A Wake-Up Call for the Mobile Tech World
A groundbreaking discovery by cybersecurity researchers has shaken the foundation of modern mobile communication. Security Explorations, a respected firm in the infosec community, has revealed serious vulnerabilities in one of the world’s most widely used eSIM technologies: Kigen’s eUICC cards. These chips, embedded in billions of smartphones and IoT devices, are meant to offer secure, flexible connectivity without the need for physical SIM cards. But this latest revelation shows just how fragile that trust can be.
The report details how researchers were able to breach the core encryption mechanisms of eSIM infrastructure by exploiting a long-standing flaw in the Java Card virtual machine used by Kigen’s eUICC cards. More alarmingly, the issue has existed since at least 2019 and was previously reported to Oracle, but remained unpatched until now. This lapse has left a backdoor open for potential exploitation across global mobile networks.
How the Vulnerability Was Uncovered
Security Explorations found a way to exploit type confusion bugs in the Java Card implementation—bugs they had previously flagged to Oracle. Using this method, they were able to access protected memory areas within eUICC chips and extract private ECC cryptographic keys used in the GSMA’s security certificate infrastructure. These keys serve as the cornerstone of eSIM trust, and with them, attackers could impersonate legitimate devices.
Once compromised, a single eUICC chip allowed researchers to pull eSIM profiles from over 100 mobile operators around the globe. These profiles contained critical user information, authentication keys, and embedded Java Card apps. Perhaps most concerning, this breach didn’t require physical access. By mimicking an OTA (over-the-air) applet installation via SMS protocols, the attack could be launched remotely, turning any compromised chip into a global master key.
Industry’s Patch Response and Risk Assessment
Kigen responded with patches and a security hardening campaign, scoring the threat as “medium” (CVSS 6.7) for physical attacks. However, experts argue the real-world impact through remote vectors justifies a “critical” score (CVSS 9.1). Patches were pushed OTA to affected devices, and GSMA updated its specifications and released new guidelines to curb the misuse of Remote Applet Management.
Yet, the question remains: why were these vulnerabilities left unresolved for six years, and what does this mean for other certified hardware? Even though Kigen’s eUICC was certified at the EAL4+ level, the attack exposed that software-level flaws can bypass hardware-level assurances, undermining the entire Common Criteria process.
What Undercode Says:
A Deep Dive into the Anatomy of the eSIM Breach
The Kigen eUICC breach isn’t just a single
First, the heart of this issue lies in the Java Card virtual machine. Despite being an industry staple, its underlying codebase contains logic vulnerabilities like type confusion, which can be exploited to gain unauthorized memory access. This isn’t a trivial programming oversight—it reflects years of structural neglect where vendor responsibility and certification rigor did not align.
From a threat modeling perspective, the ability to extract ECC private keys invalidates the integrity of the eSIM ecosystem. These keys were never supposed to leave the secure element. Once they did, they opened a Pandora’s box: remote profile downloads, subscriber impersonation, and potential cloning of eSIMs on a global scale. For attackers, this offers unprecedented reach. One breach equals unlimited network access, across countries and providers.
Remote exploitation capabilities via OTA further magnify the threat. Unlike SIM swap fraud that requires insider help or physical access, this method can be orchestrated from anywhere in the world. That raises the stakes for telecom operators relying on SMS for critical authentication.
The security community must also reckon with the failure of the Common Criteria framework. An EAL4+ certification gave a false sense of security. But no amount of formal assurance can compensate for exploitable bugs ignored by vendors. Oracle’s dismissal of the 2019 vulnerability report now looks like a costly misstep. It allowed a bug to morph into a full-blown infrastructure threat.
This breach also highlights a concerning reality for user privacy. With eSIM cloning proven feasible, identity theft becomes a lot easier. The attacker can intercept 2FA codes, impersonate victims on messaging platforms, and even use hijacked numbers for social engineering.
What makes this incident particularly important is the layered complexity of patching. While Kigen acted quickly after disclosure, millions of already-deployed devices may never receive updates. IoT devices, in particular, often lack mechanisms for automatic security patching, leaving large swaths of the ecosystem vulnerable.
For developers, one major lesson is the necessity of secure design in depth. Vendor reliance on third-party VM platforms like Java Card must be scrutinized more closely. Telecom companies need better runtime validation mechanisms, more granular applet isolation, and less reliance on remote applet management via SMS.
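To make the "type confusion" bug class and the "runtime validation" lesson concrete, here is an added toy example (not code from Kigen, Security Explorations, Oracle or the Java Card specification). It models a tiny stack machine with a constructed, hypothetical instruction set, a static verifier of the kind Java Card applies off-card, and an interpreter that optionally re-checks operand types at run time. The secret heap slots, opcode names and sample programs are all constructed for illustration.

```python
"""Toy stack-machine verifier and interpreter illustrating type confusion.

The instruction set below is constructed for this example; it is NOT
Java Card's real opcode set. INT values are plain integers, REF values are
indices into a small heap, and 'getfield' must only ever see a REF operand.
"""
from typing import Any, List, Tuple

INT, REF, ANY = "int", "ref", "any"

# Static typing rules per opcode: (operand types popped, bottom..top), (result types pushed)
SPEC = {
    "push_int": ((), (INT,)),
    "new_ref":  ((), (REF,)),          # allocate an object holding one int field
    "iadd":     ((INT, INT), (INT,)),
    "getfield": ((REF,), (INT,)),      # read the field of the referenced object
    "pop":      ((ANY,), ()),
}

Instr = Tuple[Any, ...]


def verify(program: List[Instr]) -> Tuple[bool, str]:
    """Abstract-interpret the operand stack with types only (off-card style check).

    Returns (True, 'verified') or (False, reason) naming the first type violation.
    """
    stack: List[str] = []
    for pc, instr in enumerate(program):
        op = instr[0]
        if op not in SPEC:
            return False, f"pc {pc}: unknown opcode {op!r}"
        pops, pushes = SPEC[op]
        if len(stack) < len(pops):
            return False, f"pc {pc}: {op} underflows the operand stack"
        for want in reversed(pops):          # top of stack is the last element
            got = stack.pop()
            if want != ANY and got != want:
                return False, f"pc {pc}: {op} needs {want} but stack top is {got} (type confusion)"
        stack.extend(pushes)
    return True, "verified"


class Heap:
    """Constructed toy heap: slots 0 and 1 hold data the applet was never given a reference to."""

    def __init__(self) -> None:
        self.slots = [0xC0FFEE, 0xDEADBEEF]   # sample 'secret' material of another context

    def alloc(self, field0: int) -> int:
        self.slots.append(field0)
        return len(self.slots) - 1            # the reference is just a heap index


def run(program: List[Instr], enforce_types: bool = True) -> List[int]:
    """Execute with tagged values and return the final operand stack as plain ints.

    enforce_types=True models runtime validation: getfield on a non-REF raises.
    enforce_types=False models a VM that trusts verification that never happened:
    an attacker-chosen int is silently used as a heap index (out-of-context read).
    """
    heap = Heap()
    stack: List[Tuple[str, int]] = []
    for pc, instr in enumerate(program):
        op = instr[0]
        if op == "push_int":
            stack.append((INT, instr[1]))
        elif op == "new_ref":
            stack.append((REF, heap.alloc(instr[1])))
        elif op == "iadd":
            (_, b), (_, a) = stack.pop(), stack.pop()
            stack.append((INT, a + b))
        elif op == "getfield":
            tag, ref = stack.pop()
            if enforce_types and tag != REF:
                raise TypeError(f"pc {pc}: getfield on {tag} operand")
            stack.append((INT, heap.slots[ref]))
        elif op == "pop":
            stack.pop()
        else:
            raise ValueError(f"unknown opcode {op!r}")
    return [value for _, value in stack]


def runtime_check_blocks(program: List[Instr]) -> bool:
    """True if the runtime type check stops the program, False if it runs to completion."""
    try:
        run(program, enforce_types=True)
        return False
    except TypeError:
        return True


# Constructed sample programs.
GOOD = [("new_ref", 7), ("getfield",), ("push_int", 1), ("iadd",)]   # well typed: reads 7, adds 1
CONFUSED = [("push_int", 1), ("getfield",)]                          # int used where a REF is required

if __name__ == "__main__":
    print("GOOD:", verify(GOOD), run(GOOD))
    print("CONFUSED:", verify(CONFUSED))
    print("runtime check blocks CONFUSED:", runtime_check_blocks(CONFUSED))
    print("without any check, CONFUSED reads:", [hex(v) for v in run(CONFUSED, enforce_types=False)])
```

The point of the two modes is the one the paragraph makes: a verifier rejects the confused program before it ever runs, and a VM that re-checks tags at run time refuses the bad `getfield`, but a VM that assumes type safety it never enforced hands the applet whatever sits at the integer it supplied. Either layer of validation on its own would have stopped this toy program; defense in depth means having both.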
Independent research teams like Security Explorations play a critical role in bringing hidden flaws to light. However, real change will only come when vendors are incentivized—or compelled—to treat such reports seriously from the start. A future breach may not be so responsibly disclosed.
The Kigen case might be a signpost for broader systemic review: we’re entering an era where secure hardware can still be compromised by soft logic and poorly managed applet systems. It’s time to recalibrate how we define “secure” in the mobile age.
🔍 Fact Checker Results:
✅ Breach occurred due to Java Card VM flaw confirmed by Security Explorations
✅ GSMA and Kigen issued coordinated updates and OTA patches
❌ ECC private keys were never meant to be extractable under EAL4+ certified conditions
📊 Prediction:
Expect a surge in mobile network security audits following this breach, especially for devices using Java Card-based eUICC platforms. Telecom firms may begin shifting toward in-house VM development or switching to hardware vendors with proven post-quantum security capabilities. Additionally, industry standards like GSMA’s TS.48 will likely see accelerated updates and tighter testing protocols to restore confidence in global eSIM infrastructure. 📱🔐
References:
Reported By: cyberpress.org