Travel eSIMs secretly route traffic over Chinese and undisclosed networks: study - iTnews

Security researchers from Northeastern University found that travel eSIM providers frequently route user traffic through foreign networks, particularly Chinese infrastructure, without disclosing this to customers. Testing 25 popular eSIM services including Holafly, Airalo, and eSIM Access revealed that devices often receive IP addresses from third-party countries rather than their actual location, with one Irish provider routing connections through China Mobile’s network. The study discovered that becoming an eSIM reseller requires only an email address and payment method, granting extensive access to user data including subscriber identities, location information accurate to 800 meters, and SMS messaging capabilities. Researchers also found eSIM profiles silently establishing connections to foreign servers and retrieving messages without user knowledge through hidden SIM Application Toolkit commands. The findings raise significant privacy concerns about jurisdictional exposure and undisclosed data routing practices, with researchers calling for enhanced transparency requirements and clearer regulatory frameworks to address these security vulnerabilities in the growing eSIM ecosystem.​​​​​​​​​​​​​​​​