Security researchers recently uncovered critical vulnerabilities in eUICC (Embedded Universal Integrated Circuit Card) chips used in eSIMs, particularly chips developed by Kigen, a company with significant global reach in the IoT market. If exploited, the flaws might enable an attacker to clone an eSIM, intercept mobile communications and even permanently damage the eSIM chip.
Kigen acknowledged the vulnerabilities and has since issued an advisory, classifying the threat as medium-impact. However, independent researchers emphasized that the vulnerabilities might have serious security implications, especially in scenarios involving surveillance, espionage or identity theft.
The underlying threat originates from long-standing Java™ Card vulnerabilities disclosed in 2019, such as type confusion and memory-safety flaws. These vulnerabilities allow attackers to bypass isolation and access secure memory on a Java Card Virtual Machine (JCVM). Oracle and early vendors downplayed these issues at the time, but the latest exploits confirm their impact.
To carry out these attacks, an attacker needs brief physical access to extract known test-profile keys from the eUICC. With a compromised identity certificate, attackers can then abuse over-the-air (SMSPP) provisioning to deploy malicious applets remotely.
As a proof-of-concept demonstration, researchers cloned an Orange Poland eSIM, causing calls, texts and two-factor codes to be routed to a cloned device without alerting the original user.
The implications of these attacks are concerning. They include:
In response to the growing adoption of eSIM technology, industry stakeholders are actively developing standards, enhancing security measures and fostering collaboration. These efforts aim to address potential challenges and ensure a smooth transition from traditional SIM cards.
Experts warn that similar vulnerabilities might exist across other eUICC vendors, including major players such as Thales and NXP. These weaknesses stem from inherent flaws in Java Card technology, particularly in the lack of comprehensive on-card bytecode verification and shared architectural designs among vendors.
Because many eUICC implementations rely on similar virtual machine environments and security models, a single vulnerability in the Java Card systems can potentially propagate across multiple manufacturers and device types.
In response, cybersecurity researchers and industry specialists are calling for systemic reforms in how eSIM and eUICC security is managed. Their recommendations include the mandatory integration of full bytecode verification mechanisms, formal third-party security audits at both firmware and card operating system (OS) levels and stricter GSMA security compliance mandates for all Java-based eUICC profiles. Such measures would help prevent the exploitation of low-level flaws that could compromise the integrity of global mobile networks.
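The following is an added example, not code from the article, from Kigen or from any real Java Card implementation. It is a toy stack VM, written to show what the "full bytecode verification" recommended above actually does: a verifier walks the program once, tracking only the static types on the operand stack, and rejects any instruction that would use an integer where a reference is required. The instruction set, the heap contents and the placeholder value 4242 are all constructed for illustration and are not Java Card bytecode.

```python
"""Toy stack VM showing what on-card bytecode verification prevents.

Added example; not code from the article, Kigen, Oracle or the JCVM. The
instruction set, the heap contents and the verifier are constructed for
illustration and are not Java Card bytecode.
"""

INT, REF = "int", "ref"

# Constructed heap: objects of two applets share one address space. The VM
# has no runtime type tags, so isolation rests entirely on static typing.
HEAP = {
    1: {"owner": "applet_A", "balance": 100},
    2: {"owner": "applet_B", "key_material": 4242},  # placeholder value
}


class VerificationError(Exception):
    """Raised when a program is rejected before it runs."""


def verify(program):
    """Abstract interpretation over static types.

    Walks the program once, tracking only the *types* on the operand stack,
    and rejects any instruction whose operand types do not match what it
    expects. Returns the abstract stack at the end of the program.
    """
    stack = []

    def pop(expected, pc, op):
        if not stack:
            raise VerificationError(f"pc={pc}: {op} on empty stack")
        got = stack.pop()
        if got != expected:
            raise VerificationError(f"pc={pc}: {op} expects {expected}, found {got}")

    for pc, (op, *args) in enumerate(program):
        if op == "PUSH_INT":
            stack.append(INT)
        elif op == "PUSH_REF":
            stack.append(REF)
        elif op == "ADD":                 # int + int only; no reference arithmetic
            pop(INT, pc, op); pop(INT, pc, op); stack.append(INT)
        elif op == "GETFIELD":            # needs a reference, yields an int field
            pop(REF, pc, op); stack.append(INT)
        elif op == "RETURN":
            pop(INT, pc, op)
        else:
            raise VerificationError(f"pc={pc}: unknown opcode {op}")
    return stack


def execute(program, verified=True):
    """Run a program. With verified=False the VM behaves like a card that
    skips bytecode verification: it trusts the operand stack blindly."""
    if verified:
        verify(program)
    stack = []
    for op, *args in program:
        if op in ("PUSH_INT", "PUSH_REF"):
            stack.append(args[0])
        elif op == "ADD":
            b, a = stack.pop(), stack.pop()
            stack.append(a + b)
        elif op == "GETFIELD":
            # No runtime tag: whatever integer is on top is used as an address.
            addr = stack.pop()
            stack.append(HEAP[addr][args[0]])
        elif op == "RETURN":
            return stack.pop()
    raise RuntimeError("program fell off the end")


# Well-typed program: applet_A reads its own object through a real reference.
LEGIT = [("PUSH_REF", 1), ("GETFIELD", "balance"), ("RETURN",)]

# Ill-typed program: an integer is used where a reference is required. This
# is the shape of a type-confusion bug; the verifier's job is to reject it.
CONFUSED = [("PUSH_INT", 2), ("GETFIELD", "key_material"), ("RETURN",)]


def run_legit():
    return execute(LEGIT)


def run_confused(verified):
    """Returns the value the program produced, or the string 'rejected'
    if verification stopped it from running."""
    try:
        return execute(CONFUSED, verified=verified)
    except VerificationError:
        return "rejected"


if __name__ == "__main__":
    print("legit:", run_legit())
    print("confused, unverified VM:", run_confused(verified=False))
    print("confused, verifying VM:", run_confused(verified=True))
```

Running the block shows the difference the recommendation makes: the unverified VM happily follows the integer into another applet's object, while the verifying VM rejects the same program at load time, before any instruction executes. A real verifier also has to track local variables, branches and subroutine calls, which this toy omits, but the principle is the same: isolation that depends on static typing is only as strong as the check that enforces it.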
The discovery of these vulnerabilities in eSIM technology serves as a critical wake-up call for the broader mobile and IoT ecosystem. As global connectivity increasingly depends on embedded and remotely managed solutions, the security of foundational hardware components such as eUICC becomes essential.
This particular exploit highlights how subtle, often-overlooked implementation errors, especially those buried deep within shared runtime environments, can cascade into severe real-world risks. These risks include device surveillance, subscriber identity theft and large-scale network disruption.
Although vendors such as Kigen and standards organizations like the GSMA have begun issuing security advisories, implementing patches and tightening certification requirements, experts emphasize that these steps represent only partial mitigation.
The incident underscores the urgent need for continuous security auditing, transparent vulnerability disclosure practices and active collaboration between eUICC vendors, mobile network operators and the developer community.
In the long term, as digital infrastructure becomes more interconnected and software-defined, safeguarding the trust and integrity of communication systems must remain a central priority. Both enterprises and users should remain vigilant by regularly applying firmware updates, adhering to security best practices and advocating for higher industry standards.
Strengthening security at the foundational level of eSIM and eUICC technologies is not only a matter of protecting data—it is vital to the resilience and reliability of the global communications system.