A critical security vulnerability has been discovered in embedded SIM (eSIM) cards, potentially allowing attackers to hijack phone numbers, intercept communications, and deploy malicious applets. The National Information Technology Development Agency (NITDA) has issued a public alert, warning that the flaw affects over 2 billion devices globally, posing significant risks to communications security.
According to NITDA, the vulnerability originates from the use of the GSMA TS.48 Generic Test Profile (versions 6.0 and earlier) in radio compliance testing of eUICC (Embedded Universal Integrated Circuit Card) chips. If exploited, attackers could gain physical or remote access to targeted devices, enabling them to install malicious applets, extract sensitive cryptographic keys, and even clone eSIM profiles. This could lead to widespread interception of communications, persistent device control, and the deployment of stealth backdoors at the SIM card level.
eSIM, or embedded SIM, is a digital SIM that gives customers the same functionality as a physical SIM. It is seen as the next step in the evolution of Subscriber Identity Modules (SIM cards), designed to deliver unprecedented freedom and flexibility. Unlike physical SIMs, users do not need to insert an eSIM into their phone, as it is already built into the smartphone, device, or wearable.
To mitigate the risks, device manufacturers and service providers have been urged to immediately apply Kigen OS patches via over-the-air (OTA) updates to restore the integrity of affected eUICCs. Additionally, stakeholders have been advised to adopt the latest GSMA TS.48 version 7.0 standard and remove all legacy test profiles that may expose devices to malicious applet installations. NITDA emphasized that swift action is critical to blocking exploitation paths, enforcing updated security controls, and safeguarding users from what could become one of the most far-reaching cybersecurity threats in recent years.
The use of eSIM technology has been gaining traction globally, with several countries adopting it as a convenient alternative to traditional SIM cards. In Nigeria, the eSIM journey started in 2020, with the Nigerian Communications Commission (NCC) approving MTN and 9mobile to commence a trial of the technology. The trial involved testing 5,000 eSIMs by the two networks, subject to compliance with regulatory conditions. Since then, Airtel has also launched its eSIM service, allowing customers with compatible phones to do away with physical SIMs. However, there is no publicly available figure on the number of Nigerians currently using eSIM.
As the world becomes increasingly reliant on digital technologies, cybersecurity threats like the eSIM vulnerability pose significant risks to individuals, organizations, and nations. It is essential for stakeholders to take swift and proactive measures to address these threats, ensuring the security and integrity of communications systems. By prioritizing cybersecurity and adopting best practices, we can mitigate the risks associated with emerging technologies like eSIM and create a safer, more secure digital landscape.