
The National Information Technology Development Agency (NITDA) has issued a security alert over a newly discovered vulnerability in embedded SIM (eSIM) technology that could put billions of devices worldwide at risk of cyberattacks.

The agency said the flaw arises from the GSMA TS.48 Generic Test Profile, versions 6.0 and earlier, which are widely used in radio compliance testing of eUICC (Embedded Universal Integrated Circuit Card) chips. This vulnerability, according to NITDA, affects more than two billion smartphones, tablets, wearable devices, and Internet of Things (IoT) systems.

If exploited, attackers could potentially install malicious applets on devices, extract cryptographic keys, or even clone eSIM profiles, opening the door to large-scale surveillance, persistent remote access, and stealth backdoors at the SIM card level.

To curb the threat, NITDA has advised device manufacturers and service providers to urgently apply security patches, specifically the Kigen OS updates, via over-the-air (OTA) mechanisms. It also urged operators to adopt the GSMA TS.48 version 7.0 standard and retire legacy profiles vulnerable to compromise.

The agency warned that timely intervention is critical, describing the flaw as one of the most far-reaching cybersecurity risks in recent years.

Nigeria’s eSIM adoption began in 2020 when the Nigerian Communications Commission (NCC) approved MTN and 9mobile to conduct a year-long trial involving 5,000 users. Both operators later became the first to roll out commercial eSIM services, before Airtel joined in 2023. While the technology allows subscribers with compatible devices to do away with physical SIM cards, there are currently no official figures on the number of active eSIM users in Nigeria.

Cybersecurity analysts say the newly discovered flaw highlights the urgency of implementing proactive safeguards as Nigeria deepens its reliance on digital mobile infrastructure.