Travel eSIMs secretly route traffic over Chinese and undisclosed networks: study

A security study has unearthed security concerns for travel electronic subscriber identity modules (eSIMs), showing that many providers route user data through foreign telecommunications networks without disclosing to customers that this is happening.

The researchers' eSIM test setup.

Researchers from Northeastern University tested dozens of popular eSIM services and discovered that user traffic frequently passes through Chinese infrastructure, regardless of the customer's actual location.

Maryam Motallebighomi, Jason Veara, Evangelos Bitsikas, and Aanjhan Ranganathan said in their paper, eSIMplicity or eSIMplification? Privacy and Security Risks in the eSIM Ecosystem that the data routing raises concerns about jurisdictional exposure.

The research team purchased eSIM profiles from 25 providers including Holafly, Airalo, and eSIM Access to analyse how user data flows through mobile networks.

Their analysis presented at the 34th USENIX Security Symposium in Seattle, United States, pointed to a pattern of opaque routing arrangements with eSIM provider networks.

"After purchasing and installing a targeted set of eSIMs, we observed that in almost all cases the device’s public IP address did not correspond to its physical location," the researchers wrote.

"Instead, most of the assigned IPs were associated with third-party countries.

"Specifically, through IPinfo, we confirmed that many of the IP addresses belonged to telecommunications providers located in different countries," they added.

The team found that an eSIM from Ireland-based Holafly resulted in connections being routed through China Mobile's network.

In that test case, the device received an IP address (223.118.51.96) allocated to China Mobile International Limited.

This makes devices appear to be located in China rather than their actual location; disabling the global positioning service on a test device made it appear to be physically located in China, the researchers said.

Further evidence of unexpected IP addresses was found when the researchers were able to access services and content restricted to specific regions with eSIMs.

"For example, we could stream videos from ViuTV, an entertainment platform that is typically unavailable in the United States, without the need for a VPN [virtual private network]," the researchers said.

Surprisingly low barrier for entry to become an eSIM reseller

The researchers also looked into the requirements for becoming an eSIM reseller and found that it was surprisingly easy to be set up as one.

Platforms offer turnkey solutions and often target travel agents who can provide value-added services to customers through eSIM resale.

To investigate, the researchers subscribed to the eSIMaccess and Telnyx resale platforms, to create their own eSIM reseller service.

"All that was needed to become an eSIM reseller in both cases was a valid email address and method of payment," the researchers said.

eSIM resellers gain extensive access to user data, including International Mobile Subscriber Identity (IMSI) numbers, and in one case, device location information accurate to within 800 metres, along with the ability to send SMS messages directly to users.

Telnyx provides location information for any active eSIM profile, the study found, although not in real-time, raising questions about user privacy and consent.

eSIMs phone home on the quiet

Using specialised hardware, the team observed eSIM profiles engaging in "proactive communication" without user knowledge.

The research documented profiles silently establishing connections to servers in Singapore and retrieving SMS messages from Hong Kong numbers.

Silent open/send/close data sessions and unsolicited SMS retrieval initiated by profiles were captured, demonstrating user-invisible communication embedded in the provisioning layer.

This behaviour occurs through SIM Application Toolkit commands, which traditionally supported legitimate network configuration tasks but can now operate without user awareness.

The researchers proposed several measures to address identified vulnerabilities.

Enhanced transparency requirements would force providers to disclose routing arrangements and data handling practices clearly.

The researchers also suggested regulatory frameworks that clarify accountability between mobile network operators, resellers, and wholesale providers.

A complete dataset and methodology for the study will be released on GitHub to support further research into eSIM security challenges.