Convenience comes at a cost! Revealing four hidden vulnerabilities of eSIM: privacy exposure, surveillance risks emerge

eSIM technology is accelerating the replacement of physical cards, but the convenient remote management architecture hides multiple risks. Studies have found that during cross-border roaming, user data flows to specific foreign legal jurisdictions.

The Rise of eSIM Technology and Architectural Risks

Mobile communication technology is entering the deep waters of digital transformation, and traditional physical SIM cards are rapidly exiting the stage. According to GSMA forecasts, by 2028, 50% of smartphones worldwide will fully support eSIM technology.

This transformation peaked after the launch of the “eSIM Only” version of the iPhone 14 in the U.S. market. The core advantage of eSIM (Embedded Subscriber Identity Module) lies in remote management (Remote SIM Provisioning, RSP), allowing users to switch telecom plans by scanning a QR code or downloading an app. However, behind this convenience lie profound architectural risks.

A research report from Northeastern University points out that eSIM design amplifies the risks associated with traditional SIM cards, and the introduction of complex remote management processes and third-party agents with low transparency opens up new attack surfaces. Identity verification shifts from physical chips to digital workflows, challenging users’ control over their communication security.

The Cross-Border Trap of Data Roaming: Revealing Data Flow and Jurisdiction Exposure

In-depth surveys of the travel eSIM market show that user data is often directed to specific foreign legal jurisdictions without users’ knowledge. Most travel eSIM providers adopt a “Home-Routed Roaming” (HRR) architecture. Even when users are in the U.S. and attached to a local telecom network, all network traffic, web browsing records, and app usage data are re-encapsulated and sent back to the eSIM provider’s “home network” for processing.

Experiments demonstrate that when using services from Holafly, headquartered in Europe, even within the U.S., data still flows through China Mobile’s infrastructure, causing the device’s public IP address to be geolocated as China.

Image source: USENIX, detailed information on IP addresses, geolocation, and ISPs of various eSIM providers

This mechanism grants foreign operators the ability to monitor users’ online activities. Although some regions have privacy laws like GDPR that restrict data processing, the complex technical chain of cross-border roaming still leaves regulatory enforcement in gray areas, exposing users to potential overseas surveillance risks.

Privacy on the Run? Silent Communications and Unauthorized Monitoring

The entry barrier to the eSIM market is extremely low, with many unregulated resellers emerging. Researchers found that by registering as an agent, they could easily access highly sensitive user backend data with just an email and credit card.

On reseller dashboards of platforms like Telnyx, resellers can monitor in real-time the activation status and data usage of users’ eSIMs, and even obtain device location data based on cell tower positioning. Some resellers have permissions to “assign fixed public IPs” and “send binary SMS,” enabling malicious third parties to bypass device protections and send malicious payloads or establish command channels directly to phones.

Furthermore, hardware monitoring with tools like sysmoEUICC1 reveals that services like eSIM Access initiate “Proactive Communication” in the background. Without any app running or user operation, the eSIM silently exchanges data with servers in Singapore or Hong Kong. Because this activity is driven by the SIM Application Toolkit (STK), it takes place below the level of the phone’s operating system and poses a threat to users’ mobile devices.

From Faulty Deletion Mechanisms to DoS Attacks

eSIM lifecycle management requires tight synchronization between devices, eUICC hardware, and SM-DP+ servers. Experimental data shows that this digital process is extremely fragile under certain conditions.

The most common vulnerability occurs during “offline deletion.” When users delete an eSIM profile without an internet connection (e.g., with Wi-Fi disabled or in a signal dead zone), the device cannot send the status update to the remote server. If the server still considers the profile “installed,” even rescanning the original QR code will fail with a “reinstallation” error, leaving the user without service (a denial-of-service, DoS).

This deadlock typically requires manual intervention from the telecom provider to resolve. Additionally, some providers may exploit storage limits by installing abnormally large profiles to exhaust hardware capacity, preventing users from installing competing services. Regulators should require telecom companies to implement multi-factor authentication (MFA) to prevent SIM swapping attacks and establish transparent digital management standards to safeguard users’ communication sovereignty.
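The offline-deletion deadlock described above is a state-synchronization failure between two parties. The following Python simulation is an added example, not code from the article or from the USENIX study, and it models the protocol only at the level the article describes: a device (eUICC plus local profile assistant) that tracks installed profiles, and an SM-DP+ server that rejects a download for a profile it still believes is installed. The class names, the `matching_id` identifier, the "delete" notification event and the `reconcile_on_reconnect` switch are all hypothetical; the idea that a queued delete notification is delivered once the device is back online is shown as one possible mitigation, not as what any real provider does.

```python
"""Simulation of eSIM profile state drift between a device and an SM-DP+ server
after an offline deletion.  Constructed example; the classes and identifiers
below are hypothetical and do not model a real RSP implementation."""

from dataclasses import dataclass, field
from enum import Enum


class ProfileState(Enum):
    NOT_INSTALLED = "not_installed"
    INSTALLED = "installed"


class ReinstallError(Exception):
    """Server refused a download because it still records the profile as installed."""


@dataclass
class SMDPServer:
    """Hypothetical SM-DP+ view of each activation code (matching ID)."""
    profiles: dict = field(default_factory=dict)  # matching_id -> ProfileState

    def download(self, matching_id: str) -> None:
        # The server only knows what the device has told it; without a delete
        # notification it keeps treating the profile as installed.
        if self.profiles.get(matching_id) is ProfileState.INSTALLED:
            raise ReinstallError(f"{matching_id}: profile already installed")
        self.profiles[matching_id] = ProfileState.INSTALLED

    def handle_notification(self, matching_id: str, event: str) -> None:
        if event == "delete":
            self.profiles[matching_id] = ProfileState.NOT_INSTALLED


@dataclass
class Device:
    """Hypothetical eUICC/LPA: installed profiles plus notifications not yet sent."""
    server: SMDPServer
    online: bool = True
    installed: set = field(default_factory=set)
    pending_notifications: list = field(default_factory=list)

    def install(self, matching_id: str) -> None:
        if not self.online:
            raise ConnectionError("cannot download a profile while offline")
        self.server.download(matching_id)
        self.installed.add(matching_id)

    def delete(self, matching_id: str) -> None:
        # Local deletion always succeeds; the server is told only if we are online.
        self.installed.discard(matching_id)
        self.pending_notifications.append((matching_id, "delete"))
        self.flush_notifications()

    def flush_notifications(self) -> int:
        """Deliver queued notifications; returns how many were sent."""
        if not self.online:
            return 0
        sent = 0
        while self.pending_notifications:
            matching_id, event = self.pending_notifications.pop(0)
            self.server.handle_notification(matching_id, event)
            sent += 1
        return sent


def detect_drift(device: Device, server: SMDPServer) -> set:
    """Matching IDs the server records as installed but the device no longer has.
    This is the condition that makes a rescan of the original QR code fail."""
    return {
        mid for mid, state in server.profiles.items()
        if state is ProfileState.INSTALLED and mid not in device.installed
    }


def scenario(reconcile_on_reconnect: bool) -> str:
    """Delete a profile offline, go back online, rescan the same QR code.
    Returns "dos" when the retry is rejected and "reinstalled" when it succeeds."""
    server = SMDPServer()
    device = Device(server)
    device.install("QR-CODE-1")        # first scan: both sides agree it is installed
    device.online = False
    device.delete("QR-CODE-1")         # offline deletion: server never hears about it
    device.online = True
    if reconcile_on_reconnect:
        device.flush_notifications()   # hypothetical mitigation: send the queued delete
    try:
        device.install("QR-CODE-1")    # user rescans the original QR code
    except ReinstallError:
        return "dos"
    return "reinstalled"


if __name__ == "__main__":
    print("without reconciliation:", scenario(reconcile_on_reconnect=False))
    print("with reconciliation:   ", scenario(reconcile_on_reconnect=True))
```

Running the script shows the two outcomes side by side: without the queued notification the server's stale "installed" record turns a harmless local deletion into a lockout that only the provider can clear, while delivering the notification on reconnection lets the same QR code be reused. `detect_drift` is the check a provider's support tooling would run before telling a customer the code is "already used".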
