The Quantum Clock is ticking - Securing eSIM device communications for the future
Quantum computing often feels like science fiction, a technology perpetually on the horizon. While most experts agree that quantum computers powerful enough to break today’s standard encryption are still 10 to 15 years away, the security industry isn't waiting.
Here is why we are acting now.
If quantum computers are a decade away, why is there urgency today?
The urgency stems from a specific strategy used by attackers known as "Harvest Now, Decrypt Later" (HNDL).
Even though hackers cannot break current encryption yet, they can intercept and store that data today. They are "harvesting" this information, simply waiting for the day quantum computers become available to decipher it.
This creates a dormant threat. Data that will still be sensitive in 10 or 15 years - like long-term identity credentials or private communications - is already at risk. We have to ensure that data captured today remains unreadable tomorrow, even by a quantum computer.
How does this specific risk apply to eSIM technology?
The danger lies in the Profile Package Download, the digital delivery of your mobile identity. If we do not secure this download with Post-Quantum Cryptography (PQC) today, we face two cascading risks.
First, the master keys are at stake. The profile package contains the "crown jewels" of mobile security. If an attacker records the download today and cracks it with a quantum computer later, they obtain the keys. The result? They can impersonate you on the network and intercept your calls forever.
Second, this leads to retroactive exposure. Attackers are likely already storing encrypted voice and data conversations. Once they have those keys, they can "reach back in time" to decrypt every historical conversation they’ve ever recorded from that user. Securing the download path now is the only way to stop this chain reaction.
What is Thales doing right now to mitigate this?
We aren’t waiting for the future to arrive. With our latest Remote SIM Provisioning (RSP) update, we are taking the first concrete step toward quantum-resistant connectivity.
We are introducing Hybrid Post-Quantum Cryptography to the secure "tunnel" used to transmit data over the internet. This "hybrid" approach combines today’s proven security standards with next-generation, quantum-safe mathematics. We are also significantly increasing the length of the encryption keys we use, making them exponentially harder to crack.
What is the immediate benefit of this update?
It effectively neutralises the "Harvest Now" threat on the open internet.
Once device providers update the LPA (the software inside the phone that manages eSIM profiles) to be PQC compliant, any profile downloaded from a Thales platform becomes resistant to future quantum decryption.
Crucially, this protection applies regardless of the current eSIM generation. We can protect the transport of data to your current devices immediately, without needing to replace the hardware inside them.
Is the job finished, or is there more to do?
This is a significant first step, but the journey continues.
While we have secured the transmission over the internet, the ultimate goal is End-to-End protection. We need to prevent sophisticated attacks where malicious software might be listening directly on the device itself, rather than just on the network.
Achieving this requires a new industry-wide alignment. Thales is currently leading efforts among RSP platform providers, OEMs and eSIM makers to update the global specifications (the GSMA SGP.22 standard).
This work is essential across the entire mobile landscape, whether for consumer devices (smartphones, wearables) holding personal data or for IoT deployments such as smart meters that rely on devices remaining in the field for 15+ years. Trust is built on foresight. By addressing the quantum threat today, we are ensuring the connections of the future remain secure.