The National Information Technology Development Agency (NITDA) has issued a security alert over a newly discovered vulnerability in embedded SIM (eSIM) cards that could expose more than 2 billion devices worldwide to cyberattacks.
The flaw stems from the GSMA TS 48 Generic Test Profile, versions 6.0 and earlier, which is widely used in testing embedded Universal Integrated Circuit Card (eUICC) chips. NITDA warned that, if the flaw is exploited, attackers could gain physical or even remote access to devices, install malicious applets, extract cryptographic keys, or clone eSIM profiles.
“This vulnerability can allow interception of communications, persistent device control, and stealth backdoors at the SIM level,” the agency said.
NITDA urged manufacturers and service providers to immediately apply Kigen OS patches through over-the-air (OTA) updates and adopt the updated GSMA TS 48 version 7.0. It also advised the removal of outdated test profiles that may leave devices exposed.
The agency stressed that quick action is critical to closing exploitation paths and averting what could become one of the most far-reaching cybersecurity threats in recent years.
Nigeria introduced eSIM technology in 2020, when the Nigerian Communications Commission (NCC) approved trials by MTN and 9mobile. Airtel joined in 2023, giving Nigerian users with compatible devices the option to ditch physical SIM cards.
Unlike traditional SIMs, eSIMs are built directly into phones, tablets, wearables, and IoT devices, offering flexibility and eliminating the need for a physical card. While adoption numbers in Nigeria remain unclear, the new vulnerability underscores the risks tied to the growing shift toward embedded SIMs.