The National Information Technology Development Agency (NITDA) has issued a public alert regarding a newly discovered critical security vulnerability in embedded SIM (eSIM) cards. Attackers are now exploiting this flaw, potentially to hijack phone numbers, steal subscriber data, intercept communications, and deploy malicious software.

Affecting more than two billion devices globally, the vulnerability poses a significant risk to communications security worldwide, exposing smartphones, tablets, wearables, and Internet of Things (IoT) devices to large-scale cyberattacks.

According to the agency, the flaw originates from the use of an older industry standard, the GSMA TS.48 Generic Test Profile, in versions 6.0 and earlier. If exploited, attackers could gain physical or remote access to a device, enabling them to install malicious applets, extract sensitive cryptographic keys, and even clone eSIM profiles.

This could lead to the widespread interception of communications, persistent device control, and the installation of hidden backdoors at the SIM card level. To mitigate these risks, device manufacturers and service providers have been urged to immediately apply specific Kigen OS patches via over-the-air (OTA) updates to restore the integrity of affected chips.

The agency also advised stakeholders to adopt the latest GSMA TS.48 version 7.0 standard and remove all legacy test profiles that could expose devices to malicious installations. NITDA emphasised that swift action is critical to blocking exploitation paths and safeguarding users from what could become one of the most far-reaching cybersecurity threats in recent years.

eSIM technology, which is a digital SIM built directly into a device, began its rollout in Nigeria in 2020 following approval from the Nigerian Communications Commission (NCC). MTN and 9mobile (now T2) were the first operators to launch a trial, with Airtel launching its own eSIM service in January 2023. There is currently no publicly available figure on the number of Nigerians using eSIM technology.