© Cyberfreek Industries, llc 1997-2025 All rights reserved.

eSIMs are the new rage for people who travel.

eSIM stands for embedded Subscriber Identity Module, and it can add data and phone service no matter where you travel. You no longer need a slot or a physical card to use an eSIM. It allows you to use more than 1 carrier and phone number at once.

An eSIM uses preinstalled software on your device to work just like a physical SIM. Activation is required, and once activated, you can connect through a cell network to make phone calls and access the Internet. To start, you must buy an eSIM plan through an eSIM provider. The provider is usually based in the country you are currently in or traveling to. There is no requirement to remove your existing SIM card from your home provider.

Dangers of eSIMs

eSIMs can be manipulated if you give out the OTP (One Time Password) to anyone, whether the request comes from a hacker or from an actual representative.

Example:

An eSIM subscriber received an SMS from the eSIM provider containing an OTP for eSIM card activation. The person then received a long numerical message on WhatsApp along with what looked to be eSIM update related messages (on WhatsApp??). The person also received additional calls from both the hackers and legitimate eSIM provider representatives. The victim shared the OTP with the callers, inadvertently giving them access to activate an eSIM on their own device, effectively hijacking the victim's phone number. Once the hackers gained control of the phone number through the eSIM activation, they systematically drained the user's bank accounts.

This was only discovered when the user's new eSIM was deactivated due to potential fraud. If the eSIM provider had not done this, the user would never have known and would have kept using the phone.

eSIM Safety Tips:
  • Never share OTPs or activation codes with anyone. If you receive a phone call from someone stating they are from your eSIM provider, do not give them any information.  Call the Provider yourself.  DO NOT call the number that the potential hacker gives you.
  • ONLY use official channels for the eSIM provider. DO NOT click on unknown links that say they need to upgrade your eSIM software.  Call the provider!
  • Phishing attempts on phones or devices that are using an eSIM are more prevalent.  Be extra Cyber Aware of these messages.  If need be, call the provider and ask them what these messages are.  DO NOT assume they are real messages from the Provider.
  • Be Cyber Aware that phone calls or text messages asking for personal, banking and especially eSIM related information are a high risk incident.  Call the Customer Care number for the eSIM provider. Verify all information with the provider only.
  • If for any reason your device has unexpected signal loss, call the provider immediately.  This can be an indication that your eSIM may have been compromised.
  • When using an eSIM, monitor your accounts actively. If you see any strange phone calls or bank transactions, immediately call your eSIM provider as well as your Bank.
  • Always remember that an eSIM is software based.  Software-based apps can be susceptible to new hacking techniques as they arise.  Be aware.

Potential for eSIM Cloning and Spying is real.

It seems that the eSIM weaknesses are based upon Java Card flaws that were discovered in 2019.  These flaws are mostly in Oracle Java Card implementations, as found by a Poland-based cyber security firm.  The firm found 18 vulnerabilities in the Oracle Reference for Java Card Technology.  Initially the eSIM industry chose to downplay these vulnerabilities.  This is staggering.

The vulnerabilities were related to a specific app that could be downloaded with knowledge of the encryption used by the providers.  This app can break the memory safety of the underlying Java Card VM and gain full access to the card's memory.  It can then break the applet firewall and potentially achieve native code execution.

The crypto flaw can affect a wide range of eSIM cards and makes it possible to remotely discover the keys that are required to load Java applets into the cards.  The Poland-based security company stated that there was, at this time, no easy way to deploy Java applications on the eSIM cards, either remotely or via SMS messages, and not even with physical access to the eSIM.

But the potential is out there.

eSIM and Privacy:

If you use an eSIM in a country you are traveling through, be aware that many eSIMs silently route traffic through foreign carriers and grant unverified resellers carrier-grade privileges.

Potential issues:

  • Cross-border routing. Many travel eSIMs send traffic via foreign networks (e.g. Holafly via China Mobile), exposing data to other jurisdictions.
  • Third-party access. Unverified resellers can view IDs, track location, assign static IPs, revoke profiles, etc., without oversight.
  • Silent activity. Some eSIMs quietly open data sessions or receive SMS without user notification.
  • Nearly all eSIMs routed traffic through foreign networks.

There is a PDF full of research on this, published in August 2025, from Northeastern University.