Cellphones Security Virtualization

Ask Slashdot: How Secure Is a Cellphone's eSIM? (pcmag.com) 41

A few months ago PC Magazine explained eSIMs: You almost certainly have a SIM card: a thumbnail-sized chip that sits in your mobile phone, telling it which carrier and what phone number you use. Now those SIMs are going digital (or "e") and moving your information to a reprogrammable, embedded chip.

A SIM card is a "subscriber identity module." Required in all GSM, LTE, and 5G devices, it's a chip that holds your customer ID and details of how your phone can connect to its mobile network... An eSIM takes the circuitry of a SIM, solders it directly to a device's board, and makes it remotely reprogrammable through software... There are some minor consumer downsides, though. With eSIMs, it's harder to switch one plan between devices — you can't just swap the physical card around — and they can make it harder for you to temporarily remove your SIM if you don't want to be tracked by a carrier.

Google's Pixels have had eSIMs since 2017, and Apple's iPhones have had them since 2018...

Now let's see how long-time Slashdot reader shanen feels about them: Shopping for a new smartphone due to premature battery swelling of a cheapie, but surprised to find out I can't just plug the SIM into a new phone. There ain't no SIM here, but rather the dying phone has an eSIM.... Quick research indicated it's only software, so my obvious question is "How secure can an eSIM be?" (The obvious search results also fail to produce "fresh" results.)

But the black hats have already had a couple of years to work on the problem, and it seems intrinsically difficult to do anything securely if you're only using software. My probably obsolete understanding is that part of the basis of SIM security is that you'd have to destroy the SIM to save its data, but is there an actual security expert in the house?

Related question based on my surprise. How would you even know if you're using an eSIM? Especially since it appears to be possible to use an eSIM on a phone with a SIM.

Share your own thoughts and opinions in the comments.

  • With really bad encryption on the 2/3/4/5/6G backend.
    Seriously, the protocol's official encryption is garbage and everybody knows it and nobody says anything because it's deliberate.
    (A SIM talks to the provider via packets forwarded by your phone / baseband.)

    So: Welcome your new old master. Now with more lock-in. Because monopolism is illegal, but localized monopolism, like lock-in, intellectual property, exclusive (work/product/...) contracts, or the many many other ways we have nowadays, is still legal.

    • by Kisai ( 213879 ) on Saturday July 10, 2021 @02:51PM (#61570063)

      Partially correct.

      The physical SIM chip can be upgraded with better models over time, and replace encryption models to become more secure. If the carriers let it at least.

      We've already had one upgrade happen, with the change from 2G/2.5G SIM cards to 3G USIM (as in UMTS, not AT&T and T-Mobile's garbage marketing)

      However, eSIMs are just soldered versions of nano-SIM cards.

      There is an "all-software" version of SIM cards which are used with throw-away phones called "Virtual SIM".

      • The physical SIM chip can be upgraded with better models over time, and replace encryption models to become more secure.

        No they can't, they still require support on a wide range of devices. Given the secure life expectancy of a typical phone is only 2 to 3 years there's really no difference in upgradability between an eSIM or a physical SIM.

        In fact now that I think about it, if there were you'll likely find it's the eSIM which is better. A physical SIM needs to be supported by all sorts of phones including those which haven't received security updates in a long time. An eSIM only needs to be supported in the current phone me

  • by Kokuyo ( 549451 ) on Saturday July 10, 2021 @12:15PM (#61569639) Journal

    The difference between SIM and eSIM will be negligible compared to whatever crapware is installed on the thing.

    You want safety? Stop carrying around a permanently online device that knows where you are, what you do on the internet, who your friends are on- and offline.

    If you already decided that the amenities are worth THAT risk, being bothered about the difference between SIM and eSIM is a strawman.

    • The FUCK makes you think us consumer plebs have a choice in the matter? You act like we asked for eSIMs.

      Take your strawman argument, and shove it in the closet.

      • by Malays2 bowman ( 6656916 ) on Saturday July 10, 2021 @01:24PM (#61569803)

        eSIMs do not benefit the consumer one damn bit, and only benefit the corporations 100%

        Woe unto those who need to take a sim out of their dead phone and put it in their old standby in case they need to have a fucking working phone until the next paycheck.

        This is what the powers to be want, a future where the little folk have no control over their lives, but instead crawl on their hands and knees to their masters' thrones and while licking their feet, beg them permission to use the bathroom pr. His Majesty's Pleasure.

        I've given up trying to change this fucked up world. People want to be forever infantile, having to ask permission to go potty or to even breathe? Fine. Fuck them. They deserve what's coming to them for being brainless cowards, bread and circuses loving morons, always being told what to do. I don't care anymore. I'm old enough to die (hopefully) before having to endure 100% the shitpot freedomless micromanaged world that Gen Z and beyond is about to receive.

        • "I'm old enough to die (hopefully) before having "

          ick, best to calm down before hitting that "submit" button. Meant to say

          "I'm old enough that I'll likely be dead (hopefully) before having to endure the new shitpot world"

          • If I read that, I can fully understand why Y and Z gens hate boomers.

            • Maybe it would be a bit wise to hear what "boomers" have to say once in a while.

              If you told people 30 that they would have to "subscribe" to use their own washing machine, and they would be monitored by some big remote monolithic entity, you would be laughed out of the room and perhaps have the white coats called on you to take you away.

              Now it seems Gen Y, Z, ABC...etc are more than happy to bow down and submit to this type of abuse. How hard is it to use a fucking washing machine without an app telling you

        • "You will own nothing and you will be happy"

          Everything is now a subscription model that you cannot do without. Deal with it or we will cancel your bug rations or kick you out of the pod you rented. And because of covid-21-22-23, it will be illegal to be outside, so beware.

          • Ironically, because of Covid, the cops have greatly reduced their crackdowns on homeless encampments, at least in Los Angeles. Mostly because no politician wants to be the target of super outrage and have people with pitchforks and torches at their door. They did catch some shit for allowing the encampment situation to get out of control, but to be fair, they were caught in a damned if you do, damned if you don't situation, though a bit less damned than if they went full on Brownshirt on the homeless

            Maybe in

    • These arguments that because of a pre-existing problem A, everyone should happily welcome new problems B and C into their lives... or tolerate A becoming ten times as problematic.

      "You broke your leg and still try to walk, that means you consent to have your ankle broken, too"

      "You just lost your job, why are you bothered that your car burned down the same day?"

  • by retchdog ( 1319261 ) on Saturday July 10, 2021 @12:23PM (#61569655) Journal

    eSIM is just about as secure as SIM, which is to say, not very.

    > "those SIMs are going digital (or 'e')"

    wow, i didn't know SIM chips were analog. how does that even work?!

    > "intrinsically difficult to do anything securely if you're only using software"

    uh, what? the eSIM runs in its own hardware enclave. it's not, like, just another app using system ram.

    > "My [...] understanding is that part of the basis of SIM security is that you'd have to destroy the SIM to save its data..." ... i can't... even... wtf, are all SIMs wired to a tamperproof thermite charge or something?

    • by larwe ( 858929 ) on Saturday July 10, 2021 @12:35PM (#61569697)

      > "My [...] understanding is that part of the basis of SIM security is that you'd have to destroy the SIM to save its data..." ... i can't... even... wtf, are all SIMs wired to a tamperproof thermite charge or something?

      Plenty of secure microcontrollers have anti-tamper coatings on the die to prevent reverse-engineering via decapsulation and microscopy/probing. Some of them are reactive coatings that actively destroy the chip within if the package is opened. More often they're just super-hard-to-remove coatings that can only be removed by applying heat or chemicals that will also destroy the chip features. This patent, for instance: https://patents.google.com/patent/US8664047B2/en [google.com]

      However, I think the OP was saying "in order to read out the contents of a SIM, you have to destroy it" - which decapsulation, FIB probing etc would definitely do. In other words, you can't borrow someone's phone, read out the SIM data, and give it back to him in the same condition he gave it to you.

      • In other words, you can't borrow someone's phone, read out the SIM data, and give it back to him in the same condition he gave it to you.

        Given how crappy the "security" of the SIM is, there's no reason to. And any hardware pales in comparison to some guy in an Indian call centre who'll happily send you a new one to a different address after you feed them some sob story.

    • "wow, i didn't know SIM chips were analog. how does that even work?!"

      Yeah those analog chips were something else back in the 1930s. Just replace "smartphone" with a box the size of a small filing cabinet, and "chip" with a caddy of vacuum tubes. :O)

  • by TechyImmigrant ( 175943 ) on Saturday July 10, 2021 @01:53PM (#61569897) Homepage Journal

    TFS claims that eSIMs are only software. All the eSIM designs I've been involved in most definitely have a hardware component. Principally an entropy source, extractor, a local unique identity (think PUF but usually not because PUFs are hard) and side-channel and fault injection mitigated crypto algorithms. Software does the protocol nonsense and invokes the hardware as needed.

    • by shanen ( 462549 )

      If TFS refers to me, then I can only guess what the F stands for. Care to clarify?

      However as soon as the TPM module was mentioned, I can sort of understand how the eSIM could provide a level of security comparable to a conventional SIM. My initial queries went in two directions, but neither of them got me there. (Years ago I was supporting some researchers when TPM was quite a new idea for secure booting.)

      Not sure if it will add entertainment value to the story (but it must already be a slow news day for th

  • by PPH ( 736903 ) on Saturday July 10, 2021 @02:02PM (#61569923)

    Are you the consumer, the carrier or the phone manufacturer?

    For the consumer, not very secure. If someone can call a carrier and use a little social engineering, they can hijack your number regardless of whether you have a SIM or eSIM. Crying lady with kids screaming in the background. She lost her phone and simply must switch the number to a new unit. And no, she can't come in to a phone store and show ID. What kind of insensitive beast are you anyway?

    For the carrier, not very secure either. Someone brings a phone in to a new carrier and says "Switch my number to your service." The law is on their side. The old carrier had better switch fast or FCC complaints will be filed. Never mind the blood spatter on the phone.

    For a manufacturer, very secure. If their software tool which the carriers must use to provision an eSIM checks back with the manufacturer's customer database, they can determine whether or not this sucker^H^H^H^H^H^Hcustomer should be allowed to switch brands. And make the decision to release/not release the number to a competitor's eSIM or removable SIM by selectively triggering an application error.

  • by mveloso ( 325617 ) on Saturday July 10, 2021 @02:27PM (#61570001)

    the thing just as secure as the other thing. You can reprogram a sim, you can reprogram an esim. In the end it's as secure as your provider and the system in which it operates.

  • by Anonymous Coward

    This is a red herring. In practical terms, the difference is that with a physical SIM you can swap it to a different device without 'permission'. For an eSIM, you need permission from your masters.

    That's the only difference that matters.

  • Goddamn NDAs.

    In unrelated news, I use an old school phone with a physical SIM card. But that's of course only my personal preference and has absolutely nothing to do with security considerations.

  • Asking whether it's 'secure' might be the wrong question... or at least, only a small portion of the right one.

    Ask ANYBODY who's ever been a customer of AT&T how many times AT&T's official solution for 'dysfunctional phone' has been 'replace the SIM card'. And more surprisingly... how often it actually WORKS (answer: almost always). As I understand it, the SIM card ITSELF is perfectly fine, but AT&T's own fucked up provisioning system can get itself corrupted in ways that AT&T's tier 1 and t

    • by Bert64 ( 520050 )

      Because sadly the industry has evolved that way...
      People don't understand the systems well enough to fix them, so their solution is to reboot, reset to defaults, replace etc.

  • I think the article is assuming that SIM cards are secure.

    I was under the impression there were many known security vulnerabilities with Java Card which runs on SIM card implementations already...

    https://www.securityweek.com/m... [securityweek.com]

    And there's a lot that pre-date this as well.

    So, I think the better question is whether eSIM is more secure than SIM cards?

  • Well the only thing you could do is to clone an "eSIM". However that's moderately easy to detect as you'll have several locations stored in your location database with the same IMSI but a different IMEI. While this probably can happen on "accident" (battery runs empty and you switch phones), it happening regularly and over large amounts of time would be an obvious flag.

    BTW here's an introduction on SIM-Cards:
    https://media.ccc.de/v/36c3-10... [media.ccc.de]
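
The cloning check described in the comment above (one IMSI showing up with different IMEIs regularly over a long period, as opposed to a one-off phone swap), sketched as an added example that is not part of the original thread. The record layout, the thresholds and every IMSI/IMEI value are constructed assumptions, not a carrier's actual location database.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed location-update records: (timestamp, IMSI, IMEI). All values are made up.
SAMPLE_UPDATES = [
    # Subscriber 1: swaps phones once (dead battery, new handset) -> benign
    ("2021-07-01T08:00", "001010000000001", "350000000000011"),
    ("2021-07-02T08:00", "001010000000001", "350000000000011"),
    ("2021-07-03T08:00", "001010000000001", "350000000000029"),
    ("2021-07-04T08:00", "001010000000001", "350000000000029"),
    # Subscriber 2: same IMSI keeps alternating between two handsets for days
    ("2021-07-01T09:00", "001010000000002", "350000000000037"),
    ("2021-07-01T21:00", "001010000000002", "350000000000045"),
    ("2021-07-03T10:00", "001010000000002", "350000000000037"),
    ("2021-07-04T22:00", "001010000000002", "350000000000045"),
    ("2021-07-06T07:00", "001010000000002", "350000000000037"),
    # Subscriber 3: one handset only
    ("2021-07-01T10:00", "001010000000003", "350000000000052"),
    ("2021-07-05T10:00", "001010000000003", "350000000000052"),
]


def find_clone_suspects(updates, min_switches=3, min_span=timedelta(days=2)):
    """Return {imsi: (imei_switch_count, distinct_imei_count)} for IMSIs whose
    IMEI changes at least min_switches times, with the first and last change
    at least min_span apart. A single handset swap never reaches the threshold."""
    by_imsi = defaultdict(list)
    for ts, imsi, imei in updates:
        by_imsi[imsi].append((datetime.fromisoformat(ts), imei))

    suspects = {}
    for imsi, events in by_imsi.items():
        events.sort()  # chronological order
        # Timestamps at which the IMEI differs from the previous update
        switches = [t for (_, prev), (t, cur) in zip(events, events[1:])
                    if prev != cur]
        if len(switches) >= min_switches and switches[-1] - switches[0] >= min_span:
            suspects[imsi] = (len(switches), len({imei for _, imei in events}))
    return suspects


if __name__ == "__main__":
    for imsi, (switches, imeis) in find_clone_suspects(SAMPLE_UPDATES).items():
        print(f"IMSI {imsi}: {switches} IMEI changes across {imeis} handsets")
```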

  • My probably obsolete understanding is that part of the basis of SIM security is that you'd have to destroy the SIM to save its data, but is there an actual security expert in the house?

    Where ... just where on earth did that come from? Each SIM has an ID number, which is hard-to-impossible to change - probably a WORM memory chip, fixed by UV or over-heating or something. A PROM, versus an EEPROM. But the data within a SIM is held on EEPROMS - it's intended to be erasable. Store a contact on the SIM (a very
