Subj : A major security flaw in top eSIM system could put billions of de
To : All
From : TechnologyDaily
Date : Mon Jul 14 2025 16:15:07

A major security flaw in top eSIM system could put billions of devices at risk - here's what we know

Date: Mon, 14 Jul 2025 15:04:00 +0000

Description: An eSIM system used in more than two billion devices was flawed in a way which allowed crooks to intercept or manipulate communications.

FULL STORY
======================================================================

A test eSIM profile used by billions of devices carried a major flaw
It allowed malicious actors with physical access to deploy applets
A patch is now available, so users should upgrade now

Security researchers have discovered a vulnerability in eSIM technology used in virtually all smartphones and many other internet-connected, smart devices. In theory, the flaw could have been abused to intercept or manipulate communications, extract sensitive data, inject malicious applets, and more.

More than two billion eSIM-enabled devices could potentially be impacted by this flaw, including smartphones, tablets, wearables, and countless IoT devices that rely on Kigen's eUICC technology.

Updating the bug

The bug allowed anyone with physical access to the compromised device to install custom programs - applets - without proving they weren't malicious.

Found by Security Explorations, a research lab of AG Security Research, the bug was in the GSMA TS.48 Generic Test Profile (v6.0 and earlier), a standardized eSIM profile that supports device testing and certifications, especially for devices with non-removable embedded SIMs (eUICCs). In other words, it was discovered in a test version of a SIM card, used just for checking if the device worked properly or not.
Kigen has released a patch to mitigate the issue, and the GSMA TS.48 v7.0 specification is the first clean version. The company says the patch has already been distributed to all customers.

The silver lining here is that the bug was not that easy, or straightforward, to exploit. Besides having physical access to the device or eUICC, the attacker would also need a way to trigger test mode activation. Furthermore, the device would need to use unprotected, legacy test profiles, with RAM keys still intact.

Kigen's patch and the GSMA TS.48 v7.0 update now block RAM key access in test profiles by default, prohibit JavaCard applet installation altogether on test-mode profiles, randomize keysets for future RAM-enabled testing, and harden OS security against unauthorized remote loading. An attack should now be virtually impossible to execute.

Security Explorations was subsequently awarded $30,000 for its troubles.

Via The Hacker News

======================================================================
Link to news story:
https://www.techradar.com/pro/security/a-major-security-flaw-in-top-esim-system-could-put-billions-of-devices-at-risk-heres-what-we-know

--- Mystic BBS v1.12 A47 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)