Global cyber threat: Nigerians warned of eSIM vulnerability

The National Information Technology Development Agency (NITDA) has issued a public alert over a newly discovered critical security vulnerability in embedded SIM (eSIM) cards.

The flaw is being exploited by attackers to potentially hijack phone numbers or subscriber data, intercept communications, and deploy malicious applets.

The vulnerability affects more than two billion devices globally and poses significant risks to communication security.

In a statement on Friday, NITDA warned that the flaw could expose billions of smartphones, tablets, wearables, and Internet of Things (IoT) devices to large-scale cyberattacks.

According to the agency, the flaw originates from the use of the GSMA TS 48 Generic Test Profile (versions 6.0 and earlier), which is widely applied in radio compliance testing of eUICC (Embedded Universal Integrated Circuit Card) chips.

NITDA explained that if exploited, attackers could gain physical or remote access to targeted devices, install malicious applets, extract sensitive cryptographic keys, and even clone eSIM profiles.

This could enable widespread interception of communications, persistent device control, and the deployment of hidden backdoors at the SIM card level.

eSIM, or embedded SIM, is a digital SIM that enables customers to access the same functionality as a physical SIM card.

It is considered the next stage in the evolution of Subscriber Identity Modules, offering users more flexibility since it is already built into smartphones, devices, or wearables without requiring manual insertion.

To mitigate the risks, NITDA urged device manufacturers and service providers to immediately apply Kigen OS patches via over-the-air (OTA) updates to restore the integrity of affected eUICCs.

The agency also advised stakeholders to adopt the latest GSMA TS 48 version 7.0 standard and remove all legacy test profiles that could expose devices to malicious installations.

NITDA stressed that swift action is critical to closing exploitation pathways, enforcing updated security controls, and protecting users from what may become one of the most far-reaching cybersecurity threats in recent years.

The eSIM journey in Nigeria began in 2020 when the Nigerian Communications Commission (NCC) approved MTN and 9mobile to conduct a trial of the technology. The trial, which involved 5,000 eSIMs, lasted one year under regulatory supervision.

MTN and 9mobile later became the first operators to launch eSIM services in Nigeria, allowing customers with compatible devices to switch from physical SIMs. In January 2023, Airtel also introduced its eSIM service.

At present, there is no publicly available figure on the number of Nigerians using eSIM technology.