eSIM CVSS 9.1 vulnerability: what Layer 3 signaling reveals about cloning and interception risks

There has been a lot of discussion about eSIM security lately, and I wanted to share some field observations.

A critical vulnerability (CVSS 9.1) affecting eSIM provisioning has been documented, enabling SIM cloning and call interception through Java Card applet exploitation. The attack targets the SM-DP+ to eUICC communication channel.

From a field diagnostic perspective, here is what we look for in the L3 signaling:

  • Attach Request anomalies: duplicate IMSI registrations from different TACs
  • Authentication failures: unusual Auth Reject / Auth Failure sequences
  • NAS Security Mode patterns: downgrade attempts from EA2 to EA0
  • Location Update frequency: abnormal TAU patterns suggesting IMSI catcher presence
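To make the four indicators above concrete, here is a small detector that runs them over NAS event logs. This is an added example, not code from the original post or from the analysis it links: the event format (one dict per NAS message with `ts`, `imsi`, `msg`, and `tac` / `ciphering` fields) and the sample events, IMSIs, TACs and thresholds are all assumptions constructed for illustration.

```python
"""Detectors for the Layer 3 (NAS) signaling indicators listed above.

Added example; the log schema and all sample values are assumed/constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample NAS events (hypothetical IMSIs, TACs and timestamps).
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00", "imsi": "001010000000001", "msg": "ATTACH_REQUEST", "tac": "0x1A2B"},
    {"ts": "2024-01-01T10:00:01", "imsi": "001010000000001", "msg": "SECURITY_MODE_COMMAND", "ciphering": "EA2"},
    # same IMSI attaches again two minutes later from a different TAC
    {"ts": "2024-01-01T10:02:00", "imsi": "001010000000001", "msg": "ATTACH_REQUEST", "tac": "0x9F00"},
    # null ciphering selected after EA2 had already been negotiated
    {"ts": "2024-01-01T10:02:01", "imsi": "001010000000001", "msg": "SECURITY_MODE_COMMAND", "ciphering": "EA0"},
    {"ts": "2024-01-01T10:03:00", "imsi": "001010000000002", "msg": "AUTHENTICATION_FAILURE"},
    {"ts": "2024-01-01T10:03:02", "imsi": "001010000000002", "msg": "AUTHENTICATION_REJECT"},
    {"ts": "2024-01-01T10:03:04", "imsi": "001010000000002", "msg": "AUTHENTICATION_FAILURE"},
    {"ts": "2024-01-01T10:05:00", "imsi": "001010000000003", "msg": "TRACKING_AREA_UPDATE_REQUEST", "tac": "0x1A2B"},
    {"ts": "2024-01-01T10:05:20", "imsi": "001010000000003", "msg": "TRACKING_AREA_UPDATE_REQUEST", "tac": "0x1A2B"},
    {"ts": "2024-01-01T10:05:40", "imsi": "001010000000003", "msg": "TRACKING_AREA_UPDATE_REQUEST", "tac": "0x1A2B"},
    {"ts": "2024-01-01T10:06:00", "imsi": "001010000000003", "msg": "TRACKING_AREA_UPDATE_REQUEST", "tac": "0x1A2B"},
    # benign subscriber: single attach, EA2 kept
    {"ts": "2024-01-01T10:30:00", "imsi": "001010000000004", "msg": "ATTACH_REQUEST", "tac": "0x1A2B"},
    {"ts": "2024-01-01T10:30:01", "imsi": "001010000000004", "msg": "SECURITY_MODE_COMMAND", "ciphering": "EA2"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _has_burst(times, threshold, window):
    """True if `threshold` timestamps fall inside any sliding `window`."""
    times = sorted(times)
    for i in range(len(times) - threshold + 1):
        if times[i + threshold - 1] - times[i] <= window:
            return True
    return False


def duplicate_imsi_registrations(events, window=timedelta(minutes=10)):
    """Indicator 1: IMSIs that send Attach Requests from more than one TAC inside `window`."""
    by_imsi = defaultdict(list)
    for e in events:
        if e["msg"] == "ATTACH_REQUEST":
            by_imsi[e["imsi"]].append((_ts(e), e["tac"]))
    alerts = {}
    for imsi, attaches in by_imsi.items():
        attaches.sort()
        for i, (t_i, _) in enumerate(attaches):
            tacs = {tac for t, tac in attaches[i:] if t - t_i <= window}
            if len(tacs) > 1:
                alerts[imsi] = sorted(tacs)
                break
    return alerts


def auth_failure_bursts(events, threshold=3, window=timedelta(minutes=1)):
    """Indicator 2: IMSIs with `threshold` Auth Reject/Failure messages inside `window`."""
    by_imsi = defaultdict(list)
    for e in events:
        if e["msg"] in ("AUTHENTICATION_FAILURE", "AUTHENTICATION_REJECT"):
            by_imsi[e["imsi"]].append(_ts(e))
    return sorted(imsi for imsi, times in by_imsi.items() if _has_burst(times, threshold, window))


def nas_downgrades(events):
    """Indicator 3: Security Mode Commands selecting EA0 (null ciphering) for an IMSI that already had EA2."""
    last_cipher = {}
    flagged = []
    for e in sorted(events, key=_ts):
        if e["msg"] != "SECURITY_MODE_COMMAND":
            continue
        if last_cipher.get(e["imsi"]) == "EA2" and e["ciphering"] == "EA0":
            flagged.append((e["imsi"], e["ts"]))
        last_cipher[e["imsi"]] = e["ciphering"]
    return flagged


def abnormal_tau_rate(events, threshold=4, window=timedelta(minutes=2)):
    """Indicator 4: IMSIs sending `threshold` TAU requests inside `window`."""
    by_imsi = defaultdict(list)
    for e in events:
        if e["msg"] == "TRACKING_AREA_UPDATE_REQUEST":
            by_imsi[e["imsi"]].append(_ts(e))
    return sorted(imsi for imsi, times in by_imsi.items() if _has_burst(times, threshold, window))


def run_all(events):
    """Run every indicator and return one dict of findings for triage."""
    return {
        "duplicate_imsi": duplicate_imsi_registrations(events),
        "auth_failure_bursts": auth_failure_bursts(events),
        "nas_downgrades": nas_downgrades(events),
        "abnormal_tau": abnormal_tau_rate(events),
    }


if __name__ == "__main__":
    for name, finding in run_all(SAMPLE_EVENTS).items():
        print(f"{name}: {finding}")
```

The thresholds and windows are deliberately parameters: what counts as an "abnormal" TAU rate or an auth-failure burst depends on the cell layout and subscriber mix, so tune them against a baseline capture before alerting on them. The downgrade check only flags EA0 after a stronger algorithm was already negotiated for that IMSI, which keeps legitimate null-cipher cases (such as emergency attach) from tripping it on their own.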

The practical impact is real: an attacker with physical proximity can clone an eSIM profile, intercept SMS-based 2FA, and redirect calls.

We published a detailed technical analysis covering the signaling indicators and field detection methodology: eSIM Vulnerability CVSS 9.1: Cloning, Interception, and What Signal...

For those working on network security audits: what countermeasures are your operators implementing at the core network level? Are you seeing SUPI/SUCI enforcement in 5G SA deployments?