Thursday, March 7, 2024

Prefer eSIMs

The SIM (Subscriber Identity Module) is a finger nail sized integrated circuit (IC) that fits into a slot on your wireless phone.  It stores a number called the International Mobile Subscriber Identity (IMSI) and its related key.  

The IMSI is what associates your mobile phone with your telephone number and your mobile service provider.  It is "provisioned" by your service provider when you open your account and place it in your phone.  If you get a new phone all you need to do is move the SIM to the new phone in order for your number to ring on the new phone. Your number travels with the SIM.

Your phone also has a unique identifier, the International Mobile Equipment Identity, or IMEI.  When you make a call, the system sees both the SIM and the IMEI.

Your service provider also has an account number for you that they use to record all the information about your plan, your charges, payments, and balance or credits due.  This number is unique and binds you and your carrier.  It remains the same across phones, phone numbers, and SIMs.  

Many of us use our phones as evidence of our identity in systems of strong authentication (at least two kinds of evidence, at least one of which is resistant to replay).  This takes two forms.  We may have a "soft token" (e.g., Google Authenticator, Microsoft OKTA, Symantec VIP Access) on our phone. This is an app that generates a one time password every minute.  The app is synchronized with a server in the Internet.  Another app, for example for your bank account or other business application, may prompt for the OTP at logon time.  It will submit the number you supply to the server to ensure that you have the soft token.  Possession of the phone, "something you have" and can use, as one form of evidence in a system of strong authentication.

Alternatively, you may register your phone number with an application provider.  At logon time, the provider may send a OTP message (SMS) to your phone which you can copy and paste into a prompt at logon time.  Only someone receiving the text, that is can receive text at that phone number, can successfully logon to the application.  This is marginally more convenient than the soft token; it is also marginally less secure.  It depends upon the application provider having the right phone number associated with your account, and your wireless service provider having your phone number associated with your phone.  

Herein lies the limitation of this measure.  If an attacker can dupe your wireless service provider into re-assigning your number to his device, then he can receive the OTP message.  Because this attack usually involves the wireless service provider also giving the attacker a new SIM, this attack is known as "SIM swapping."  A similar attack involves duping the application provider into  changing the wireless phone number associated with your account to that of the attacker.  Both of these attacks require duping support personnel.  (See also "port-out" attacks.)

Note that support personnel are trained and motivated to be supportive.  If they think that they are talking to you, they will do whatever they are asked.  Of course, they are also trained and motivated to be sure its you but there are lots of them and their training may be spotty.

This is where the eSIM comes in.  Instead of storing the IMSI on an IC, in late model phones it can be stored in a High Security Module (HSM) on the phone.  Instead of being provisioned by support personnel at your wireless provider, it is provisioned by you either by running an app on your phone or scanning a QR code.  

The app comes from a network service provider (e.g., AT&T, Verizon, T-Mobile) or a contractor (e.g., Consumer Cellular, AARP, Mint Mobile, Nomad) with those that do.  It is to be hoped that you are a little more concerned with your identity than any of these service providers.  These contractor service providers, that do not operate their own networks, may compete on the basis of price, coverage, data plan, or a combination of these.  While some may provide a SIM card for old phones, for late model phones they use eSIMs.

In any event, if your phone suddenly stops working, you may be the victim of a SIM swap.  Contact your service provider immediately.  Do not hesitate.











No comments:

Post a Comment