A serious security flaw has been discovered in the eSIM technology used by millions of smartphones around the world. This bug could allow hackers to spy on users, take over their phones remotely, and even clone their identities. The vulnerability affects a wide range of devices and could have long-term consequences for how we think about mobile security.
The issue was found in the Kigen eUICC chips, which are used in many phones to manage eSIM profiles. These chips are based on a technology called Java Card, and it turns out that a six-year-old bug in Java Card’s virtual machine is at the heart of the problem. The bug had been reported before but was not considered dangerous, until now.
Security researcher Adam Gowdiak revealed that this overlooked bug can be exploited in the real world. He showed how attackers can first get physical access to a phone, extract the private key from the eSIM chip, and then use that key to control the eSIM remotely. Once they have this access, they no longer need the phone: they can clone it and spy from anywhere.
This means hackers could receive your calls and texts, impersonate your phone number, and access services that rely on your mobile identity. In some cases, they could even take control of apps that use your number for login, like WhatsApp or Telegram. It’s a major privacy risk and could lead to identity theft or surveillance without the victim ever knowing.
What makes this even more concerning is that most people assume eSIMs are more secure than regular SIM cards. That’s true in some ways, but this discovery proves that even modern embedded systems can have serious flaws, especially if they rely on outdated code or platforms.
The attack works by tricking the eSIM into accepting malicious updates or apps sent over the air. The hacker doesn’t need to trick the user into clicking anything. Once they’ve exploited the bug and have the private key, they can operate silently in the background. No warnings, no alerts.
Despite being reported to Oracle years ago, the bug didn’t get much attention. Oracle claimed it didn’t apply to real-world use, and many vendors didn’t patch it. Now that the threat is real, companies are rushing to act. The GSMA, which sets standards for mobile networks, has issued guidance for fixing the issue and securing provisioning systems.
The researcher’s proof-of-concept even showed how an eSIM profile could be cloned and used on another device without the user knowing. This kind of attack could be used for targeted surveillance, especially against high-value individuals or businesses.
Kigen, whose chips are impacted, has acknowledged the bug and is working on solutions. They’ve also rewarded the researcher for responsibly reporting the flaw. But millions of devices are already out in the world, and many may not support secure updates to patch the issue.
Security experts recommend that users take some extra precautions. For example, avoid relying on SMS-based two-factor authentication where possible. Instead, use app-based authentication or physical security keys. Also, be cautious about where and how your mobile number is used for identity verification.
The bigger lesson here is about long-term security. Just because a platform is widely used or built into the hardware doesn’t mean it’s immune to threats. Bugs that seem harmless at first can turn into major vulnerabilities when combined with clever exploitation techniques.
In conclusion, this eSIM bug isn’t just a small glitch; it’s a wake-up call. Billions of devices could be affected, and fixing the issue will require cooperation between chipmakers, phone manufacturers, network providers, and software vendors. In the meantime, users should stay informed and take steps to secure their digital identity.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news