
Cyberthreats: Nigeria alerts telecoms consumers to new eSIM vulnerability

*The Nigerian Government, through the National Information Technology Development Agency, warns telecoms consumers against the new flaw uncovered in embedded Subscriber Identity Module (eSIM) Cards, exposing billions of smartphones, tablets, wearables, and Internet of Things devices to large-scale cyberattacks

Alexander Davis

The Nigerian Government through the National Information Technology Development Agency (NITDA) has issued a public alert regarding a new critical security vulnerability in embedded Subscriber Identity Module (eSIM) Cards.

NITDA reported that the newly discovered security flaw in the eSIM is being exploited by cyberattackers to potentially hijack consumers’ phone numbers or subscriber data, intercept communications, and deploy malicious applets.

An eSIM, or embedded SIM, is a digital SIM that enables customers to access the same functionality as a physical SIM Card.

It is considered the next stage in the evolution of Subscriber Identity Modules, offering users more flexibility since it is already built into smartphones, devices, or wearables without requiring manual insertion.

How the flaw originated, by NITDA

The Information Technology (IT) sector regulatory agency also disclosed that the vulnerability had affected over two billion devices globally and posed significant risks to communication security.

NITDA warned consumers that the flaw could expose billions of smartphones, tablets, wearables, and Internet of Things (IoT) devices to large-scale cyberattacks.

The flaw, the agency noted, originates from the use of the GSMA TS 48 Generic Test Profile (versions 6.0 and earlier), which is widely applied in radio compliance testing of eUICC (Embedded Universal Integrated Circuit Card) chips.

The statement further explained that if exploited, attackers could gain physical or remote access to targeted devices, install malicious applets, extract sensitive cryptographic keys, and even clone eSIM profiles.

According to NITDA, this development could result in widespread interception of communications, persistent device control, and the deployment of hidden backdoors at the SIM Card level.

Evolution of eSIM in Nigeria

eSIM adoption in Nigeria began in 2020, when the Nigerian Communications Commission (NCC) approved MTN Nigeria Communications Plc and 9mobile, now known as T2, to conduct a trial of the technology in the telecoms space.

The trial, which involved 5,000 eSIMs, lasted a year under the NCC’s regulatory supervision.

Following the trial period, MTN Nigeria and 9mobile became the first network operators to launch eSIM services in the West African country, thereby allowing telecoms consumers with compatible mobile devices to switch from physical SIMs to eSIMs.

Airtel Networks also introduced its eSIM service to consumers in January 2023.

There is no publicly available figure on the number of consumers using eSIM technology in Nigeria, according to reports.

Measures to protect from eSIM vulnerability

NITDA said that, to minimise the identified risks, device manufacturers and service providers are urged to immediately apply Kigen OS patches via Over-The-Air (OTA) updates to restore the integrity of affected eUICCs.

The Nigerian IT regulatory agency also encouraged industry stakeholders to adopt the latest GSMA TS 48 version 7.0 standard, and remove all legacy test profiles that could expose devices to malicious installations in the ecosystem.

According to NITDA, swift action is critical to closing exploitation pathways, enforcing updated security controls, and protecting users from what may become one of the most far-reaching cybersecurity threats in recent years.
