A detailed comparison of eSIM and physical SIM security properties — covering SIM cloning attacks, physical theft vulnerabilities, SIM swap fraud, and the secure element architecture that underpins eSIM protection.
The fundamental physical security difference between eSIM and traditional SIM lies in removability. A physical SIM card can be extracted from a device in seconds — no tools required beyond a SIM ejector pin — and once removed, it can be inserted into any compatible device to operate as your phone number. This physical portability, while convenient, is simultaneously one of the most significant security vulnerabilities of the physical SIM model. An attacker who gains momentary physical access to your device — in a busy MTR station, at a restaurant while you step away, or through a physical theft — can remove your SIM and use it to receive your calls, SMS messages, and critically, any SMS-based two-factor authentication codes sent to your number.
eSIM credentials are embedded in a secure element that is soldered to the device's motherboard during manufacturing. The secure element is a dedicated, tamper-resistant microchip that stores cryptographic keys and eSIM profiles in an isolated hardware environment that cannot be accessed by the device's main operating system, applications, or any external actor without the appropriate cryptographic credentials. The GSMA SGP.22 specification that governs eSIM architecture requires this secure element isolation — it is not an optional security feature but a mandatory architectural requirement. Even if an attacker physically disassembles the device and removes the secure element chip, the cryptographic keys it contains cannot be extracted without specialist equipment costing hundreds of thousands of dollars.
For Hong Kong users, this physical security distinction is particularly relevant given the density and pace of daily commuting. The MTR network carries over five million passenger trips per day, creating crowded conditions where opportunistic physical theft and pickpocketing occur. A physical SIM theft in this context is a low-sophistication, high-impact attack — the thief has immediate access to your number and all SMS messages sent to it. eSIM eliminates this attack vector entirely: even if your device is stolen, the eSIM profile cannot be extracted and used in another device without breaking through multiple layers of hardware security. The attacker is left with a device they cannot use for number hijacking unless they can also unlock the phone itself.
SIM cloning attacks against physical SIM cards have been documented since the 1990s and continue to be executed by sophisticated attackers today. The attack involves reading the authentication keys (Ki and IMSI) stored on a physical SIM card using a SIM reader device, then writing those keys onto a blank programmable SIM card. The cloned SIM operates as your number — it can receive calls and SMS messages sent to your number, making it an effective tool for intercepting SMS 2FA codes. The equipment required to perform this attack has become cheaper over time and is available from overseas electronics suppliers, though the attack still requires physical access to the target SIM for a period ranging from minutes to hours depending on the SIM card's generation and the clone device's capabilities.
Modern physical SIM cards include countermeasures that have made cloning more difficult. 3G/4G SIM cards use stronger authentication algorithms (MILENAGE, TUAK) that make recovering the Ki by brute force challenging, and some cards include clone detection mechanisms that invalidate the original or the clone when both attempt to connect to the network simultaneously. However, these countermeasures are not uniformly implemented across all carriers and SIM card generations, and older SIM cards (2G-era cards still in circulation) may remain vulnerable to relatively straightforward cloning attacks. In Hong Kong, where the mobile network infrastructure is modern, most active SIM cards are relatively recent, but legacy card vulnerabilities cannot be dismissed entirely.
eSIM is architecturally resistant to cloning attacks because the cryptographic credentials are stored in a hardware secure element that does not expose them to any external interface. A physical SIM reader works by communicating with the SIM over a standardised interface and reading the authentication challenge-response behaviour to extract key material. An eSIM's secure element performs these cryptographic operations entirely internally — the key material never leaves the secure element in any readable form. There is no interface through which a clone device can extract the Ki equivalent from an eSIM. The only attack path against eSIM at this level would require physically de-packaging and probing the secure element chip at nanometre scale, an attack that remains firmly in the realm of nation-state capabilities rather than criminal threat actors.
SIM swap fraud — where an attacker convinces a carrier to transfer your phone number to a SIM under the attacker's control — is the primary attack vector that affects both physical SIM and eSIM users equally, though with different execution mechanisms. For physical SIM, the classic attack involves the attacker visiting a carrier store with forged identity documents and requesting a SIM replacement, claiming the original was lost or damaged. The carrier issues a new SIM, the victim's original SIM is deactivated, and the attacker now controls the number. For eSIM, the equivalent attack is conducted remotely: the attacker compromises the victim's carrier account credentials and requests an eSIM profile transfer to a device they control through the carrier's online portal or app.
The shift from physical to eSIM changes the SIM swap attack surface in a meaningful way. Physical SIM swap attacks require a human actor at a carrier store — they can be defeated by carriers requiring government-issued ID verification and adding fraud alerts to accounts, but the in-person interaction creates a social engineering opportunity where a convincing actor with plausible documentation can succeed. eSIM swap attacks are conducted entirely online, meaning they require the attacker to have compromised the carrier account credentials first. This raises the bar for execution: rather than social engineering a carrier store employee, the attacker must obtain the carrier account password (through phishing, credential stuffing, or data breaches) and bypass any two-factor authentication on the carrier account itself.
Hong Kong users should protect against eSIM swap by treating their carrier account with the same security rigour as a banking account. Set a unique, strong password for your HK carrier account that is not reused anywhere else. Enable 2FA on the carrier account — all four major HK carriers support authentication app-based 2FA for account login. Add a carrier account PIN or password that must be verbally verified before any SIM-related changes (number transfers, eSIM profile downloads) are processed. This PIN acts as a second layer of protection beyond account credentials — even an attacker who has obtained your carrier login password cannot transfer your eSIM profile without also knowing the account PIN. OFCA (Office of the Communications Authority) in Hong Kong has issued guidance encouraging carriers to implement stronger customer verification for SIM management operations.
eSIM's ability to be provisioned and managed remotely over the air is both its greatest convenience advantage and the area that most needs to be understood from a security perspective. The GSMA RSP (Remote SIM Provisioning) architecture specifies that all eSIM profile downloads occur through authenticated, encrypted connections to a Subscription Manager Data Preparation (SM-DP+) server operated by the carrier. The SM-DP+ server and the device's eSIM secure element perform mutual authentication using certificate-based cryptography before any profile transfer occurs — neither end accepts the connection unless the other can prove its identity through valid certificates in the GSMA-controlled certificate hierarchy. This means a malicious server cannot push an unauthorised eSIM profile to your device without a valid certificate signed by the GSMA root CA. Note that this check establishes who the server is; it does not question a profile transfer that a compromised carrier account has legitimately authorised, which is why the SIM swap path described above remains the relevant risk.
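As an added illustration (not code from the GSMA specification or any carrier), the following Go program models the eUICC's half of that mutual authentication as a plain X.509 chain check: a constructed GSMA root, a carrier sub-CA and an SM-DP+ certificate are accepted, while a server under a rogue root presenting the same hostname is refused. The real SGP.22 handshake also has the SM-DP+ verify the eUICC's own certificate and uses a specific certificate profile; both are left out here, and every name below is constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a constructed certificate for name, signed by parent (self-signed when
// parent is nil). Only the chain-of-trust fields are modelled, not the SGP.22 extensions.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { // root: signs itself
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// EUICCAcceptsServer models the eUICC side of the mutual authentication: the SM-DP+
// certificate passes only if it chains, via the presented intermediate, to the trusted GSMA root CI.
func EUICCAcceptsServer(gsmaRoot, intermediate, server *x509.Certificate) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(gsmaRoot)
	inter.AddCert(intermediate)
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err == nil
}
// Scenario: a genuine SM-DP+ chain versus a server under a rogue root using the same hostname.
func Scenario() (genuineOK, rogueOK bool) {
	gsma, gsmaKey := issue("GSMA Root CI (constructed)", true, nil, nil)
	sub, subKey := issue("Carrier Sub-CA (constructed)", true, gsma, gsmaKey)
	smdp, _ := issue("smdp.example (constructed)", false, sub, subKey)
	rogueRoot, rogueKey := issue("Rogue Root (constructed)", true, nil, nil)
	rogue, _ := issue("smdp.example (constructed)", false, rogueRoot, rogueKey)
	return EUICCAcceptsServer(gsma, sub, smdp), EUICCAcceptsServer(gsma, rogueRoot, rogue)
}
```

Running Scenario returns true for the genuine chain and false for the rogue one, regardless of the hostname the rogue server claims.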
Remote deletion and deactivation of eSIM profiles is technically possible within the GSMA architecture and has legitimate uses — carriers can remotely deactivate stolen devices' eSIM profiles to prevent misuse, and corporate IT administrators can remotely wipe eSIM plans from employee devices when the employment relationship ends. However, this remote management capability is controlled by the carrier and requires authentication — a third party cannot remotely delete your eSIM without going through your carrier's systems with appropriate credentials. The practical security implication for individual users is that your carrier has greater administrative control over your eSIM than over a physical SIM that has already been issued and is in your possession. This is a trade-off that favours convenience and corporate management use cases but represents a theoretical carrier-trust dependency that does not exist with a physical SIM card you physically hold.
The overall security verdict comparing eSIM to physical SIM is that eSIM provides meaningful security improvements in the most common real-world threat scenarios — physical theft, SIM removal, and cloning attacks — while introducing a different risk profile around carrier account security and remote management that requires informed management. For most Hong Kong users, the net security outcome of switching to eSIM is positive, provided they properly secure their carrier account credentials and add a carrier account PIN. The weakest point in the eSIM security chain is typically the carrier account, not the eSIM technology itself. Users who have secured their carrier account are significantly better protected against the most prevalent mobile number-based attack vectors under eSIM than under physical SIM.