eSIM Security Alert: Critical Vulnerabilities Exposed in 2025-2026
Your digital SIM might not be as secure as you think. New research reveals serious flaws that could let hackers clone your identity and intercept your calls.
Remember when we all thought eSIMs were the future of mobile security? No more tiny plastic cards to lose, no more SIM swapping attacks, no more hassle. Just a sleek digital chip embedded in your phone, ready to connect you anywhere in the world.
Well, 2025 just delivered a reality check. Security researchers have uncovered critical vulnerabilities in eSIM technology that expose billions of devices to cloning, surveillance, and identity theft. And the scariest part? Some of these flaws have been hiding in plain sight since 2019.
What Just Happened: The Kigen eSIM Breach
In mid-2025, researchers at AG Security Explorations dropped a bombshell. They successfully cloned an eSIM profile from Orange Poland and intercepted calls, texts, and two-factor authentication codes, all without the victim ever knowing something was wrong.
Here is how it worked. The attack targeted eUICC chips (the hardware running your eSIM) made by Kigen, an Irish company whose technology powers over 2 billion IoT devices globally. The researchers exploited old Java Card vulnerabilities, specifically a "type confusion" flaw that lets malicious code break out of its isolated environment and access secure memory areas.
Think of it like a prison break, but for your SIM card. The Java Card Virtual Machine is supposed to keep different apps separate, like inmates in different cells. But this flaw creates a secret tunnel between cells, letting attackers reach cryptographic keys and sensitive data they should never touch.
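The "cells" in that analogy are enforced by type checking: every instruction must receive operands of the type it expects, and a Java Card runtime traditionally relies on that check having been done before an applet is loaded (plus whatever the card's own VM enforces at run time). The following is an added illustration, written for this article and not taken from Kigen, Oracle or the researchers' work. It models a toy stack machine (not real Java Card bytecode; the opcode names, operand types and the two sample applets are constructed) and shows how an abstract type-checking pass rejects a program that hands a key-object reference to a byte-array instruction, which is the shape of a type-confusion bug. A VM that skips or mis-implements this check would execute that instruction on the wrong object, which is the "tunnel between cells".

```python
# Added illustration of load-time bytecode type checking on a toy stack machine.
# This is NOT Java Card bytecode: opcode names, operand types and the two
# sample applets below are constructed for this article.

INT = "int"
REF_BYTES = "ref:byte[]"   # reference to a byte array (e.g. an APDU buffer)
REF_KEY = "ref:Key"        # reference to a key object held in secure storage


class VerifyError(Exception):
    """Raised when a program would run an instruction on the wrong operand type."""


# opcode -> (types popped, bottom of stack first; types pushed)
OPCODES = {
    "sconst":    ([], [INT]),                   # push a short constant
    "sadd":      ([INT, INT], [INT]),           # integer add
    "new_bytes": ([INT], [REF_BYTES]),          # allocate a byte array of that length
    "new_key":   ([], [REF_KEY]),               # obtain a handle to a key object
    "baload":    ([REF_BYTES, INT], [INT]),     # read buf[index]
    "bastore":   ([REF_BYTES, INT, INT], []),   # buf[index] = value
    "key_use":   ([REF_KEY, REF_BYTES], []),    # apply the key to a buffer; key bytes stay opaque
    "return":    ([], []),
}


def verify(code, max_stack=8):
    """Abstractly execute `code`, tracking operand *types* only.

    Returns True for a well-formed applet or raises VerifyError naming the
    offending instruction and the type mismatch.
    """
    stack = []
    local_types = {}
    for pc, ins in enumerate(code):
        op, *args = ins
        if op == "astore":                      # pop any value into a typed local slot
            if not stack:
                raise VerifyError(f"pc {pc} {op}: stack underflow")
            local_types[args[0]] = stack.pop()
        elif op == "aload":                     # push the recorded type of a local slot
            if args[0] not in local_types:
                raise VerifyError(f"pc {pc} {op}: local {args[0]} is uninitialised")
            stack.append(local_types[args[0]])
        elif op in OPCODES:
            pops, pushes = OPCODES[op]
            if len(stack) < len(pops):
                raise VerifyError(f"pc {pc} {op}: stack underflow")
            actual = stack[len(stack) - len(pops):]
            for expected, found in zip(pops, actual):
                if expected != found:
                    raise VerifyError(
                        f"pc {pc} {op}: expected {expected} but found {found} (type confusion)")
            del stack[len(stack) - len(pops):]
            stack.extend(pushes)
        else:
            raise VerifyError(f"pc {pc}: unknown opcode {op!r}")
        if len(stack) > max_stack:
            raise VerifyError(f"pc {pc} {op}: operand stack overflow")
    if not code or code[-1][0] != "return":
        raise VerifyError("code does not end in return")
    if stack:
        raise VerifyError(f"operand stack not empty at return: {stack}")
    return True


def is_well_typed(code):
    """Convenience wrapper: (True, 'ok') or (False, reason)."""
    try:
        verify(code)
        return True, "ok"
    except VerifyError as e:
        return False, str(e)


# A well-typed applet: fill a buffer, then hand it to a key object.
GOOD_APPLET = [
    ("sconst", 16), ("new_bytes",), ("astore", 0),              # local0 = new byte[16]
    ("new_key",), ("astore", 1),                                 # local1 = key handle
    ("aload", 0), ("sconst", 0), ("sconst", 7), ("bastore",),    # local0[0] = 7
    ("aload", 1), ("aload", 0), ("key_use",),                    # key.use(local0)
    ("return",),
]

# A type-confusing applet: treats the key handle as if it were a byte array,
# i.e. tries to read material that the runtime is supposed to keep opaque.
CONFUSED_APPLET = [
    ("new_key",), ("astore", 0),
    ("aload", 0), ("sconst", 0), ("baload",),                    # "local0[0]" on a Key reference
    ("return",),
]

if __name__ == "__main__":
    for name, applet in (("good", GOOD_APPLET), ("confused", CONFUSED_APPLET)):
        print(name, is_well_typed(applet))
```

The verifier never looks at actual values, only at types, which is why it can run once at load time and cost nothing afterwards; it is also why a single bug in the runtime that lets one instruction through with the wrong operand type undoes the whole isolation model.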
From Physical Access to Global Threat
The attack starts with brief physical access to the device. The hacker extracts test profile keys from the eUICC chip, then uses those keys to download eSIM profiles from mobile operators in plain text. Yes, you read that right. Plain text. No encryption.
Once they have the keys, they can install malicious Java Card applets over the air, no physical access needed anymore. These applets can intercept all communications, create undetectable backdoors, or even permanently damage the eSIM chip. During testing, researchers bricked five chips just experimenting with the exploit.
The truly alarming part? They demonstrated this by cloning an Orange Poland eSIM onto two different Samsung phones. When the second phone turned on, all calls and SMS messages started routing there instead of the original device. The legitimate user had no idea their identity was hijacked. No notifications, no warnings, nothing.
Why This Affects Everyone, Not Just Orange Poland
You might think, "I do not use Orange Poland, so I am safe." Unfortunately, that is not how this works.
The researchers used the compromised Kigen certificate to download decrypted eSIM profiles for multiple major operators: AT&T, Vodafone, O2, Bouygues Telecom, DTAC, China Mobile, CMHK, and T-Mobile. The vulnerability is not in the carrier networks. It is in the eSIM hardware and software architecture itself.
Kigen has patched their specific eSIM OS version (ECu10.13) with over-the-air updates, but here is the kicker: Java Card technology underpins eSIMs from many vendors, not just Kigen. Thales, IDEMIA, NXP, and others all use similar architectures. As researcher Adam Gowdiak noted, "I would lean towards all of them being vulnerable."
The GSMA has updated their TS.48 specification to version 7.0, restricting test profile usage and adding security measures. But billions of devices worldwide remain unpatched, and legacy hardware cannot always be fixed remotely.
The Real-World Dangers You Need to Know
Let us talk about what this actually means for your daily life:
Identity Hijacking: Attackers can clone your eSIM and receive all your calls and texts, including those precious OTP codes for banking and email. Gmail, banking apps, crypto wallets, everything that relies on SMS verification becomes vulnerable.
Undetectable Surveillance: Because the cloned eSIM works simultaneously with the original (networks often do not detect duplicates), attackers can monitor communications for extended periods without raising flags. No suspicious login alerts, no blocked accounts, just silent eavesdropping.
Permanent Device Damage: The same exploit that enables cloning can also brick your eSIM permanently. Five chips were destroyed during research testing. Imagine your phone suddenly unable to connect to any network, with no way to fix it.
Supply Chain Nightmares: For businesses using eSIM-enabled IoT devices, fleet management systems, or industrial sensors, this creates massive supply chain risks. One compromised chip at the manufacturing level could backdoor thousands of devices.
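A cloned profile presents the same credentials as the original, so the subscriber may see nothing at all. The signal that does exist is on the carrier side: one subscription registering from two different handsets at the same time. The following added example, written for this article and not taken from any operator, vendor or the research described above, runs that concurrent-registration check over a few constructed attach/detach log lines (the line format, the IMSI/IMEI values and the cell names are all assumptions made for the example).

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed attach/detach records. The format, identifiers and cell names are
# invented for this example and are not from any operator's systems.
SAMPLE_LOG = """\
2025-07-01T08:00:01Z ATTACH imsi=260039999900001 imei=350000000000001 cell=WAW-0412
2025-07-01T08:05:14Z ATTACH imsi=260039999900002 imei=350000000000002 cell=WAW-0412
2025-07-01T08:20:40Z DETACH imsi=260039999900002 imei=350000000000002 cell=WAW-0412
2025-07-01T09:13:00Z ATTACH imsi=260039999900001 imei=350000000000099 cell=GDN-0078
2025-07-01T08:21:02Z ATTACH imsi=260039999900002 imei=350000000000002 cell=KRK-0101
2025-07-01T09:12:33Z ATTACH imsi=260039999900001 imei=350000000000099 cell=GDN-0077
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>ATTACH|DETACH) imsi=(?P<imsi>\d+) "
    r"imei=(?P<imei>\d+) cell=(?P<cell>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts, skipping malformed lines, sorted by time."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # a bad line should not stall the whole detection run
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    events.sort(key=lambda e: e["ts"])  # records can arrive out of order
    return events


def detect_concurrent_registrations(text):
    """Alert when a subscription attaches from a new handset while another
    handset with the same IMSI is still attached (no DETACH seen)."""
    active = defaultdict(set)  # imsi -> IMEIs currently attached
    alerts = []
    for e in parse_log(text):
        imsi, imei = e["imsi"], e["imei"]
        if e["event"] == "DETACH":
            active[imsi].discard(imei)
            continue
        # Re-attach from the same handset (handover, travel) is normal;
        # a second, different handset joining an active session is not.
        if imei not in active[imsi] and active[imsi]:
            alerts.append({
                "time": e["ts"].isoformat(),
                "imsi": imsi,
                "new_imei": imei,
                "cell": e["cell"],
                "existing_imeis": sorted(active[imsi]),
            })
        active[imsi].add(imei)
    return alerts


if __name__ == "__main__":
    for alert in detect_concurrent_registrations(SAMPLE_LOG):
        print(alert)
```

In the sample, subscriber ...002 detaches and re-attaches from the same handset in another cell and is left alone, while subscriber ...001 gets a second handset attached without ever detaching the first, which is exactly the simultaneous-use pattern the article describes. A production rule would add a grace window for missed DETACH messages and tie the alert to the operator's fraud workflow; the logic here is the core of it.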
Why Did This Take So Long to Fix?
Here is where it gets frustrating. The Java Card vulnerabilities exploited in this attack were first disclosed back in 2019. Security researchers found type confusion and memory safety flaws in Oracle's Java Card implementation, but Oracle downplayed the issue as "not applicable" and never fully patched it.
For six years, these flaws sat dormant in certified, production-grade eSIMs. The mobile industry assumed that GSMA certification and EAL4+ security ratings meant these chips were fortress-like. But certification tests focus on static compliance, not real-world attack scenarios involving voltage glitching, electromagnetic fault injection, or sophisticated side-channel analysis.
It took a motivated researcher with physical access and technical expertise to prove what should have been obvious: theoretical vulnerabilities eventually become practical exploits. And when they do, billions of devices pay the price.
How to Protect Yourself Right Now
While you cannot single-handedly fix the global eSIM ecosystem, you can take steps to reduce your personal risk:
Check for Updates: Ensure your device firmware and carrier settings are current. Kigen and other vendors have issued OTA patches, but you need the latest OS version to receive them.
Enable App-Based 2FA: Move away from SMS-based two-factor authentication wherever possible. Use authenticator apps like Google Authenticator, Authy, or hardware security keys for critical accounts. This removes the SMS interception attack vector entirely.
Monitor Your Connections: If your phone suddenly shows "No Service" or you stop receiving expected calls and texts, contact your carrier immediately. This could indicate a cloned SIM hijacking your identity.
Be Skeptical of Urgency: Social engineering attacks often precede technical exploits. If someone calls claiming to be your carrier and pressures you to "verify" your eSIM or install an update, hang up and call your provider directly through official channels.
Consider Physical Security: For high-risk individuals (journalists, activists, executives), physical device access by sophisticated attackers is a real threat. Use tamper-evident cases and maintain physical control of your devices, especially when traveling.
Audit IoT Deployments: If you manage eSIM-enabled IoT devices for business, demand security attestations from your vendors. Ask specifically about Java Card VM versions, bytecode verification implementation, and post-certification security updates.
The Bigger Picture: eSIM Sovereignty and Trust
This incident exposes a fundamental problem with how we approach digital identity security. We have built massive global infrastructure on the assumption that certified components are secure components. But certification without continuous runtime verification creates blind spots exactly where attackers love to hide.
The concept of "eSIM sovereignty" is emerging as a response. Sovereign security architectures demand that identity controls remain under user or organizational control, not delegated entirely to vendor certification chains. Hardware security modules (HSMs), out-of-band verification, and field attestation protocols offer paths forward, but they require industry-wide adoption.
For now, the harsh reality is this: eSIM technology offers genuine convenience benefits, but the security promises were oversold. The embedded nature of eSIMs makes them harder to steal than physical SIMs, yes, but once compromised, they are far harder to detect and remediate.
Looking Ahead: Can We Trust eSIM Again?
The mobile industry is responding, albeit slowly. The GSMA has deprecated vulnerable test profile specifications. Vendors are implementing stricter bytecode verification and removing default cryptographic keys from production devices. Quantum-resistant cryptography is being explored for future eSIM generations.
But trust takes years to build and moments to break. For the 600 million eSIM connections active today, and the projected 75% of all smartphone activations by 2030, the stakes could not be higher.
As a user, your best defense is awareness. Understand that convenience and security exist in tension. Ask questions about the eSIM providers you use, especially when traveling. Demand transparency from carriers about their security practices. And never assume that because something is "digital" or "certified," it is automatically safe.
The Kigen breach is not the end of eSIM technology, but it is a necessary wake-up call. The future of mobile connectivity is still digital, still embedded, but now it must also be verifiably secure. Not just certified secure, not theoretically secure, but tested-against-real-attackers secure.
That future is possible, but only if we stop taking security assurances at face value and start demanding the transparency and accountability that digital identity deserves.