The Quiet Revival of Java Card Vulnerabilities in eSIMs
As eSIM technology becomes ubiquitous in smartphones and IoT devices, so do the security risks hidden beneath its convenience. A recent investigation has revealed that vulnerabilities once thought dormant have reemerged, this time within the Java Card virtual machines powering eSIMs. The consequence: attackers could clone an eSIM, intercept mobile traffic, and even disable the chip itself.
What’s an eSIM and Why It Matters
An eSIM (embedded SIM) is a digital version of the traditional SIM card. Instead of a removable chip, it’s embedded directly in the device. With support for remote provisioning via an eUICC (embedded Universal Integrated Circuit Card), it allows switching between mobile networks and managing multiple profiles without swapping hardware.
This technology is integral to modern mobile devices, IoT deployments, and enterprise fleets. But its growing adoption also means a wider attack surface, especially when core components like the Java Card platform are vulnerable.
The Research Behind the Threat
Polish cybersecurity lab Security Explorations, led by Adam Gowdiak, conducted a long-term study on the security of eSIM chips, specifically focusing on a widely used Kigen eUICC card. Kigen claims to power over 2 billion IoT SIMs globally.
The research showed that Java Card flaws, first disclosed in 2019, remain exploitable in eSIMs today. These vulnerabilities enable a highly targeted attack: with brief physical access to a device, a hacker can extract cryptographic keys from the eSIM, install a malicious Java Card app, and use over-the-air (OTA) updates for further control, eliminating the need for continued access.
Kigen was notified and responded with a security advisory, classifying the issue as medium impact. However, the $30,000 bounty awarded to the researchers suggests deeper concern behind closed doors.
Exploitation Scenarios
Once compromised, an eSIM chip may leak profile data used by mobile operators to authenticate users. This opens the door to several dangerous scenarios:
- eSIM Cloning: Attackers can download and duplicate eSIM profiles, rerouting SMS and calls to another device. In a proof-of-concept, the researchers successfully cloned an Orange Poland eSIM.
- Mass Surveillance: Nation-state actors could potentially exploit these flaws for covert eavesdropping on targets by intercepting mobile traffic.
- Backdoors and Bricking: Hackers may implant persistent backdoors or render chips unusable. The researcher reportedly bricked five eSIMs during his tests.
- Undetectable Tampering: Mobile operators and vendors lack mechanisms to detect such backdoors or silent manipulations.
Although the initial research focused on Kigen, other eUICC vendors using Java Card tech may also be vulnerable. That includes those who dismissed the 2019 disclosures.
Industry Response: Too Little, Too Late?
The GSMA has issued general guidance to manufacturers, developers, and profile managers. Yet Oracle, the creator of Java Card, remains largely indifferent. According to Security Explorations, these attacks could have been mitigated years ago if the vendor had taken the original flaws seriously.
The researchers developed a toolset to identify vulnerable Java Card VMs and extract required keys, but for now, this tool is tailored only to Kigen cards. Each vendor’s eSIM would require custom exploit development.
Why This Matters for Cybersecurity Professionals
This incident is a reminder that legacy vulnerabilities can silently persist in critical infrastructure, even years after disclosure. eSIMs are widely assumed to be secure by design, yet assumptions are no match for real-world exploitability.
For enterprises, government agencies, and any organization relying on mobile communications, this research raises a red flag. The implications range from industrial espionage to national security.
What Can Be Done?
eSIM security starts with transparency, vendor accountability, and threat monitoring. Until eUICC manufacturers patch these low-level flaws and implement runtime integrity checks, attackers will continue to have an edge.
Let’s talk about how to secure your mobile ecosystem.
Read the full article from Security Week here.