Security researchers successfully compromised Kigen's GSMA-certified eUICC card, exploiting Java Card VM vulnerabilities to extract private keys and download eSIM profiles in plaintext from multiple mobile network operators. The attack demonstrates critical weaknesses in eSIM architecture, enabling profile cloning, subscriber
Table of contents

Notes
Crypto Proof
Demonstration movies
GSMA certificate theft implications
Kigen notification / reports
Reward from Kigen
The core issues
GSMA and Oracle notifications
Vulnerable Kigen products / fixing status / patch details
Initial research impact
The warning call for mobile phone vendors
GSMA inquiry around eUICC / eSA certification scheme
GSMA spec changes
eUICC / Java Card exploitation toolkit
Remote SIM provisioning (RSP) servers
Orange Poland mirrored eSIMs test
The ultimate (pending) goal
Other eUICC vendors
Summary of security mechanisms / features of a target card
Research complexity
On technology vendor's responsibility
On the value of independent security research
Some recommendations / take aways for MNOs and/or vendors