← Back to Newsroom

eSIM technology under attack: what it is, how it works, and why this new exploit matters

11 July 20254 min read

eSimVulnerability

What is an eSIM and how does it work?

An eSIM (embedded SIM) is a programmable SIM chip embedded directly into your smartphone, tablet, laptop, or IoT device. Unlike physical SIM cards that you swap in and out, eSIMs are rewritable and remotely managed over the air.

Instead of inserting a plastic chip into your phone, eSIMs are activated digitally by downloading what’s called a profile — a signed configuration package that contains the user’s phone number, carrier credentials, and encryption keys.

The idea is to make switching carriers or plans easier, streamline logistics, and better support dual-SIM functionality — all while saving space in devices where physical components are being phased out.

The eSIM system operates through a set of globally standardized technologies called GSMA Remote SIM Provisioning (RSP). This allows carriers and manufacturers to:

  • Send a secure profile to the eSIM chip
  • Manage, revoke, or replace existing profiles
  • Encrypt the provisioning process using a chain of trust anchored in the device’s eUICC (embedded Universal Integrated Circuit Card)

In theory, it’s secure. In practice, it’s now under attack.

What just happened?

A new report has revealed a critical vulnerability in eSIM provisioning systems that could allow attackers to hijack, clone, or forge eSIM profiles, gaining unauthorized access to cellular networks.

This attack undermines the assumption that eSIM-based identity is unforgeable.

According to the researchers:

  • Attackers can trick the device into accepting a forged eSIM profile using a malicious provisioning server
  • They may exploit weak encryption or lack of mutual authentication between the device and carrier
  • Once installed, the fake eSIM profile can be used for intercepting traffic, impersonating victims, or tracking them silently
  • The entire attack can be staged remotely without physical access to the device

The most dangerous aspect? The user never sees a physical SIM swap, popup, or warning. Everything happens in the background via APIs and silent updates.

What we’ve seen in the field

At Cyber Protocol, we’ve tracked eSIM-related vulnerabilities since 2022—well before the attack surface became mainstream.

In audits for telecom partners and device manufacturers, we’ve observed:

  • Misconfigured RSP platforms that failed to validate server-side certificates
  • Devices accepting provisioning requests from non-authorized profiles
  • Cases where attackers replayed captured eSIM QR activation payloads across different devices (a primitive form of cloning)
  • eSIM logs and API traces being left unprotected in mobile device management (MDM) dashboards
  • Lack of eUICC-level enforcement for profile signature validation in several IoT manufacturers

In short, the industry rushed to adopt eSIMs, but many of the supporting infrastructures were not ready.

What we recommend

Based on field testing, active threat modeling, and audit simulations, here’s what we advise:

1. Verify the full provisioning chain

Don’t assume encryption means authentication. Mutual TLS, strong certificate pinning, and active monitoring of RSP endpoints are essential.

2. Lock down MDM systems

Many attacks are launched via integrations with mobile device management dashboards. Enforce strict controls on eSIM-related APIs and provisioning scripts.

3. Log and validate all eSIM profile changes

Implement centralized logging for every eSIM profile install, update, and deletion event. Trigger alerts on high-risk actions (e.g., unexpected downloads, provisioning from unknown IPs, or mismatched region codes).

4. Isolate eUICC trust zones

Treat the embedded secure element (eUICC) like a crypto wallet. If your device firmware allows third-party code to interact with it, you’ve already lost.

5. Educate users — yes, even for silent hacks

Most end users don’t know what an eSIM is, let alone how it could be hijacked. If you’re an enterprise managing fleets of mobile devices, include eSIM hygiene in your mobile policy.

Final word

The promise of eSIMs was simplicity, flexibility, and security.

The reality is a new remote attack vector hiding in plain sight.

We’ve moved from SIM swaps requiring social engineering to silent over-the-air takeovers, targeting both individuals and organizations.

Your eSIM is your digital identity.

Treat it like a cryptographic key — because that’s exactly what it is.

Concerned about your exposure to eSIM-based threats?

Cyber Protocol offers provisioning audits, RSP server scans, and mobile fleet resilience testing.

Request an eSIM audit

← Back to Newsroom