Cybersecurity & InfoSec

eSIM: Cloning, Interception, and Java Card System Vulnerability

Researchers from Security Explorations have reported a critical vulnerability in eSIM chips from Kigen, which allowed full access to secret keys, cloning of eSIM profiles, and interception of calls and messages without the owner's knowledge.

Attack Demonstration: Cloning an Orange Profile. Researchers demonstrated the attack in the real network of Orange Poland:

🕸 Two phones used the same eSIM profile,  
🕸 The second phone completely intercepted calls and SMS,  
🕸 The original owner noticed nothing — the eSIM operation appeared unchanged.

Kigen chips were certified to EAL4+, GSMA SGP.22 specifications, and secured by Infineon SecurCore SC300. However, even such "rock-solid" security did not protect against the logical vulnerability in Java Card.

Through the SMS-PP protocol (service SMS), an attacker can send a malicious applet to the device and gain access to the memory where private ECC keys are stored. This enables:

⦁ Forging the GSMA certificate (Generic Test Profile),
⦁ Uploading mobile operator eSIM profiles (AT&T, Vodafone, O2, Orange, etc.) in plain text,
⦁ Cloning the eSIM to another device.

This is the first publicly documented case in history of a successful hack of a consumer eUICC chip certified to the EAL4+ standard and approved by GSMA.

The issue lies in the architecture of the Java Card VM used in Kigen chips. It allows the installation and execution of Java applets on eSIMs but does not verify their security at the bytecode level.

You should post sources 😄
Here's what I found:

I will, clearly stated in a post on X, missed here

I will, clearly stated in a post on X, missed here https://x.com/officer_cia/status/1946679256668406169?s=46

You should post sources 😄
Here's what I found:
https://thehackernews.com/2025/07/esim-vulnerability-in-kigens-euicc.html?m=1
https://security-explorations.com/esim-security.html