
Travel eSIMs Found Routing Traffic Through Chinese Networks Without User Consent

Travel eSIMs are becoming increasingly popular among international travelers due to their convenience and cost-saving benefits. However, a recent study by researchers at Northeastern University has uncovered significant privacy and security concerns associated with these services. The study found that many travel eSIM providers route user traffic through foreign networks, including Chinese infrastructure, without informing users. This lack of transparency poses serious risks to user privacy and data security.

The researchers tested 25 popular eSIM services and discovered that devices often receive IP addresses from third-party countries rather than their actual location. For instance, an Irish provider was found to route connections through China Mobile's network. This practice can expose users to surveillance and data interception, particularly in countries with different data protection laws.

Another concerning finding is the ease of becoming an eSIM reseller. The study revealed that becoming a reseller requires only an email address and a payment method, granting access to extensive user data, including subscriber identities, precise location data (within 800 meters), and SMS messaging capabilities. This low barrier to entry increases the risk of malicious actors gaining access to sensitive user information.

Furthermore, the study found that eSIM profiles can silently establish connections to foreign servers and retrieve messages without the user's knowledge. This is achieved through hidden commands in the SIM Application Toolkit (STK), which allows the SIM card to initiate actions on the device. This lack of transparency and user consent raises significant privacy concerns.

For cybersecurity professionals, these findings highlight the need for greater scrutiny of eSIM providers and their practices. It is crucial to ensure transparency and user consent in data routing and handling. Users should be informed about where their data is being routed and who has access to it. Additionally, organizations should consider the risks associated with eSIM usage, particularly for international travel, and implement appropriate security measures.

The broader impact on the cybersecurity landscape is substantial. This study reveals vulnerabilities in the eSIM ecosystem that could be exploited by threat actors. It underscores the need for better regulation and oversight of eSIM providers to ensure user privacy and security. Cybersecurity professionals should be aware of these risks and consider them when advising organizations or individuals on the use of eSIMs.

In conclusion, while travel eSIMs offer convenience and cost savings, they also pose significant privacy and security risks. The findings of this study highlight the need for greater transparency, regulation, and oversight in the eSIM ecosystem to protect user data and ensure secure communications.
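
For teams that want to scrutinize the STK behaviour described above, the following added example (not code from the article or the study) parses proactive commands captured from a SIM interface trace and flags network-facing ones that carry no user-visible text. Tag and command values follow ETSI TS 102 223; the sample APDUs are constructed, and treating a missing or empty alpha identifier as "silent" is a heuristic assumption, since actual display behaviour depends on the terminal.

```python
# Added example: audit STK proactive commands for network actions without user-facing text.
PROACTIVE_TAG = 0xD0                      # BER-TLV tag of a proactive UICC command
CMD_DETAILS, ALPHA_ID = 0x01, 0x05        # COMPREHENSION-TLV tags (bit 8 masked off)
NETWORK_CMDS = {0x13: "SEND SHORT MESSAGE", 0x40: "OPEN CHANNEL",
                0x42: "RECEIVE DATA", 0x43: "SEND DATA"}

# Constructed samples: DISPLAY TEXT, OPEN CHANNEL (no alpha id),
# SEND SHORT MESSAGE (alpha id "Sending", stub TPDU), SEND DATA (empty alpha id).
SAMPLE_APDUS = [
    "D00E8103012180820281028D03044869",
    "D010810301400182028182350103" "39020578",
    "D016810301130082028183850753656E64696E678B020100",
    "D00F8103014301820281218500B602AABB",
]

def read_len(buf, i):
    """Decode a BER length starting at buf[i]; return (length, next_index)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    if buf[i] == 0x81:
        return buf[i + 1], i + 2
    raise ValueError("unsupported length encoding")

def parse_proactive(apdu_hex):
    """Return (command_type, alpha_text_or_None) for one proactive command."""
    buf = bytes.fromhex(apdu_hex)
    if len(buf) < 2 or buf[0] != PROACTIVE_TAG:
        raise ValueError("not a proactive command")
    total, i = read_len(buf, 1)
    end = i + total
    if end > len(buf):
        raise ValueError("truncated command")
    cmd_type, alpha = None, None
    while i < end:
        tag = buf[i] & 0x7F               # drop the comprehension-required bit
        length, i = read_len(buf, i + 1)
        value, i = buf[i:i + length], i + length
        if tag == CMD_DETAILS and length == 3:
            cmd_type = value[1]           # bytes: number, type, qualifier
        elif tag == ALPHA_ID:
            alpha = value.decode("latin-1")  # simplification: ASCII-range text only
    return cmd_type, alpha

def silent_network_commands(apdus):
    """Names of network-facing commands whose alpha identifier is absent or empty."""
    findings = []
    for apdu in apdus:
        cmd_type, alpha = parse_proactive(apdu)
        if cmd_type in NETWORK_CMDS and not alpha:
            findings.append(NETWORK_CMDS[cmd_type])
    return findings
```
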