Academic Research Confirms Privacy Risks in Travel eSIM Ecosystem
Summary
Researchers from Northeastern University have published the first peer-reviewed study to systematically examine the travel eSIM ecosystem, confirming what privacy advocates have long suspected: many budget travel eSIM providers route user traffic through foreign networks, expose sensitive device data to unregulated resellers, and suffer from critical profile management failures.
The paper, titled "eSIMplicity or eSIMplification? Privacy and Security Risks in the eSIM Ecosystem," was presented at the USENIX Security Symposium in August 2025 in Seattle and is available as open-access research.
Key Findings
1. Traffic Routed Through Foreign Infrastructure
The researchers analyzed dozens of travel eSIM profiles and found that user traffic is frequently routed through third-party networks in foreign jurisdictions, even when users are physically located in their home country.
Most concerning finding: Several providers route data through Chinese infrastructure (including China Mobile), regardless of where the user is located.
Example from the research:
- Holafly (an Irish provider) assigned users a public IP (223.118.51.96) geolocated to China, routed through China Mobile International Limited
- Traceroutes showed hops through China Mobile and foreign ASNs
- Users in the United States had their traffic routed through servers in China and Europe
Why this matters:
- Jurisdictional exposure (data accessible to foreign governments)
- Potential for surveillance and metadata collection
- Location inference and tracking
- Access to region-locked services may be compromised
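One way to check the routing concern above on your own connection, as an added example (not code from the paper or from this site): parse `traceroute -A` output captured over the eSIM data link and list the hops whose ASN is registered outside the user's country. The sample output, the documentation-range IPs and ASNs, and the ASN-to-country map are constructed; the `[AS...]` annotation format is assumed from Linux traceroute.

```python
import re

# Constructed sample in the style of `traceroute -A` (not data from the paper).
SAMPLE_TRACEROUTE = """\
traceroute to 198.51.100.7 (198.51.100.7), 30 hops max, 60 byte packets
 1  10.64.0.1 (10.64.0.1) [*]  41.2 ms  40.8 ms  42.0 ms
 2  192.0.2.10 (192.0.2.10) [AS64500]  188.4 ms  187.9 ms  189.3 ms
 3  * * *
 4  192.0.2.33 (192.0.2.33) [AS64500]  190.1 ms  191.6 ms  190.4 ms
 5  203.0.113.5 (203.0.113.5) [AS64501/AS64502]  232.7 ms  233.0 ms  231.9 ms
 6  198.51.100.7 (198.51.100.7) [AS64510]  236.2 ms  235.8 ms  236.9 ms
"""

# Hypothetical map an analyst would fill in from RIR/WHOIS records.
ASN_COUNTRY = {"AS64500": "CN", "AS64501": "HK", "AS64502": "HK", "AS64510": "US"}

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
ADDR_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)\s+\[([^\]]+)\]")


def parse_hops(text):
    """Return [(hop_number, ip or None, [ASNs])], one entry per hop line."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line, not a hop
        hop_no, rest = int(m.group(1)), m.group(2)
        a = ADDR_RE.search(rest)
        if not a:
            hops.append((hop_no, None, []))  # "* * *": hop did not answer
            continue
        asns = [] if a.group(2) == "*" else a.group(2).split("/")
        hops.append((hop_no, a.group(1), asns))
    return hops


def foreign_hops(hops, asn_country, home_country):
    """List (hop, ip, asn, country) where the ASN is registered elsewhere or unmapped."""
    findings = []
    for hop_no, ip, asns in hops:
        for asn in asns:
            country = asn_country.get(asn, "unknown")
            if country != home_country:
                findings.append((hop_no, ip, asn, country))
    return findings


if __name__ == "__main__":
    for finding in foreign_hops(parse_hops(SAMPLE_TRACEROUTE), ASN_COUNTRY, "US"):
        print("hop %d  %s  %s  registered in %s" % finding)
```

An ASN's registration country is not proof of where a router physically sits, so treat the result as a prompt to ask the provider about its routing, not as a verdict.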
2. Resellers Have Dangerous Access
The research documented the extensive control that eSIM resellers (not just network operators) have over user devices:
What reseller APIs can return:
- Subscriber identifiers (IMSI, MSISDN)
- SIM PINs
- SMS send/receive capabilities
- Profile lifecycle controls (activate, deactivate, delete remotely)
What resellers can do:
- Assign public IP addresses to mobile devices (in one test, an iPhone became an accessible web server)
- Initiate silent data sessions without user awareness
- Retrieve SMS messages proactively (user-invisible background communication)
- Access metadata about device location and network usage
The risk: Users buying from "recognizable brands" may not realize the underlying reseller or data-handling entity is a completely different company with minimal regulatory oversight.
3. Profile Deletion Failures
Using a private LTE testbed and commercial SM-DP+ infrastructure, researchers demonstrated a critical flaw in eSIM profile management:
The problem: If a user deletes an eSIM profile while their device is offline, the SM-DP+ server may not register the deletion.
The result: Users cannot reinstall the same profile later, creating a denial-of-service scenario that can only be resolved through manual intervention by the provider.
This doesn't happen with physical SIMs, where you simply swap the card. The digital provisioning model introduces new failure modes that lock users out of their own connectivity.
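The failure mode above and the "server-acknowledged deletes" fix recommended later, as an added example (a simplified model, not the paper's testbed and not the GSMA protocol): a device either drops the delete notification when offline, or keeps it until the server acknowledges it. The class names, the two-state server model and the ICCID are constructed, and the model assumes the server permits re-download only once it has recorded the deletion.

```python
class SMDPServer:
    """Simplified model of server-side profile state (an assumption of this example)."""
    def __init__(self):
        self.state = {}                       # iccid -> "released" | "installed"

    def release(self, iccid):
        self.state[iccid] = "released"

    def download(self, iccid):
        if self.state.get(iccid) != "released":
            raise PermissionError("profile still recorded as installed")
        self.state[iccid] = "installed"

    def notify_deleted(self, iccid):
        self.state[iccid] = "released"
        return True                           # acknowledgement back to the device


class Device:
    def __init__(self, server, keep_until_acked):
        self.server, self.keep_until_acked = server, keep_until_acked
        self.online, self.pending = True, []  # pending: deletes the server has not acked

    def install(self, iccid):
        self.server.download(iccid)

    def delete(self, iccid):
        if self.online:
            self.server.notify_deleted(iccid)
        elif self.keep_until_acked:
            self.pending.append(iccid)        # can be shown to the user as "not yet confirmed"
        # else: the notification is lost, which is the failure described above

    def reconnect(self):
        self.online = True
        # Retry every queued notification; drop only the ones the server acknowledged.
        self.pending = [i for i in self.pending if not self.server.notify_deleted(i)]


def reinstall_after_offline_delete(keep_until_acked, iccid="8900-CONSTRUCTED-0001"):
    """Install, delete while offline, reconnect, then report whether reinstall works."""
    server = SMDPServer()
    server.release(iccid)
    phone = Device(server, keep_until_acked)
    phone.install(iccid)
    phone.online = False
    phone.delete(iccid)
    phone.reconnect()
    try:
        phone.install(iccid)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print("fire-and-forget delete, reinstall ok:", reinstall_after_offline_delete(False))
    print("acknowledged delete, reinstall ok:  ", reinstall_after_offline_delete(True))
```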
4. Silent Background Behavior
Using specialized hardware (sysmoEUICC and SIMtrace2), researchers captured proactive, user-invisible actions embedded in travel eSIM profiles:
- Unsolicited SMS retrieval
- Silent open/send/close data sessions
- Background communication that never appears in user-facing logs
Users have no visibility into this behavior. There's no indication in phone settings that the eSIM is "phoning home" or retrieving messages in the background.
Which Providers Were Tested?
The researchers purchased eSIM profiles from 25 providers including Holafly, Airalo, and eSIM Access. The paper includes a detailed table (Table 1) showing each provider's company origin, public IP assignment location, IP geolocation, and ISP/network used.
Several providers showed concerning patterns, with IPs assigned in China, unclear jurisdictions, and opaque routing paths. Others routed through European or US-based infrastructure. The paper does not rank providers or make endorsements — it reports the observed data routing paths for each.
The full table is available in the open-access paper linked below.
The Bigger Picture: Why eSIMs Change the Threat Model
Unlike physical SIM cards (where mobile network operators directly manage connectivity), the rise of eSIMs has introduced a flood of new commercial entities:
- eSIM resellers
- White-label service providers
- Third-party provisioning platforms
The problem: Users may purchase from a "recognizable brand" without realizing:
- The network provider is different
- The data-handling entity is a foreign company
- The reseller has administrative access to their device
The scale: There are now hundreds of travel eSIM companies operating globally, many with minimal regulatory oversight.
Security Risks Unique to eSIMs
1. SIM Swapping is Easier
Unlike physical SIMs (which require possession and deliberate user action), eSIMs can be installed by:
- Scanning a QR code
- Tapping a URL in an SMS
- Installing a malicious profile via a fake website
This removes friction, making attacks easier to execute and harder for users to detect.
2. Phishing at Scale
Attackers can distribute fake eSIM profiles via:
- Fraudulent QR codes
- Spoofed websites
- SMS links
Users may install unauthorized configurations without realizing it until it's too late.
3. Private Network Risks
The paper also examines eSIM deployment in private LTE/5G networks (hospitals, warehouses, industrial settings).
The risk: These networks often rely on local infrastructure and permissive profile policies, which may not follow operator-grade security practices. Reduced visibility and weaker controls introduce additional vulnerabilities.
What the Researchers Recommend
The paper includes specific recommendations for improving the eSIM ecosystem:
For Users:
- Stick to vetted carriers — avoid unknown resellers with unclear origins
- Don't scan random QR codes — verify the source before installing any eSIM
- Ask about routing transparency — find out where your traffic will be routed
- Prefer local breakout over home-routed profiles when possible
For Operators and Regulators:
- Require transparency — disclose routing paths, SM-DP+ endpoints, and whether traffic uses local breakout or home routing
- Vet resellers — enforce least-privilege access for third-party reseller APIs
- Strengthen authentication — implement MFA and stricter identity checks to prevent eSIM swap abuse
- Fix deletion semantics — ensure server-acknowledged deletes and user-visible profile state
- Audit compliance — regular audits against GSMA standards and privacy regulations
For Platforms (Apple, Google, Samsung):
- Improve user visibility — show active eSIM profiles, data usage, and background activity
- Better profile management — ensure users can reliably delete and reinstall profiles
- Warn about resellers — indicate when an eSIM is from a third-party reseller vs direct operator
About the Research
Paper: "eSIMplicity or eSIMplification? Privacy and Security Risks in the eSIM Ecosystem"
Authors:
- Maryam Motallebighomi (Northeastern University)
- Jason Veara (Northeastern University)
- Evangelos Bitsikas (Northeastern University)
- Aanjhan Ranganathan (Northeastern University)
Presented: USENIX Security Symposium 2025 (August 13–15, 2025, Seattle, WA)
Availability: Open access (no paywall)
URL: https://www.usenix.org/conference/usenixsecurity25/presentation/motallebighomi
Datasets: The researchers have released datasets and captured logs on GitHub, including:
- eSIM installation traces
- Deletion logs
- Network traffic captures
- Traceroute data
What This Means for Travelers
If you've been using budget travel eSIMs to stay connected abroad, this research is a wake-up call:
- Your data may be routed through countries you've never visited. Even if you're in New York, your traffic might pass through Beijing.
- The "cheap eSIM" you bought online gives a reseller broad access. They can see your subscriber identifiers, send SMS, assign public IPs, and control your profile remotely.
- Deleting an eSIM might not actually delete it. If you're offline when you hit "delete," the server might not register it — and you'll be locked out.
- Your eSIM is doing things you can't see. Silent SMS retrieval, background data sessions — all invisible to you.
Bottom Line
The convenience of eSIMs comes with real privacy and security trade-offs. This is the first peer-reviewed study to systematically document those concerns with empirical data across the travel eSIM ecosystem.
For esim.report readers:
- Be selective about which travel eSIM providers you use
- Ask questions about routing and reseller relationships
- Prefer providers that are transparent about their infrastructure and routing paths
- Avoid dirt-cheap, no-name resellers with unclear origins
- Check the paper's Table 1 to see where your provider's traffic actually goes
For the industry:
- This research should be a wake-up call
- Transparency and user control need to improve
- Regulatory oversight is long overdue