GSMA TS.48 Generic Test Profile, versions 6.0 and earlier. These profiles, used for radio compliance testing of eSIM products, have now been deprecated in favor of a more secure version.
To exploit the flaw, attackers must gain physical access to the target eUICC and use publicly known keys. This enables them to install unverified, potentially malicious JavaCard applets directly onto the chip.
Did you know?
Over two billion Kigen-enabled SIMs have been deployed in IoT devices worldwide as of December 2020, making this one of the most widespread hardware vulnerabilities ever reported.
What risks do IoT devices face from this flaw?
Once compromised, a device’s eSIM can be cloned or manipulated, allowing attackers to intercept all communications. Operators may lose the ability to remotely control, disable, or even detect tampered profiles, leading to a total loss of oversight.
This exposure is especially concerning for critical infrastructure, healthcare, and industrial IoT networks, where device security is paramount. The scale of the threat is unprecedented, given the billions of affected devices.
The technical details behind the eUICC exploit
Security Explorations, the research lab that uncovered the flaw, found that the issue allows the installation of arbitrary applets on the eUICC. Attackers can extract the eUICC identity certificate, download profiles in cleartext, and access mobile network operator secrets.
The exploit builds on earlier research into Java Card vulnerabilities that break memory safety and applet firewall protections. It could lead to persistent backdoors and even native code execution on the card, making detection and mitigation challenging.
Industry response and the urgent need for security updates
Kigen responded by awarding a $30,000 bounty for the discovery and has released an advisory. The company urges all users to update to GSMA TS.48 v7.0, which restricts the use of vulnerable test profiles and mitigates the risk.
Despite the technical barriers, experts warn that nation-state groups and sophisticated attackers could exploit this flaw. The incident underscores the importance of robust security measures and rapid patch deployment across the IoT ecosystem.
This vulnerability marks a turning point for the security of embedded SIM technology. The industry must act swiftly to restore trust and safeguard billions of connected devices worldwide.