Your Travel eSIMs Found Routing Data Through China (Holafly)


Security Alert: Travel eSIMs Secretly Use Foreign Networks

When I came across this news, I was telling myself, “Oh no, not my eSIM!” A recent study has uncovered alarming privacy and security risks associated with travel eSIMs, revealing that many providers route user data through foreign telecommunications networks — including Chinese infrastructure — without informing customers. Conducted by researchers from Northeastern University and presented at the USENIX Security Symposium, the investigation analyzed eSIM profiles from 25 providers such as Holafly, Airalo, and eSIM Access.

The researchers found that in most cases, the public IP address assigned to a device did not match its physical location. Instead, traffic was routed through third-party countries. One notable example involved Ireland-based Holafly, whose eSIM service routed connections through China Mobile’s network. In that test case, the device received an IP address allocated to China Mobile International Limited in Hong Kong, making it appear as though the device was physically located in China. Disabling GPS on the test device further reinforced this illusion.
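One way to check for the mismatch described above is to compare the country the device is physically in with the registry allocation of its public IP. This is an added example, not code from the study or from any provider; the RDAP-style record, the address (a documentation prefix), the organisation name and the function names are all constructed for illustration.

```python
import ipaddress

# Constructed RDAP-style "ip network" record (RFC 9083 field names) for a
# documentation prefix; a real record would come from the registry's RDAP service.
SAMPLE_RDAP = {
    "objectClassName": "ip network",
    "startAddress": "203.0.113.0",
    "endAddress": "203.0.113.255",
    "country": "HK",
    "name": "EXAMPLE-MOBILE-INTL",
    "entities": [
        {"roles": ["registrant"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "Example Mobile International Limited"]]]},
    ],
}

def registrant_name(record):
    """Return the 'fn' of the first registrant entity, else the network name."""
    for ent in record.get("entities", []):
        if "registrant" in ent.get("roles", []):
            for prop in ent.get("vcardArray", [None, []])[1]:
                if prop[0] == "fn":
                    return prop[3]
    return record.get("name", "unknown")

def check_egress(public_ip, record, visited_country):
    """Compare where the device is with where its public IP is allocated.

    The country in a registry record is allocation data, not geolocation:
    a mismatch means the traffic leaves through another operator's address
    space, which is the condition worth asking the eSIM provider about.
    """
    ip = ipaddress.ip_address(public_ip)
    start = ipaddress.ip_address(record["startAddress"])
    end = ipaddress.ip_address(record["endAddress"])
    if ip.version != start.version or not (start <= ip <= end):
        raise ValueError("RDAP record does not cover this address")
    country = (record.get("country") or "").upper()
    visited = visited_country.upper()
    return {"ip": str(ip), "allocated_to": registrant_name(record),
            "allocation_country": country or None, "visited_country": visited,
            "mismatch": bool(country) and country != visited}

if __name__ == "__main__":
    # Constructed scenario: device physically in Ireland, IP allocated in Hong Kong.
    print(check_egress("203.0.113.57", SAMPLE_RDAP, "IE"))
```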

This unexpected routing allowed access to region-restricted content, such as ViuTV, without the use of a VPN. The study also highlighted how easy it is to become an eSIM reseller, with platforms requiring only an email and payment method. Resellers gain access to sensitive user data, including IMSI numbers and location information accurate to within 800 meters.

Imagine you are using a Holafly eSIM: someone can access your data and track you anywhere in the world with an accuracy as close as 800 meters. The eSIMs I usually use are Airalo and Saily. They are doing the same thing, but not in China. I am on some level comfortable sending my data to other countries (if I have no choice), but sending my info to CHINA is a big NO for me.

The researchers are calling for greater transparency and regulatory oversight to ensure users are informed about how their data is handled. They propose mandatory disclosure of routing practices and clearer accountability among network operators, resellers, and wholesale providers.

This study raises serious questions about the safety of using travel eSIMs and underscores the need for stronger consumer protections in the rapidly evolving mobile connectivity landscape.