New eSIM Hack Allows Attackers to Clone Your eSIM Profile
A critical vulnerability has been identified in the GSMA TS.48 Generic Test Profile versions 6.0 and earlier, which are widely used across the eSIM industry for radio compliance testing.
This flaw enables attackers with physical access to an embedded Universal Integrated Circuit Card (eUICC) to exploit publicly known keys, facilitating the installation of non-verified and potentially malicious JavaCard applets.
In essence, this could allow unauthorized entities to load rogue applications onto the eSIM, compromising its security and potentially enabling eSIM profile cloning or other forms of data manipulation.
Vulnerability Exposes eSIMs
The exploit requires a specific sequence: physical access to the device, activation of the test profile, and utilization of these exposed keys to bypass standard verification processes.
While the TS.48 profile is intended solely for controlled testing environments and not for production use, its presence in field-deployed devices has raised alarms about real-world risks.
Successful exploitation could lead to severe consequences, such as unauthorized access to cellular network credentials, interception of communications, or even full eSIM takeover, mimicking the cloning of physical SIM cards but with far greater stealth due to the embedded nature of eSIMs.
Technical analysis reveals that the vulnerability stems from the profile’s inclusion of Remote Applet Management (RAM) keys, which, when not randomized, become predictable and exploitable.
Attackers could leverage this to inject bytecode-unverified applets, circumventing the JavaCard runtime environment’s security mechanisms.
This is particularly concerning in scenarios where eUICCs are integrated into consumer devices like smartphones, wearables, or IoT modules, where physical tampering might occur in supply chain attacks or targeted espionage.
The issue affects all eSIM products adhering to pre-v7.0 GSMA specifications, though not all eUICCs are equally vulnerable: many cannot be forced into test mode, and others lack these exposed keys.
Nonetheless, the potential for misuse has prompted an industry-wide alert, emphasizing the need for hardened security postures in eSIM deployments.
Broader Industry Safeguards
According to the report, Kigen, a leading eSIM solutions provider, has swiftly released an operating system (OS) security patch that prevents unauthorized remote applet loading, even when the vulnerable TS.48 profile is active on field devices.
This patch incorporates additional JavaCard runtime hardening measures, ensuring that applet installations are blocked in test profiles due to the absence of reliable bytecode verification methods.
Distributed via standardized Over-the-Air (OTA) Remote File Management to all customers, the update forms part of a two-layer mitigation strategy.
Complementing this, Kigen has introduced safer test profiles that exclude RAM keys by default, only incorporating randomized keys upon explicit request.
These enhancements not only address the immediate vulnerability but also reinforce the foundational security model of eSIMs, preventing rogue app loading at both profile and OS levels.
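As an added illustration (not Kigen's code or the GSMA specification text), the following Python model shows why the two layers are complementary: the profile layer ships no RAM keyset unless a randomised one is requested, and the OS layer refuses applet loading while a test profile is active even when the requester presents the correct keys. The profile names, keysets and function names are constructed assumptions.

```python
"""Model of the two-layer applet-loading mitigation described above (constructed)."""
import os
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed placeholder standing in for a fixed, publicly known keyset; not a real TS.48 value.
KNOWN_PUBLIC_KEYSETS = {bytes(range(0x40, 0x50))}


@dataclass
class Profile:
    name: str
    is_test: bool
    ram_keys: Optional[bytes] = None  # None = no Remote Applet Management keyset at all


def keyset_looks_random(key: bytes) -> bool:
    """Reject keysets that are on the known list, all one byte, or a byte-wise ascending run.
    Passing this check does not prove randomness; it only rules out obviously fixed values."""
    if key in KNOWN_PUBLIC_KEYSETS or len(set(key)) == 1:
        return False
    if all((key[i + 1] - key[i]) % 256 == 1 for i in range(len(key) - 1)):
        return False
    return True


def make_test_profile(name: str, randomised_keys_requested: bool = False,
                      rng: Callable[[int], bytes] = os.urandom) -> Profile:
    """Layer 1 (profile): no RAM keys by default; a fresh random keyset only on explicit request."""
    keys = rng(16) if randomised_keys_requested else None
    return Profile(name, True, keys)


def install_applet_allowed(active: Profile, presented_keys: bytes, os_patched: bool) -> tuple[bool, str]:
    """Layer 2 (OS) plus the legacy key check. Returns (allowed, reason)."""
    if active.is_test and os_patched:
        # Hardened OS: no reliable bytecode verification in test mode, so loading is refused outright.
        return False, "OS hardening: applet loading blocked while a test profile is active"
    if active.ram_keys is None:
        return False, "profile carries no RAM keyset; remote applet management unavailable"
    if presented_keys != active.ram_keys:
        return False, "RAM key mismatch"
    if not keyset_looks_random(active.ram_keys):
        # Pre-v7.0 behaviour: correct but predictable keys are accepted. This is the exposure.
        return True, "WARNING: loaded under a predictable keyset (vulnerable legacy behaviour)"
    return True, "loaded under randomised keyset"
```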
Kigen’s contributions extend to the GSMA’s updated TS.48 v7.0 specification, which now restricts test profile usage to safer variants without remote loading capabilities or those with confidential, randomized keysets for controlled environments.
The company has also influenced the GSMA Application Note on safe eSIM usage, promoting awareness of risks and best practices.
Publicly available since July 9, 2025, these documents underscore the collaborative effort to mitigate such threats industry-wide.
As eSIM adoption surges in 5G and beyond, Kigen plans ongoing enhancements, aligning with GSMA initiatives to evolve product security.
Users and manufacturers are urged to apply patches immediately and avoid test profiles in production, ensuring robust protection against this evolving threat landscape.
This proactive stance highlights the resilience of eSIM technology when fortified with timely mitigations.