A serious security flaw has been discovered in Kigen’s embedded SIM (eUICC) chip, which is integrated in over 2 billion eSIMs on IoT devices worldwide. The finding suggests that a successful attack could lead to data theft, decryption of information, and control over the mobile network operator (MNO) profiles on the device.
According to a report from the security team, the flaw stems from the use of the GSMA TS.48 Generic Test Profile version 6.0 or lower. This configuration was originally designed for testing radio signals in a development environment, but it was mistakenly integrated into commercial devices, i.e. devices in actual market use.
The vulnerability only affects IoT devices using Kigen eSIMs that run TS.48 version 6.0 or lower. However, as the number of devices using Kigen’s eUICC platform had already exceeded 2 billion as of 2020, the potential reach of this vulnerability is highly worrying, especially if patches are not applied in time.
The flaw allows an attacker to install a malicious JavaCard applet on the device, given physical access and the use of previously published public keys.
After a successful attack, hackers can carry out a variety of dangerous actions, including:
- Stealing the eUICC identity certificates, thereby taking control of the embedded SIM card
- Downloading MNO profiles in plaintext, i.e. without encryption
- Tracking and interfering with the eSIM’s activity on the target device
- Setting up a cloaked backdoor that maintains secret, unauthorized access
- Forging the profile status so that the ISP’s systems cannot detect the anomaly or disable the hijacked profile
This exposes a major weakness in the global eSIM architecture, especially when such vulnerabilities go undetected by the network operators’ traditional layers of control.
Soon after the vulnerability was discovered, Kigen quickly released a patch for the eUICC operating system, while providing OTA (Over-the-Air) updates to prevent the installation of unauthenticated applets on the device. In parallel, GSMA also released TS.48 v7.0, which removes the ability to use test profiles in real deployment environments to minimize security risk.
This incident serves as a wake-up call to the entire IoT and telecommunications industry, emphasizing the importance of:
- Never using test configurations in a production environment
- Updating software and firmware regularly to patch newly discovered vulnerabilities
- Strictly monitoring the operation of the eSIM and the applets on the device to ensure the integrity and safety of the system
As billions of IoT devices are increasingly reliant on eSIM and the eUICC platform, maintaining a strong security architecture is vital, not only to protect user data but also to ensure the reputation and stable operation of the entire digital ecosystem.