The eSIM debate

The GSMA has now released the second version of its global specification that enables Remote SIM Provisioning in any consumer device. This enables the device to be provisioned with more than one operator profile, which will extend the specification to a wider range of devices beyond the single companion device enabled by the first release of the specification.

Now device manufacturers and operators will be able to offer consumers the ability to select the operator and the device of their choice, and then securely download that operator’s profile to their device. – GSMA

Whether we like it or not, eSIM is coming… but its arrival and the changes it will bring are widely debated. Funnily enough, there are some people here at the MWC in Barcelona this week who may remember that there was a time when mobile phones didn’t have SIMs… no user profiles… eSIM takes us back to SIM-less phones, but in quite a different way.

ROCCO is pro-eSIM! But we also like to follow the debate on the launch of consumer eSIM as it comes to market…

Part 1: The people

The idea of eSIM started off with Apple back in 2011: the tech giant wanted to create an MVNO platform with a selection of wireless networks which could provide connectivity to Apple users, and 3 years later, the company created its own SIM embedded into its tablet devices.

These innovations were met with a lot of resistance, but it is natural for new, bold ideas to take a while to be assimilated and now, in 2017, the words on everyone’s lips are IoT and eSIM. How things change.

If you’re still confused about what an eSIM is: it’s an electronic SIM card embedded into your mobile device, so you won’t need a physical one. The eSIM will allow you to change networks almost instantly without the need to go to a store, which, in turn, might render stores useless, and they could disappear with time. Maybe not a great idea for MNOs if they rely on upselling new products and services to their clients every time they visit the store.

You won’t need to request a new card every time you move to a new network and you won’t need it to transfer your contacts; all you’ll need is a password to unlock the device’s embedded SIM. It sounds great in practical terms, but in reality, this presents an invaluable gold mine for hackers. We know people’s reputation with passwords: ‘123456789’ and ‘11111111+’ are favourites among lazy consumers.

Let’s hope this eSIM card has more security measures installed to at least force consumers to have a more complicated password, because over-the-air provisioning sounds as flimsy as it sounds fancy.

Security issues aside, trust issues have always been a huge problem between clients and MNOs. We’ve all suffered bill shock at some point, been deceived one way or another, or received a bill with duplicated services or random leaks of little cost here and there that, in the end, accumulate to a shocking price.

Well, it’s not about to get any better. Consumers, just as much as MNOs and vendors, are aware of the fragile security structure of M2M and eSIM, but not only that – many believe the eSIM is just another way for MNOs to take full control.

“Smartphones ‘don’t have the space to accommodate SIMs’. No, they do. Device vendors want to do away with physical SIMs so that they, not operators, are in control. The Network operator and Device maker then do deals. Less control to consumer. Have you LOOKED at a SIM, never mind the pointless new smaller ones (that we don’t really need anyway). BATTERY dwarfs everything else. It’s not about saving space, that’s merely spin to justify user loss of control. Unless the device is locked to a network, the operator has no control with physical SIM, user can change it and many governments have demanded users should be able to unlock.

“The virtual SIM is all about giving a partnership of a Network Operator and Device maker control and the user less control.” – Mage

Countless comments similar to this one, extracted from The Register, have resurfaced across the net under popular telecom eSIM announcements. Would there be any MNOs left with physical cards? Would there be a choice at all? Conflicting arguments would provide contrast to this air of paranoia, but they were ‘downvoted into oblivion’ and harshly criticised.

“My phone, my choice. Here’s a hint for phone manufacturers and network operators – no SIM, no sale! I’ll decide what network I’m going to use and where – and I’ll be making that choice by removing the SIM from my phone and replacing it with the one in my pocket anytime I feel so inclined, I will not be contacting a call centre and trying to explain to someone with a questionable grasp of my language that I want to change operators for a couple of weeks while I’m on holiday in another country.

“It’s so simple. Just take the SIM out of one phone and put it in another. To fxck up that flexibility would be criminal.” – Slap

Sometimes even professional opinions emerge among the myriad of outrage:

“The big problem with these re-programmable SIMs is the encryption. It needs to be downloaded onto the device to connect to a network. Without being connected to a network. Telcos are remarkably protective of Ki as possession of it would get you a good way towards being able to do all sorts of nefarious things. They certainly wouldn’t want it broadcast over a bearer they don’t control. So you need a neutral, trusted 3rd party with a secure comms capability to deliver that information onto the SIM to get it to work in the first place. Good luck with that. Then if you change from network A to Network B, network B has to trust to send its secrets over a competitor’s network. Of course the SIM vendors have had the tech for all this for years, but the trusted delivery is not there. As consumers we want to be able to swap telco with 2 button pushes, but there is a long way to go.
Anon cos certain telcos pay my mortgage.” – Anonymous

It’s an undeniable fact that the tech industry is suffering from a great lack of cybersecurity specialists. Some vendors have expressed concern and even believe that the tech world should not move on to a global adoption of IoT until proper security measures have been put in place.

“Sounds initially like a good idea. But then 15 seconds thought later, sounds like it’s probably full of loopholes and will make it easier for the scammers to go out cloning and run up big bills for people.” – Rybags

“Esims would be gold to hackers. They can use your identity literally without you knowing it.” – Jerusalem

Whether these people have any fluency on the matter is a different question, but it seems to be a global concern for many, including those who work within the industry.

How fragile the network actually is will be revealed quite soon: as we speak, MNOs from all over the world are attending the Mobile World Congress in Barcelona this week. But it is unlikely that the security loopholes will take the spotlight – most would prefer to discuss their new initiatives, deals and tech designs.

All the rush into the Internet of Things will leave behind undeniable evidence of its incomplete shape, and the day devices start acting up on a massive and threatening scale will be the day the Internet will explode with rage.

What the actual security problems in IoT and eSIM are will be discussed next week in Part 2.

Written by Polina Hristova, Journalist at ROCCO, and Jason Bryan, Editor in Chief!