Massive eSIM Security Flaw Found — But Patched Before Real-World Damage

Security researchers have discovered a serious vulnerability in eSIM technology that could have affected billions of devices. The bug was found in a test version of the embedded SIM (eSIM) used in smartphones, smartwatches, tablets, and even IoT devices. Thankfully, the issue has been fixed before any real harm could be done.

The flaw was found in the GSMA TS.48 Generic Test Profile (v6.0 and earlier), a special type of eSIM setup used only during device testing and certification. This test profile is not used in everyday consumer use but is common during the manufacturing and development phase of devices.

The flaw was discovered by Security Explorations, a Polish cybersecurity research team known for digging deep into hardware-level threats. They found the issue in Kigen’s eUICC technology, which powers eSIMs in over 2 billion devices. For their discovery, Security Explorations received a $30,000 reward, recognizing the importance of their work in helping secure billions of connected devices.

Kigen is one of the key players in the eSIM industry, and its platform is used across many smartphones and connected devices globally.

The vulnerability allowed someone with physical access to the device to install custom applets (small programs) on the eSIM without proper checks. These applets could potentially steal sensitive data, intercept or manipulate network communication, inject malicious code, and bypass built-in security.

That made this a high-risk vulnerability, especially in environments where eSIM test profiles were not properly disabled after use.

Although the bug was serious, exploiting it was not easy. An attacker would need physical access to the device, the ability to activate test mode, a device running an outdated, unprotected test profile, and RAM keys that were not cleared. In short, while the potential impact was huge, the number of devices actually vulnerable in the real world was likely low, mostly limited to development or testing environments.

Kigen acted fast and has already rolled out a fix. The new GSMA TS.48 v7.0 specification addresses all known issues. The update includes blocking RAM key access in test profiles, prohibiting installation of applets in test mode, randomizing keysets to avoid reuse, and hardening the OS to stop unauthorized remote loading.

After these updates, security experts say that the attack is now almost impossible to carry out.
