Ask HN: Why are SIM cards still a thing?

230 points by glennos ↗ HN
Using SIM cards in mobile phones seems antiquated. Should there not be a software solution that lets you select which network/s the phone should connect to?

Feels like this is probably the result of telco networks wanting as much friction as possible to change providers, but is there something more to it?

190 comments

[ 0.19 ms ] story [ 310 ms ] thread
Because they handle private keys that is soldered to chip and can't be retrieved at all. Before sim cards there was something in the phones that can be easily reprogrammed and you always have to walk to your carrier office to "program" your phone. Swapping of sim cards is much easier.
Usually these unique bits are burned in with fuses as a step in manufacturing in a non reversible process.
At least one can change the SIM and can un-locked phones that dan be used all around the world and I can easily swap the SIM card. Why change it, it works great as intended and all software service solutions would mean a middle man is in the game - that would suck, right? (except you eant to be the middle man)
You know if that happen then flip phone users will have hard time because network will promote only high end selective phones. SIM card gives you freedom of putting it in $25 or $640 phone and it works just fine. People with security, budget and privacy concern go for flip phones. Just like net neutrality, phone neutrality is a good thing. One should never be forced to purchase smart phone if he does not want it. A dumb phone just works fine for calling and text messaging. I have never used internet on my phone and I will never be excited about it (3G 4G, 5G or anything). I carry my laptop everywhere I go and it serves my need well.

I must add you can find flip phones cheaper than cost of lightening cables.

> People with security, budget and privacy concern go for flip phones.

No. That ensures you can't send encrypted messages or do encrypted calls.

Also see one of the reasons Signal moved to sending encrypted messages as data and stopped supporting encrypted messages sent as sms.

> SMS and MMS are a security disaster. They leak all possible metadata 100% of the time to thousands of cellular carriers worldwide. It's common to think of SMS/MMS as being "offline" or "peer to peer," but the truth is that SMS/MMS messages are still processed by servers--the servers are just controlled by the telcos. We don't want the state-run telcos in Saudi, Iran, Bahrain, Belarus, China, Egypt, Cuba, USA, etc... to have direct access to the metadata of TextSecure users in those countries or anywhere else.

https://whispersystems.org/blog/goodbye-encrypted-sms/

Well, they at least they no longer leak them to the servers of every application provider on their smartphone.
Apps on your smartphone only get access to your messages if you give them permission.
Apps routinely ask for many more permissions than they have reason to and users have been conditioned to just 'get it over with'. Technically you are right, in practice users hand over the keys to the kingdom without a moments pause to think of the implications.

Now, you could of course argue that they only have themselves to blame.

I'd argue that if someone wants to get a flip phone for privacy reasons they should be able to not download shady apps and give them permissions without thinking.
Flip phones have some of the best protections available: the sensors aren't there. You can't leak your location if there is no GPS module in your phone, you can't have your camera hacked if there is no camera and so on.

I'd prefer all this stuff came with physical switches so it can be enabled/disabled in a hack-proof manner.

Location tracking is possible without GPS module https://en.wikipedia.org/wiki/Mobile_phone_tracking

What's your threat model? https://ssd.eff.org/en/module/introduction-threat-modeling

For most people mass surveillance is a more realistic threat than the NSA hacking their camera.

Corporations merging their databases. This is happening in real time, right now.

I don't have any illusions about being able to stay private from the eyes of nation state level adversaries but commercial entities can still be kept out if you try.

You can't leak your location if there is no GPS module in your phone

While not as precise, you can definitively leak your location by scanning for the surrounding cell towers, especially in a city, which usually have hundreds or thousands of them (Manhattan alone has eleven, for example). I used to run a Python script on my Nokia phone that logged the tower ID, and I could reliable tell when I got to work, home, etc.

And that's just for people who control your phone. Your operator has U-TDOA¹, which is typically accurate to 50m.

The camera part is true, but tape is cheap :)

¹ https://en.wikipedia.org/wiki/U-TDOA

Sure, but that's telcos and the local law enforcement. It's not google, facebook, 500 advertising networks and a whole pile of other parties.

It's also not accurate to within enough resolution start targeting advertising and other nuisance information at me even if there was a way to present me that (which there isn't).

I'm well aware of the power of triangulation, I used to go fox hunting.

http://www.homingin.com/

> especially in a city, which usually have hundreds or thousands of them (Manhattan alone has eleven, for example)

That's really quite a way from "hundreds or thousands".

Sorry, I didn't explain myself well. I'm just talking about the main towers, for each of those there are many smaller ones. Check out http://opencellid.org/ it's amazing, actually.
Yes, security and flexibility.

1) Security: telco laws these days often require registration of accounts to your personal ID (i.e. no anonymous usage any more). How would a pure soft-SIM be able to fetch the data from the network?

2) Flexibility: SIM is pretty much standardized. This means a newcomer MVNO just has to issue SIM cards and the customer can use any kind of phone (or other interface, like a modem, a 2G/3G shield, ...) to use the network. And if a device breaks, then the SIM card usually stays intact and can be placed in a new device. Not sure how to securely do this with a soft-SIM.

Wouldn't e.g. a username and password accomplish the same thing as what you're describing?
Now any hacker that finds a flaw in a mobile OS will be able to impersonate you with another phone. For what gain?
The SIM card is a smart card, i.e. a secure piece of hardware, that protects the telephone network from the subscriber - most importantly, it ensures that the network has someone to bill.

In most western countries, SIMs do little else; however, they are full application platforms, allowing stuff like Kenya's mobile payment network https://en.wikipedia.org/wiki/M-Pesa.

For what it's worth, you really don't want to have every network provider negotiate with Samsung for the particular access policy of that network. "Not compatible with your telephone" indeed!

Yeah, while I can appreciate the question (curiosity is a good things) I don't think anyone with experience of software should be surprised. When you consider things like passwords, credit cards, wifi login and e-mail addresses the question is really why aren't more things like sim cards. (which is kind of what Apple is trying to do these days?)
The Yubikey Neo and similar gadgets are pretty much the same thing as USB smart cards. The software could be improved but in the end it is a pretty convenient way to achieve two factor authentication.
Doesn't every login form on the web also protect the respective operator from the subscriber? Why can't a "software SIM" simply be a username and a password?

My explanation is that it's difficult to change something that literally the entire world uses.

We're moving away from usernames and passwords though, into 2-factor systems such as... smart cards (Chip and PIN). Regressing phones back into usernames and passwords is a clear step backwards in security.
Yes, and remember too that SIMs are standardised technology from the mid-1990s, originating in GSM. It's not a trivial matter to change security in globally standardised technology.

(and Even if you did, it would need to be backward-compatible and still support SIM cards)

There is a good deal more to telecoms tech than just the tech side - the standardisation process brings a whole bunch of competitor companies into a room to develop a solution, incrementally over a number of years.

This applies from physical aspects all the way up to higher level concerns like security. It's a fascinating development process.

Who would you want to hold your 'software SIM' username and password? What's to stop someone else from logging in to your account once they have your credentials?
I have hundreds of usernames and passwords for various web sites and don't see a problem in having one more(?)
Interesting. I try to keep the number of usernames and passwords I have to an absolute minimum because I don't trust any of those to keep that secret, nor do I trust my computer to not spill the secrets somehow through a browser bug or other drive by exploit.

At the same time I totally trust my sim, it's never been more than 10 meters away from me in the last decade or two, hasn't failed me even once and it would be very hard to get it to cough up its secrets without my cooperation (so rubber hose cryptography would still work).

Contrary to www security the phone system seems - from my perspective - at least to have done a half decent job at integrating 2FA when your average website - 20 years later - is still making up its mind about whether or not that might be a useful thing to add.

If you use actual strong passwords then you are an outlier. Most people use basic words like "password" as shown by every password dump in history. Indeed, most people would use the very same weak password they use for their e-mail for their mobile, and this would reduce protection against spoofing versus continuing to use the SIM system.

What we need is a SIM-type system on the web as well, not to bring the broken web password system elsewhere.

Furthermore, any security system that effectively relies on the user possessing more than one computing device (e.g., using your laptop for access to a password manager or email address) fails for the significant and increasing swath of humanity for which their phone is their [first and] only such device.
Client TLS certificates have been a thing since forever, but browser makers keep it a pain in the ass, and too many "modern" software stacks don't even consider leveraging the decades of infrastructure that would make their job easier. Add to the fact that identity aggregators want to be producers, but rarely allow themselves to be consumers and we get stuck in the hell that is identity online.
Because username and password is a disaster for security. It's sole purpose is let ANY guy ANY where on the planet connect to your account.

SIM cards are cryptographic hardware tokens. They are much more secure than passwords.

In fact, they do need a password as well on top of the hardware token, that's the 'PIN code' you have to enter when you (re)boot your phone.

Most of the internet runs on usernames/passwords. I understand that a hardware token (with a PIN) is more secure. But is it worth the added complexity?
> But is it worth the added complexity?

If you don't want your account to be hacked: yes.

The SIM protects the carrier against "account sharing". It allows them to be sure that a subscriber is only using one phone at once - although it's portable between phones.

It means that carriers don't have to maintain "sessions" centrally. The SIM can authenticate you to the base station without the base station having to check back to see if you're logged in elsewhere - vital in reducing the latency of cell changes.

(It also stores various bits of technical information for SMS/MMS routing, and was intended to be a platform for "value added" applications.

Account sharing in a telco context is a bad thing all around. Which phone would you like to ring? How do you ensure the charges really are made by (and to) the right person? How will you protect against messages with important information landing with the wrong party?

Authentication in a telco context is a good thing, the fact that the web doesn't have it enabled a large number of applications to flourish, it also made some other things devilishly hard, or even almost impossible.

>It allows them to be sure that a subscriber is only using one phone at once

Only on home network, everybody who knows your IMSI and have low level access to phone network can clone your identity in roaming.

Carriers do maintain sessions centrally though. These are the HLR and VLR - home location register and visitor location register. This is how "hand offs" between towers work. Handsets don't authenticate to the base station, the base station proxies those back to the MSC, mobile switching center and are looked up in the EIR - Equipment Identity Register.
Do you happen to know of a good breakdown of how mobile networks work? I'd love to know more, but it's hard to get a handle on it to get started.
Sure:

Its helpful to understand the history of mobile/wireless I think since the Telecom industry takes acronyms to an insane level. The terminology changes slightly depending on which generation of mobile is being discussed. This is a good breakdown of the evolution of mobile networks. I think its a good starting point:

http://www1.i2r.a-star.edu.sg/~wongtc/EE5406-Network-Archite...

This is a good resource for understanding more recent and relevant mobile architecture. This has a lot more detail:

http://www.slideshare.net/abhishekshringi/gsm-architecture-1...

If you really want to learn mobile and wireless networking, this is unbeatable and very thorough, I highly recommend it, grab a used copy.

https://www.amazon.com/Wireless-Communications-Andreas-F-Mol...

If you just want the 10K view see:

http://www.telecomspace.com/gsm.html

Guess I've got some reading ahead of me. Thanks!
There is no added complexity. Just buy a SIM card and put it in your phone. It is very simple and straightforward.

The alternatives are worse in usability AND security.

I'd very much argue that a hardware token is more secure, and less complex, especially with multiple devices. It's a lot easier to remember where you put your smart card than to need to get a password store somewhere shareable, to secure that, to remember to put passwords in the store, etc.
In practice SIM cards don't give you much physical security anyway.

I transferred my mobile phone number etc over to a new SIM card the other week and all I needed was name, address, DOB and proof of ID... of course my network didnt have any of these on file yet, so I had to first tell them these details, and then show ID to verify that I was who I had just told them that I should be. Yeah... this is the state of consumer mobile security.

None of this required physical access to the phone, I just had to login to their website, with a username and password, and change my details.

On most networks you can steal someones mobile number with just a few minutes of physical access and a bit of planning.

But that's the choice of the network operator. The SIM itself is still completely unique and identifiable, they just chose to allow customers to re-map SIM's on the fly.
and this is the norm all over the world. And SIMs cannot exist without the network operator. So in the end, this is the worst vulnerability of SIM cards.
SIM cards come from an era where mobile phone contracts were much less common and more expensive, and therefore cloning phones cost the providers a lot of money. I assume the security requirements for reissuing SIMs were also higher back then.
(comment deleted)
In Estonia, you can use your SIM to create a government recognizeed digital signature. [1] Thus, you not only identify yourself to the mobile operator, but you can also identify yourself to banks, government services, and more.

[1] https://e-estonia.com/component/mobile-id/

The same idea is used in Norway. Most banks and public services (e.g. tax returns) use this system for online two-factor authentication.

[1] https://www.bankid.no/en/

Didn't NIST just say two factor via mobile is a "bad idea"? Have Norway or Estonia responded?

EDIT: Thank you whoever downvoted an honest question that added to the discussion

I think that was for SMS, not specifically mobile.
The bad idea is being sent a (potentially interceptable) SMS with a code.

The Estonian method is described as using a private key present on the SIM card, just like a normal smart card used for authenticating/signing.

That's how every bank I know in Australia, at least 2 US banks and 4 European banks do it. Transfer (sometimes login too) ? Code over SMS.

Besides, pretty much all banks simply use 2 or 3 factor authentication as an anticompetitive tactic (half the businesses in most countries pay the banks 2-300$ per month just for scheduled download of transactions)

Same in Lithuania. Have been using mobile signatyre as it is called for yeats, very convenient.
I hadn't thought about the security of being a physical token. Feels like you could do 2FA using someone's email (or similar) to protect against some scenarios, but take the point that someone having to steal something physical changes the attack surface.
The SIM card is a smart card

If you have a credit/debit card with a chip, look at the arrangement of the contacts and compare to a SIM card. It's essentially the same standard (ISO 7816) at the lower layers, but with different application-layer protocols on top.

Also, as a matter of being the only device in posession of the subscriber but arguably owned by the telco, I'd definitely prefer it to be a removable piece which communicates over a standard interface. The alternative of embedding it into the handset is far worse from the perspective of lock-in and perhaps security.

/me puts on tinfoil hat

the sim card has one important difference. It lives in a device that provides it with 24/7 battery and radio access.

That is really worrisome when you think about. A tiny computer running applications you have no idea/access. powered 24/7. Always with you. With access to battery, network, mic, etc. And the other side of the network that could monitor it's traffic for malicious actions is owned by the very people that could abuse it in the first place.

> powered 24/7

Is it? When you turn on "airplane mode" on a phone, is there a reason for the SIM to still be receiving power at that point?

> Is it?

Easy to test: add a SIM pin, turn on airplane mode and reboot your phone.

yes.

the sim has direct access to the radio and other modules, by design. it only needs the actual phone cpu/os for use interface.

if it wants to take the radio out of silent mode it can.

That seems like it wouldn't comply with FAA regulations.

I always presumed "airplane mode" was the specific set of features required by the FAA to enable the phone to do the same thing as a phone that's off, from the perspective of potential interference with a plane's communications.

If the SIM can still enable and use the radio despite "airplane mode" being on, then "airplane mode" is not really "a mode for making your phone safe to stay on while on an airplane."

yes and that is not new.

try this: enable airplane mode and then open any app that has system permission to change gps or Bluetooth or wifi settings. it will enable those radio and the ui will still show the little airplane there.

You can actually enable wifi yourself even while airplane mode is enabled - try it!
It's actually an FCC regulation that prevents people using cellular devices on airplanes, and the issue isn't "interference with avionics" but "violating some fundamental assumptions that the existing cellular network is based on" like devices not travelling 600mph or having the ability to transmit signals for dozens of miles.
It's no different than having no SIM, if your phone wants to spy on you, it doesn't need a SIM card. It's the phone that transceives the signals, and it can do so without a SIM card. SIM card authenticates you to the network, but you control the device and the network around the device, there's no need for a SIM card.
Yes, but now your Telco can also do those things.
If there was an open standards-compliant protocol it could be implemented open-source and trusted. You could create an entire open operating system and use open hardware to know everything happening on your phone. That is different than having a SIM, which is a piece of mystery hardware the phone company could do anything with.
They already have control of all your traffic so what's the harm? Take the sim out of your phone in case you are really worried, but that would cut you off the network as well.

I'd be far more concerned with the hundreds of microcontrollers running proprietary code.

The SIM, being a physical piece of hardware plugged into my phone, could easily be used as an attack vector for my phone company to root my phone. Hardware plugged into my phone is a much more vulnerable attack surface than control of network traffic.
The baseband is already at the beck-and-call of your telco provider and has much better access to the hardware than the SIM card.
The point is your phone (if it were secure enough) could treat your SIM card like any other untrusted device accessory, and only let it do stuff it's allowed to do.

[network] <-> [phone] <-> [SIM card]

In theory. Not sure how well practise matches this though.

the selling point of the sim is that it it "trusted computing". meaning the user is left out by design.
so? the point is that the sim IS there already. yeah you can have more vulnerabilities, but that one is a given.
Phones can be directly accessed over a network via IMEI
For tinfoil wearers, the sim card is not as much of an issue as the baseband modem itself.
That's what Sprint did, and why you couldn't use Sprint LTE equipment (that would otherwise be compatible) abroad. They basically hardwired the SIM to an existing design...
Yes but if we have credit cards which can be charged simply by copying a few numbers that can be read visually off the card, then why do we need SIMs really?

In other words, SIMs seem disproportionally secure w.r.t. credit cards.

Even small carriers have software customizations done to phone firmware deployed on their network. This is common.

I believe he's contrasting this between a built-in solution. So say Samsung would put a hardwired UICC (SIM) in the phone and ATT say would make Samsung give ATT an "area" (Security Domain" in UICC parlance) to provision. For all intents and purposes it would work the same. If you wantd to switch carriers I'm guessing there would be a 'virtual' switch SIM app or some such.

If you're bored, you can read about it here:

https://www.globalplatform.org

I recently read the Wikipedia pages for health cards, and was surprised that these are demi-computers (by that I mean, no IO, no power). Standard chips are 4MHz >8bits these days (with added crypto etc). A Gameboy Air.
I'd love to study a piece of software like M-Pesa.
SIM card provides hardware-based, simple and secure authentication of subscribers to mobile network operators. Until manufacturers start to embed standardized secure element on all phones, alternative software based solutions (password, etc.) are more complicated and insecure.
If you have an iPad there is already a software solution: http://www.apple.com/ipad/apple-sim/

It contains what is known as a remote provisioning SIM: https://www.gsmaintelligence.com/research/?file=81d866ecda8b...

So clearly the only thing stopping the industry is the telcos who would very much like to make it as difficult as humanely possible for you to switch carriers. Especially in the US where there is a lot of competition and hence high churn.

SIM cards actually make it far easier to switch carriers. Compare the competition in the European market where SIM portability has been there from day 1 to the situation with CDMA carriers in the US and their refusal to reprogram ESNs.

A software solution would quickly devolve into the US CDMA system where you have to get a whole new phone to change providers.

There are some solutions out that are in software that are "eSIM" which allow devices to switch carriers through an OTA update.

Also see a company called SIMless.

There's a lot of market momentum around SIM cards and it keeps a telco's offering really sticky. It is more effort for people to swap hardware instead of software.

> There's a lot of market momentum around SIM cards and it keeps a telco's offering really sticky. It is more effort for people to swap hardware instead of software.

I'd love to see evidence of this. Switching SIMs is something non-technical users do regularly.

I'm afraid I don't have hard evidence. The logic is for normal cell phone use it's more friction to swap a SIM than to have the phone automatically switch network profiles (non-roaming) or for the user to switch network profiles via software setting.

For IoT cellular the logic is it's more effort to recall a device and swap a SIM card than to reprovision the SIM profile via a software dashboard.

I'm sure we could put our minds together to come up with a robust user study. Thoughts?

It takes ~30 seconds to switch SIMs on my phone. Most phones I've had in the last 10 years have had dual SIM slots as well.

It's not swapping the SIMs that provides friction when changing providers.

> For IoT cellular the logic is it's more effort to recall a device and swap a SIM card than to reprovision the SIM profile via a software dashboard.

If you can reprovision it remotely, you're one flaw away from a hacker being able to reprovision it. Meanwhile, the SIM design means there's little reason you'd need to recall it rather than simply send out new SIMs and have users swap them in.

For some perspective, check electronupdate's recent 'decapping': http://electronupdate.blogspot.com.au/2016/10/decap-of-cell-... It is not just a little block of secure RAM labelled a 'smartcard'. It contains as much CPU as a low end phone. Amazing.
And it runs Java!
Runs Java or the phone runs Java code stored on the SIM?
Runs java, it has its own smartcard processor.

SIMs are smart cards in the exact same way as your NFC-enabled credit card, or other cards, and many systems use the SIM to store payment data actually.

Android Pay could do exactly that, too – but doesn’t, because one US network prevented them from storing that on the SIM, so instead it’s stored in normal memory, which led to safetynet, which led to Android phones being less user-servicable than even Apple devices.

Name the culprit.
If it's a US cell provider being shitty and restricting technology, it's got to be Verizon.

They hate anything that isn't under their control.

There are way too many people in the US who think Verizon is their only option because they haven't tried other providers in a decade.

The CPU on the card itself runs (a variant of) Java.
If anyone is interested, there is a very interesting talk at Defcon 21 called "The Secret Life of SIM cards". They managed to run their own network and sold SIM cards at the conf for EFF. https://simhacks.github.io/defcon-21/
I think it is more of a traditional security approach of "pairing hardware with hardware" and a case of "not fixing what is not broken" instead of making consumers suffer. It just works.
Fair assessment. I'd just like to be able to have a few SIMs loaded in software for travelling, given the typically extortionate roaming fees.
Locking devices to networks (as US telcos do) makes it harder to switch providers than swapping a $5 SIM.

Same with switching devices and keeping a provider. Using a SIM, takes about a minute. Not using a SIM? Call them or whatever, maybe pay a fee.

> Feels like this is probably the result of telco networks wanting as much friction as possible to change providers, but is there something more to it?

In 3rd world countries, people regularly swithch their SIMs as they travel across borders because no one has cross-country access. Taking a SIM out only uses up a minute of your time, and standizing on a hardwardware dongle like that is great because if company A goes out of business, you just grab a new SIM and stick it in.

It's a bit harder in the US, where phones are locked to their providers, and you need IDs to buy SIMs but that's really all just a regulation issue, not a technical one.

That's also a 1st world thing. If you travel often between two European country it might be cheaper to have two SIMs, one for your country and one for the other one, especially if you pay as you go. Cross border roaming fees are getting cheaper because the European Commission wants so (luckily) but telcos are doing their best to regain those money by any other means.
SIM: Subscriber Identity Module almost says it all, on top of that a SIM can store your contacts (up to a certain number).

The SIM is what separates your identity from the hardware of the phone (which has its own identity called 'IMEI').

A 'software solution' would need a carrier, that carrier IS the SIM.

Another nice benefit of having the SIM device is that it makes it much harder to 'clone' a subscriber ID, something that would regularly happen in the days before the SIM card, note that the SIM was a development that came along with GSM, and that GSM was the first mobile phone standard resistant against cloning. It's one part of the 2FA (something that you have) that gives you access to the phone network (the other being the PIN code (something that you know) required to unlock the SIM).

When ppl mention a "software SIM" they mean the same basic chip embedded in the handset that you can switch with software. It has the same level of security as removable chips.
I don't recall ever needing a PIN to unlock a SIM card.
The ability is there. Many people don't bother setting it.
Every SIM card I ever received came with a random pre-set PIN.
> on top of that a SIM can store your contacts (up to a certain number).

This presented a usability nightmare back in the days of feature phones, where if you didn't specifically say where to store contacts, it would often default to the phone's storage rather than SIM, or if you breached the number of contacts on a SIM you'd have overspill onto the phone memory (sometimes without realising)

This presented a lot of unnecessary confusion when it came to upgrading devices, or if you damaged your phone.

Well by the same token, sims offered a simple way to move contacts between devices, which was otherwise difficult to do without a pc and proprietary cables/software to export data from the phone.
It still is an issue - carriers (at least in NZ) still ask you if you've backed up SIM contacts before switching the phone number to a new card.
'eSIM' is on the way to replace sim cards. The biggest challenge of 'downloading a sim card' to a secure enclave on a phone is of course security.

The GSMA and members (i.e. telcos) have been working on secure remote provisioning. I think it'll take a while for the technology to make it in to consumer devices, though it's likely to be used in IoT relatively soon.

It takes a long time to spec these things up collaboratively and then even longer for telco's to act on it!

See: http://www.gsma.com/rsp/2016/04/27/esim-opportunity-operator... and http://www.gsma.com/rsp/ (Warning: Lots of marketing BS)

Actually there is at least one company already offering Remote-Sim-Provisioning. https://medium.com/@ComfortWay_Glob/cwsim-freedom-of-connect...

They are selling local data-plans abroad without switching the SIM card by implementing RSP. Calls are coming in 2017, also promising a portable phone number later that year.

another interesting company in this space is FlexiroamX, they have a super flat sim that sticks on top of your existing sim. It lets you soft-switch the SIM using a "SIM Application" (like mentioned elsewhere in the thread) - appears as if it unplugs and replugs to the phone.

See picture of the process here: https://twitter.com/lathiat/status/758979125751054336

Works fantastically and gives me $30/GB data in pretty much any country at often 4G speeds - with a 12 month expiry on the data (does cost $20 a year or something for 'membership' but still, usually costs far more than that for a sim starter pack in every different separate country you go to). Good for frequent travellers!

Obligatory please use my referral link if you signup :-) Bonus 100MB for both me and you. http://www.flexiroamx.com/referYXBBCJ / Code YXBBCJ

Super interesting. So the overlay tricks the phone into thinking there's 2 SIMs in the phone?
It's more like a "proxy" for your SIM card where it can act as its own SIM, or as a passthrough, depending on software settings.
>$30/GB

Some European operators still have cheaper roaming data plans

As an example, I pay £20/month for 30GB, that can be used anywhere in the EU, USA, Canada, Australia (and a few other countries).
If it's "Feel at home" from Three, you can use it only for short trips and tethering is forbidden.
Sure, they do remote provisioning, but it's not eSIM in that there is still a sim card! I assume they use some special USSD codes to switch to their provisioning carrier and use a normal network connection to do that.

In the case of a true eSIM, there is no sim card at all, it's stored on the device it's self with a lower level bootstraping profile (i.e. not an alternative pre-programmed carrier)

(comment deleted)
On the contrary, it is the result of a concerted effort to reduce friction.

With SIM cards, users can switch to a new phone by just moving the SIM, or switch to a new provider while keeping their phone (assuming its unlocked) by just replacing the SIM.

Prior to SIM cards phones where frequently programmed to be tied to a specific provider.

A pure software solution could work, but requires the network operators to be able to trust the phone manufacturers to secure it well enough to not let end users change things in ways they're not supposed to (e.g. consider a hacker harvesting authentication details from phones). The SIM card is the simple solution.

I take the point on the security of physical + pin for protection. I guess I'd just love a solution where I could simply switch between accounts without physically swapping something or having a multi-SIM phone.
But why? Multi-SIM phones are cheap and easy to come by.
Not in the US
Well, of course it's hard to come by a dual-sim iPhone. You need to look for other brands.
Go to Shenzhen. They like to make iPhone clones that are cheaper while having better specs, including multiple SIM card support.
The iPhone-lookalike phones you can buy in China don't run iOS, so I don't consider them 'clones'.
To be fair, "multi-" here typically means "dual-", but even w/o going to Alibaba, they're definitely out there:

  - http://www.androidauthority.com/best-dual-sim-android-phones-529470/
When I had to travel a lot, I had a small booklet of sim-cards that I could pop into my single-SIM phone (this was the 90s), in most regions I visited to get (much) cheaper rates than I was getting for world-wide roaming from AT&T at the time (this was before AT&T was really Southwestern Bell). Except Japan. (Curse you, and your island-nation cell-phone local-only standards, Japan!)
Heh, I'd disagree. I picked up a dual-sim Windows phone, unlocked, for $150 at the Microsoft store.

I've already taken advantage of it being unlocked by switching carriers (saved some bucks) when I saw the prices on one were now better than what I'd been paying.

Unless you personally know some heads of some major carriers you can't say that and also it's unlikely carriers do things to reduce friction.

Unlocked phones are still relatively rare in the US so I don't agree with your second point either.

Network operators trust Gemalto, etc to write the SIM card software and also the provisioning and tower software. They also trust the phone manufacturer software as they rigorously test it before it's pushed to it's subs. That's actually why updates take so long (excl apple, of course).

Note that I have actually worked for some major carriers and have been in discussions with VPs discussing this very issue. See my other answer further down the thread.

> > With SIM cards, users can switch to a new phone by just moving the SIM, or switch to a new provider while keeping their phone (assuming its unlocked) by just replacing the SIM.

> Unlocked phones are still relatively rare in the US so I don't agree with your second point either.

As you point out, where GSM networks are concerned, this observation is mostly specific to the US - swapping phones and swapping SIMs has been a reality in the rest of the world for years.

Instead, the main source of friction is frequency bands. When swapping phones, it's not often an issue when switching between locally distributed phone models, since they are the Asia/international models with more band compatibility. When swapping SIMs domestically, it's not an issue for the same reason. When swapping SIMs internationally, phone service typically works, but if you want high speed data _then_ you check for band compatibility.

I'd say that for most of the world, the reduction in friction is real. It's a pity that the US market is so different.

I'm all for reduction in friction and I believe software sims will reduce this. I mean I can conceive of a world where connecting to a 3g+ network is little harder than a WIFI network.

It wouldn't be good for the carriers but it'd be great for consumers.

> swapping phones and swapping SIMs has been a reality in the rest of the world for years.

It's still prevalent here in the UK, although the competition is fierce enough for you to be able to find a vendor that sells a phone unlocked.

In the rest of the world, though, unlocked phones are super common. Also, with sim cards, if my phone dies while I'm out on vacation, I can swap it into my backup phone with a minimum of effort. Software actually makes that harder because all the security benefits of a physical device go out the window. In order to be secure, I'd need to make a secure password, one which I'll probably forget five minutes later. At which point, I'd need to store it on some password aggregator. Thus, when I'd actually need the username and password, I'd not have access to the one device needed to access that information.

Usernames and passwords suck. A lot. We should be striving to get rid of them, not make more places need them.

Yes, I can say that. The history of GSM is well known, and SIMs were introduced because having phones that were programmed specifically for one provider and that needed to be replaced or taken in to a provider to reprogram was seen by everyone including the providers themselves as an impediment to adoption.

> Unlocked phones are still relatively rare in the US so I don't agree with your second point either.

That leaves the vast majority of the world market. The US is not even the largest cellphone market any more, and haven't been for a while.

> They also trust the phone manufacturer software as they rigorously test it before it's pushed to it's subs.

Not GSM network operator has no control over what devices are on their network, just what SIMs are on it. They may or may not have control over their own subscribers, but roaming ensures that any random GSM capable device can appear on their network, E.g. I have some Chinese phone that my network operator probably haven't heard about.

> Note that I have actually worked for some major carriers and have been in discussions with VPs discussing this very issue. See my other answer further down the thread.

Unless said VPs were VPs in European carriers or manufacturers ~30 years ago, when the discussions in CELP and later ETSI led to the adoption of SIMs in the GSM standard, that is quite irrelevant.

My 5 yo phone eventually died at the beginning of October. I put the SIM in my tablet and I kept going until I received the new one two days later. A pure software solution would have worked as well, but the SIM is an authentication token. 2FA are all the rage nowadays and if we went pure software I bet we'll have to use a separate token anyway.
As others have pointed out, SIM cards are basically smart cards. There's PKI, private keys, the ability to perform mutual authentication (although that's not usually done, at least in .us), and much more.

Honestly, I wish their use would expand into other areas of our lives -- replacing username and password combinations for various devices (working for an ISP, home routers are one good example).

As much as I'm against the idea of a mandatory "national ID", I'm convinced that it will happen someday (in .us, where I live). When it does, I believe it'll be something similar to US DoD's CAC [1]: a physical identification card that doubles as a smart card. The private keys stored on the card will allow you to prove your identity to your banks/financial institutions, e-mail account (100% encryption of all e-mails? Yes, please!), and so on.

[1]: https://en.wikipedia.org/wiki/Common_Access_Card

The national ID thing happened long ago, the thing that is on the verge of happening is 100% digital communications and interaction with the government.
Sadly, encrypting e-mail will break all current anti-spam methods.
An intermediate solution?: All encrypted email senders have to be while-listed by the receiver. All clear email will be allowed by default, and usually be the first way of reaching somebody, either for legitimate or illegitimate (spam) purposes.
Not exactly. Some methods won't be nearly as effective (such as filtering on the message body) but others (such as SPF, DKIM, and RBLs) will still work just as well as they do today.

Now that I think about, just the encryption itself will increase the computational cost of sending out spam e-mails. While today a spammer can blast out an e-mail to 100 recipients very quickly, it'll take a fair bit longer to do once the spammer has to query and retrieve 100 public keys (one for each of the recipients) and then encrypt the e-mail 100 times over.

A large part of spam detection remains machine learning on message bodies. Something this would make impossible.

As for encrypting the e-mail 100 times. AES acceleration is great in CPU's, and you can cache public keys. The only real-ish bottleneck could be key-generation.

That said, someone else had a decent idea. Require white-listing for encrypted e-mail.

> Feels like this is probably the result of telco networks wanting as much friction as possible to change providers

No, it is the opposite.

It is exactly done like this so you only need to get the sim card and not need to have the operator decide for you (of course people shoot themselves in the foot by signing a long term contract while getting a locked mobile phone)

I imagine one of the main reasons it was done like this was because when the GSM standard was designed, a non-insignificant number of phones were fixed mounted into cars (due to the sheer bulk), and then being able to bring your smartcard with you in your wallet and swap between phones (cars) would be a very handy feature.
The SIM smartcard is a cryptographic device that prevents people from stealing/copying/hijacking/cloning other phones/accounts/billing/credit/etc.

Each SIM has a unique ID that is used to track/bill/identify your phone.

> Each SIM has a unique ID

To be more precise, the SIM is actually a crypto CPU that stores a private key, and can perform crypto using that private key on behalf of the phone, without betraying the key itself.

This is also how Chip-and-PIN debit/credit cards are designed to work (so that a rogue terminal/skimmer can't just clone the card number), although there are various real-world implementation flaws with most of those.

Because of a power struggle between os vendors, hardware makers and telcos. The SIM provides a neutral way for them to coexist. Also, this decouples a lot if certification. A SIM and a phone are easier to work with than a phonesim
The actual reason it's still a thing is because changing how thousands of network operators work in over 200 countries is quite difficult to coordinate. Even Apple tried to push a soft-SIM and couldn't get it going.

But I'm glad for it, because the foresight of the designers of GSM to put your private key in a smartcard has absolutely improved consumer choice worldwide. I can buy an unlocked phone, travel to any country, buy a SIM card at the airport and pop it in my phone and the GSM(/UMTS/LTE) standards say it must work.

A software-based system will quickly devolve into a "oh we haven't approved this phone on our network, sorry we won't activate it" and other anti-consumer activities you saw on the ESN-registration-based US CDMA networks.

Hopefully when the GSMA adds eSIM to the standard, they add protections for consumer choice, but in the current corporate climate I fear they won't.

IMO the fact that the device subsidy is so popular with both consumers and network operators in the US means that all of this ostensibly anti-consumer stuff will be with us for a while. The (hard) SIM cards don't even offer the desired portability if you have to go beg for the device to be unlocked.
> The (hard) SIM cards don't even offer the desired portability if you have to go beg for the device to be unlocked.

It's not the SIM card that is not portable, but the phone that you bought.

The phone can theoretically work but the network operator can still ban your phone, even if it has a valid SIM, by manufacturer, software version, baseband version or a host of other reasons.
I work in the industry. I somewhat agree with you, SIM cards are a hassle, and I hope they will go away at least partially.

As for why you still need them, I see some reasons:

1. The alternative may be worse. At least with SIM cards you can switch operator when you want (if the phone is not carrier locked, bleh), or use a local prepaid SIM when abroad.

2. Inertia. Removing the physical SIM would require getting operators and phone manufacturers to coordinate.

3. The IM card is what securely identifies the owner of a phone number, and makes sure they are not two phones with the same number. With a software SIM, if it is done wrong, you risk getting malware that steals your phone number.

Personally, I think we will eventually see SIM-free data only connections without a phone number. You really should be able to buy an LTE tablet, get online and just pay for some data. Apples has been trying a bit with the Apple SIM, but it is US only, and only works with a few operators.

There is actually an eSIM (embedded sim) specification (http://youtu.be/mLouo2mYjAU) that was released quite a while ago by the GSMA and its mostly up to the device manufacturers and carriers to implement it now.

It lets you virtually subscribe to a network, so for example if you're traveling, you don't need a local card just pop up some software and choose a new network.

Apple already has some devices that implement it, AFAIK, the iPad Pros use this. Apple calls it Apple SIM (https://techcrunch.com/2016/03/23/explainer-alert-heres-what...)