Convenience comes at a cost! Revealing four hidden vulnerabilities of eSIM: privacy exposure, surveillance risks emerge

eSIM technology is rapidly replacing physical SIM cards, but the convenient remote management architecture conceals multiple risks. Research has found problems in which data from cross-border roaming flows to specific jurisdictions.

The Rise of eSIM Technology and Architectural Risks

Mobile communication technology is deep into its digital transformation, and traditional physical SIM cards are rapidly being phased out. According to GSMA forecasts, by 2028, 50% of smartphones worldwide will fully support eSIM technology.

This change reached its peak after the release of the “eSIM Only” version of the iPhone 14 in the U.S. market. The core advantage of eSIM (embedded Subscriber Identity Module) is remote management (Remote SIM Provisioning, RSP), which allows users to switch telecom plans by scanning a QR Code or downloading an App. However, behind this convenience lie profound architectural risks.

A research report from Northeastern University points out that the design of eSIM amplifies the risks associated with traditional SIM cards, and that introducing complex remote management processes and third-party agents with extremely low transparency has opened up an entirely new attack surface. As identity verification shifts from physical chips to digital workflows, users’ control over their communications security is facing challenges.

The Cross-Border Trap of Data Roaming: Revealing Data Flow and Jurisdiction Exposure

In-depth investigations into the travel eSIM market show that user data is often directed to specific foreign jurisdictions without users’ knowledge. Most travel eSIM providers adopt a “Home-Routed Roaming” (HRR) architecture. Even if users are in the U.S. and accessing local telecom networks, all network traffic, web browsing records, and App usage data are still re-encapsulated and sent back to the eSIM provider’s “home network” for processing.

Experiments show that when using Holafly services headquartered in Europe, even within the U.S., the data still flows through China Mobile’s infrastructure, causing the device’s externally visible public IP geolocation to be marked as China.

Image source: USENIX—detailed information on IP addresses, IP geolocation, and ISPs of various eSIM providers

This mechanism grants foreign operators the ability to monitor users’ online activities. Although some regions have privacy regulations such as GDPR that restrict data processing, in the complex technical chain of cross-border roaming, enforcement still leaves gray areas, and users may face overseas surveillance risks.

Privacy on the Run? Silent Communications and Unauthorized Monitoring

The entry barrier to the eSIM market is extremely low, and a large number of unregulated resellers have emerged. Researchers found that by registering as a reseller, they could easily obtain extremely sensitive user backend data with just an email and a credit card.

On reseller dashboards of platforms such as Telnyx, resellers can monitor in real time the activation status and data usage of users’ eSIMs, and can even obtain device location information based on base station positioning. Some resellers have permissions to “assign fixed public IP” and “send binary SMS,” giving malicious third parties an opportunity to bypass device protections and directly send malicious payloads to mobile phones or establish command-and-control channels.

In addition, by monitoring the hardware with tools such as the sysmoEUICC1, it has been found that services like eSIM Access initiate “Proactive Communication” in the background. Without any App running or any user action, the eSIM silently exchanges data with servers in Singapore or Hong Kong. Such covert activity, based on the SIM Application Toolkit (STK), exposes users’ mobile devices to digital threats.

From Flawed Deletion Mechanisms to DoS Threats

eSIM lifecycle management involves a high degree of synchronization among the device, the eUICC hardware, and the SM-DP+ servers. Experimental data shows that this digital process is extremely fragile under certain conditions.

The most typical vulnerability occurs in the “offline deletion” state. When users delete an eSIM profile without a network connection (such as by disabling Wi-Fi or being in a signal dead zone), the device cannot send the status update notification to the remote server. Because the server still regards that profile as “installed,” even rescanning the original QR Code fails with a “reinstallation” error, resulting in a denial-of-service (DoS) situation.
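To make the desynchronisation concrete, the following is an added example (not code from the article or from the cited research) that models the device-side eUICC and the SM-DP+ server as two toy state holders. The class names, EID/ICCID values and message strings are constructed assumptions, not the GSMA RSP wire protocol. It runs the scenario twice: once with the device dropping the notification it could not deliver while offline, reproducing the “reinstallation” error, and once with the notification queued and flushed when connectivity returns, which is the mitigation a defender would want the LPA and server to agree on.

```python
"""Toy model of eSIM profile state synchronisation between an eUICC and an SM-DP+.

Constructed example: the class names, state values and message strings are
simplified assumptions, not the GSMA RSP wire protocol.
"""


class SmDpPlus:
    """Remote profile server. It only learns about deletions through
    notifications sent by the device, so its view can go stale."""

    def __init__(self):
        self.installed = set()  # (eid, iccid) pairs believed to be on a device

    def download(self, eid, iccid):
        key = (eid, iccid)
        if key in self.installed:
            # The server still believes the profile is present and refuses
            # a second download: this is the "reinstallation" error.
            raise RuntimeError("reinstallation rejected: profile already installed")
        self.installed.add(key)

    def handle_notification(self, eid, iccid, event):
        if event == "deleted":
            self.installed.discard((eid, iccid))


class Euicc:
    """Device side (eUICC plus LPA). retain_pending selects whether a
    notification that could not be delivered is queued or simply dropped."""

    def __init__(self, eid, server, retain_pending):
        self.eid = eid
        self.server = server
        self.retain_pending = retain_pending
        self.profiles = set()
        self.pending = []  # undelivered (iccid, event) notifications
        self.online = True

    def install(self, iccid):
        if not self.online:
            raise RuntimeError("no network: cannot reach SM-DP+")
        self.server.download(self.eid, iccid)
        self.profiles.add(iccid)

    def delete(self, iccid):
        # Deletion is a local operation and works without network.
        self.profiles.discard(iccid)
        self._notify(iccid, "deleted")

    def _notify(self, iccid, event):
        if self.online:
            self.server.handle_notification(self.eid, iccid, event)
        elif self.retain_pending:
            self.pending.append((iccid, event))
        # else: the notification is lost and the server's view goes stale

    def sync(self):
        """Deliver queued notifications once connectivity is back."""
        if not self.online:
            return
        while self.pending:
            iccid, event = self.pending.pop(0)
            self.server.handle_notification(self.eid, iccid, event)


def offline_delete_then_reinstall(retain_pending):
    """Run the article's scenario and report the outcome of the re-scan."""
    server = SmDpPlus()
    device = Euicc("EID-CONSTRUCTED-0001", server, retain_pending)  # constructed ids
    iccid = "ICCID-CONSTRUCTED-0001"

    device.install(iccid)          # first QR-code scan, online
    device.online = False          # Wi-Fi off / signal dead zone
    device.delete(iccid)           # profile removed locally; server not told
    device.online = True
    device.sync()                  # flushes queued notifications, if any
    try:
        device.install(iccid)      # user re-scans the same QR code
        return "reinstalled"
    except RuntimeError as exc:
        return str(exc)


if __name__ == "__main__":
    print("drop notification :", offline_delete_then_reinstall(False))
    print("queue notification:", offline_delete_then_reinstall(True))
```

The point of the two runs is that the DoS is not caused by the deletion itself but by the server never receiving the deletion event; any deployment where the device forgets undelivered notifications, or where the server ignores late ones, ends in the same stuck state and needs the manual operator reset the article describes.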

This technical deadlock usually requires manual intervention by the telecom provider to resolve. In addition, some suppliers may exploit storage limitations by installing abnormally large profiles to exhaust hardware capacity, thereby preventing users from installing competing services. Regulators should require telecom companies to implement multi-factor authentication (MFA) to prevent SIM Swapping attacks and to establish transparent digital management standards to ensure users’ communications sovereignty.
