New eSIM Hack Let Attackers Clone Profiles and Hijack Phone Identities
A critical vulnerability in eSIM technology enables attackers to clone mobile subscriber profiles and hijack phone identities.
AG Security Research revealed that they broke the security of Kigen eUICC cards carrying GSMA consumer certificates, marking what they claim is the first successful public hack against a consumer GSMA eUICC and against EAL-certified GSMA security chips.
The research team extracted private ECC keys from compromised eUICC cards and demonstrated the ability to download eSIM profiles from major mobile network operators, including AT&T, Vodafone, O2, Orange, and T-Mobile, in cleartext format.
Key Takeaways
1. Researchers successfully hacked Kigen eUICC cards, extracting private keys and downloading eSIM profiles from major carriers in unencrypted format.
2. Live tests demonstrated complete phone identity hijacking, with attackers intercepting all calls, SMS, and two-factor authentication codes undetected.
3. The vulnerability affects over 2 billion SIMs, allowing one compromised certificate to access any mobile operator's eSIM profiles globally.
4. Kigen deployed security patches to millions of eSIMs while GSMA shut down test profiles and updated industry security specifications.
This breakthrough represents a significant security breach in the eSIM ecosystem: according to company press releases, over 2 billion SIMs are enabled by Kigen’s secure SIM OS.
Java Card Flaw Allows Remote Cloning
The attack exploits fundamental flaws in the Java Card Virtual Machine implementation, specifically type confusion vulnerabilities similar to issues reported in 2019.
The researchers developed a Proof of Concept that mimics malicious applet installation over the OTA SMS-PP protocol (Short Message Service Point to Point).

The vulnerability allows attackers to bypass multiple security mechanisms, including EAL4/5 certification, side-channel attack countermeasures, and Java Card Runtime security features.
The attack vector requires either physical access to the target card along with knowledge of installation keys or remote exploitation through OTA channels.
Critical technical elements compromised include network operators’ OPc keys and Authentication Management Field (AMF) – two essential secret keys embedded in eSIM profiles that should be “safeguarded by network operators at any cost”.
The researchers’ toolkit implements a Basic Security Check (BSC) command that evaluates Java Card-capable eUICC security through various bytecode vulnerability assessments.
The most alarming demonstration involved successful eSIM cloning tests conducted on Orange Poland’s network in July 2025.
Researchers installed identical Orange eSIM profiles on two different physical eUICC cards and demonstrated complete subscriber identity hijacking.

When the malicious device was activated, it immediately began receiving all calls and SMS messages intended for the legitimate subscriber.
This cloning capability poses severe risks for two-factor authentication systems, as attackers can intercept SMS-based verification codes for services like Gmail and e-banking platforms.
The researchers confirmed that legitimate users remain unaware of the hijacking, as no visible trace appears at the user end.
Kigen has responded by implementing type safety checks across approximately 180 Java Card bytecode instructions and coordinating with GSMA to update the TS.48 Generic Test Profile specification.
The company distributed patches to millions of eSIMs and issued a security bulletin detailing mitigation strategies.
GSMA has also published new application notes and shut down all test profiles to prevent unauthorized Java Card application installations.
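To make the type-confusion mechanism described above and Kigen's per-instruction type checks concrete, here is an added toy example; it is not code from AG Security Research, Kigen, or the Java Card specification, and its instruction set, opcode names and programs are hypothetical. It models a tiny stack machine with two abstract value types (short and reference) and a one-pass verifier for straight-line code that tracks the abstract operand stack and local-variable types and rejects the first instruction whose operands have the wrong type. The two rejected programs show the two directions of confusion: a reference stored into a short slot (which would let the raw reference be read as a number) and a short stored into a reference slot (which would forge a reference from an arbitrary integer). Java Card platforms commonly rely on off-card bytecode verification, so an applet that reaches the card without it is only as safe as the checks the VM itself enforces; that is the gap that checks inside the VM close.

```python
"""Toy stack-machine bytecode verifier with per-instruction type checks.

Constructed example: a simplified model, NOT Java Card bytecode and NOT
Kigen's JCVM. Every value has one of two abstract types, SHORT or REF.
Each instruction declares what it pops and pushes; the verifier walks a
straight-line program once and stops at the first type mismatch.
"""
from dataclasses import dataclass

SHORT, REF = "short", "ref"

# Hypothetical instruction set: opcode -> (pops, pushes), top of stack last.
INSTRUCTIONS = {
    "sconst": ([], [SHORT]),            # push an immediate short
    "sadd": ([SHORT, SHORT], [SHORT]),  # add two shorts
    "arraylength": ([REF], [SHORT]),    # length of an array reference
    "baload": ([REF, SHORT], [SHORT]),  # array ref, index -> element
    "sreturn": ([SHORT], []),
    "areturn": ([REF], []),
}
# sload n / aload n push local n (which must hold SHORT / REF);
# sstore n / astore n pop into local n (top of stack must be SHORT / REF).


@dataclass
class VerifyResult:
    ok: bool
    pc: int = -1       # index of the offending instruction, -1 if accepted
    reason: str = ""


def verify(program, local_types):
    """program: list of (opcode, operand-or-None); local_types: initial local
    variable types. Returns a VerifyResult describing acceptance or the
    first instruction whose operand types do not match."""
    stack = []
    locals_ = list(local_types)
    for pc, (op, arg) in enumerate(program):
        if op in ("sload", "aload"):
            want = SHORT if op == "sload" else REF
            have = locals_[arg] if arg < len(locals_) else None
            if have != want:
                return VerifyResult(False, pc, f"{op} {arg}: local holds {have}, expected {want}")
            stack.append(want)
            continue
        if op in ("sstore", "astore"):
            want = SHORT if op == "sstore" else REF
            if not stack:
                return VerifyResult(False, pc, f"{op} {arg}: stack underflow")
            top = stack.pop()
            if top != want:
                return VerifyResult(False, pc, f"{op} {arg}: top of stack is {top}, expected {want}")
            if arg >= len(locals_):
                locals_.extend([None] * (arg + 1 - len(locals_)))
            locals_[arg] = want
            continue
        if op not in INSTRUCTIONS:
            return VerifyResult(False, pc, f"unknown opcode {op}")
        pops, pushes = INSTRUCTIONS[op]
        if len(stack) < len(pops):
            return VerifyResult(False, pc, f"{op}: stack underflow")
        actual = stack[len(stack) - len(pops):] if pops else []
        if actual != pops:
            return VerifyResult(False, pc, f"{op}: operands {actual}, expected {pops}")
        del stack[len(stack) - len(pops):]
        stack.extend(pushes)
    return VerifyResult(True)


# Constructed programs. WELL_TYPED: arraylength(local0) + 1.
WELL_TYPED = [("aload", 0), ("arraylength", None), ("sconst", 1),
              ("sadd", None), ("sreturn", None)]
# REF_AS_SHORT: a reference is stored into a short slot and then read back
# as a number; a checking VM must refuse the sstore.
REF_AS_SHORT = [("aload", 0), ("sstore", 1), ("sload", 1), ("sconst", 1),
                ("sadd", None), ("sreturn", None)]
# FORGED_REF: an integer is stored into a reference slot and dereferenced;
# a checking VM must refuse the astore.
FORGED_REF = [("sconst", 0x1234), ("astore", 1), ("aload", 1),
              ("arraylength", None), ("sreturn", None)]


if __name__ == "__main__":
    for name, prog, locs in (("WELL_TYPED", WELL_TYPED, [REF]),
                             ("REF_AS_SHORT", REF_AS_SHORT, [REF]),
                             ("FORGED_REF", FORGED_REF, [])):
        r = verify(prog, locs)
        print(f"{name}: {'accepted' if r.ok else 'rejected at pc ' + str(r.pc) + ': ' + r.reason}")
```

The same check can run at load time (a verifier) or inside the interpreter before each instruction executes (a runtime type check); the toy keeps only straight-line code, so merging stack states at branch targets, which a real verifier needs, is omitted.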