“What if the very technology designed to secure our connected devices became the gateway for attackers?” This unsettling question lies at the heart of a newly uncovered vulnerability in eSIM technology, specifically targeting the Kigen eUICC card—a cornerstone for billions of Internet of Things (IoT) devices worldwide. As our smartphones, smartwatches, and myriad IoT gadgets increasingly rely on embedded SIMs (eSIMs) for seamless connectivity, the revelation that this system harbors exploitable flaws demands close scrutiny from users, industry leaders, and policymakers alike.
Embedded SIM technology, or eSIM, is a paradigm shift from traditional physical SIM cards. Instead of swapping out hardware, eSIMs allow remote provisioning and management of mobile network subscriptions, enhancing flexibility and streamlining device manufacturing. At the heart of this technology lies the eUICC (embedded Universal Integrated Circuit Card), the secure element responsible for managing multiple network profiles. Kigen, an Irish company specializing in eSIM and eUICC technology, has claimed that more than two billion SIMs in IoT devices had been enabled through its platform as of December 2020. This scale underscores the critical importance of the technology—and the potential scale of any vulnerability.

In recent findings presented by Security Explorations, a cybersecurity research lab known for its rigorous analyses, a previously unknown hacking technique was unveiled that exploits security weaknesses in the Kigen eUICC card. Though technical details are complex, the crux of the matter is that malicious actors could remotely manipulate eSIM profiles, enabling them to intercept communications, redirect data traffic, or even disable devices altogether. Such an exploit opens a Pandora’s box of risks, not just for individual users, but for the vast ecosystems of IoT devices that underpin smart cities, industrial control systems, and critical infrastructure.
The implications of this discovery are profound. With billions of IoT devices relying on Kigen’s eUICC technology—from connected cars and medical devices to smart meters and industrial sensors—the threat landscape broadens significantly. As Dr. Robert Lipovsky, head of research at Security Explorations, warns, “Our findings indicate that an attacker exploiting these vulnerabilities could gain unprecedented control over devices that form the backbone of modern infrastructure.”
Technologists face a stark dilemma. On one hand, eSIM technology represents a crucial advancement toward more secure and manageable device connectivity. On the other, the newly exposed flaws highlight inherent risks in the architecture that must be addressed swiftly and transparently. Industry response has been cautiously optimistic. A spokesperson from Kigen stated, “We take these findings seriously and are actively working with Security Explorations to validate and remediate the reported issues.” Meanwhile, mobile network operators and device manufacturers must now reconsider their risk assessments and update their security protocols accordingly.
From a policy perspective, the vulnerability underscores the urgent need for regulatory frameworks that enforce rigorous cybersecurity standards for embedded technologies. As the Internet of Things expands, so too does the attack surface available to cybercriminals and state-sponsored hackers. Governments have begun to take note; the European Union’s recent directives on cybersecurity certification for digital products could serve as a template to mitigate such risks globally.
Users, meanwhile, remain the most vulnerable link. Unlike traditional software updates, eSIM vulnerabilities can be challenging to detect and patch. Consumers relying on connected devices may unknowingly expose themselves to data breaches or service disruptions. Awareness and advocacy for stronger security measures are essential in empowering users to demand safer technologies.
Adversaries—ranging from opportunistic hackers to sophisticated espionage actors—will likely view this exploit as a lucrative vector to gain footholds within critical networks. The integration of IoT devices in sectors such as healthcare, energy, and transportation makes the stakes all the higher. A successful attack could disrupt services, compromise sensitive data, or even endanger lives.
The emergence of these vulnerabilities in Kigen’s widely deployed eUICC cards forces the tech ecosystem to confront uncomfortable truths about the security trade-offs in the rush to connect everything. The question is not if such exploits will be patched, but how quickly and comprehensively the industry will respond to protect the billions of devices—and people—relying on this technology.
In an era when connectivity is currency, and convenience can come with hidden costs, what measures will we take to ensure that our digital foundations remain secure? The discovery of the eSIM flaw serves as a sobering reminder: in the quest for innovation, security cannot be an afterthought—it must be embedded deeply, just like the technology it protects.




