Several of my android phones have come with a slot that can take either a microSD or a second SIM, so they wouldn't have to remove it if that's what they were going for.
> iPhone 13 models already support multiple eSIM profiles, allowing users to subscribe to several cellular plans digitally and switch between them, […]
There was one really good talk about from black hat or defcon [1] but there's also this [2] which seems more thorough so I'm gonna watch it too later. I happen to have a friend who writes software for simcards so that's what really was my main source.
Why do you think it is horrific? Haven’t had the chance to look into it so all I know about it is that it uses Java ME which is a very limited subset of Java SE.
I would much rather a defined protocol rather than arbitrary code. It also means you can require multiple distinct applets on your phone for each card provider.
Progress for the sake of progress... SIM cards have plenty of advantages, all of which relate to control of your hardware. With a physical SIM card you retain control of the number and can swap it easily. As other comments have shown, with an eSIM, you rely on the provider to provision it for you.
I hated having to call the provider when I was with Sprint and Verizon Wireless in the US, when I wanted to change the phone I was using. And that was mostly free and they had 24-hour hotlines. If you have to pay and can only call during business hours, it is a huge regression.
Unfortunately they are the only eSIM supporting carrier in the country. Maybe this will help, but looking at the other comments here mine is not the only carrier that does so.
many advantages, If your phone dies, you just move sim card and the new phone works has your old phone number.
You buy a new phone, say you have an android and buy an iphone or reverse... you can easily move the sim card as you want. I'm not even sure how you would do that with eSIM.
Couple of years ago I went to Africa, bought two local SIM cards from children on the road while sitting in a car, they had to take a picture of my passport with their mobile phone and activate the cards, but it worked. Having esim being sold like that would probably not be possible.
so, anything one can do if one wants to work with this technology on their own. I suppose an Asterisk extension or something, I tried searching for eSim on github but seems it's a pretty generic acronym for people to pick.
Not everywhere, as others in this thread have mentioned. As a frequent traveler I'll be probably holding onto the last physical sim iPhone for many years until everywhere I travel to has it all ironed out.
As a frequent traveler I can’t imagine going back to physical SIMs, now I can carry all my data plans on my phone and don’t have to waste time looking for a place to buy a prepaid plan.
There are a ton of websites where you can immediately get esims for almost every country, why bother with physical sims?
In some places the e-sim plans are inflated and poorer value compared to the deals on physical sim cards sold. For example the unlimited data plans might be only available by sim rather than purchasing data packs
As a traveler you can have 10 or more eSIM profiles. That means you can have a great 130 multi-country eSIM like the AIS eSIM2Fly or if you go to a single country you could get their local travel eSIM ( for example the Thailand DTAC Tourist eSIM ). Just switch between your active eSIM as needed. iPhones have more than enough eSIM slots to accommodate your travels, with no more need for plastic chip fiddling.
Thanks to Apple, this industry won't make any progress otherwise. You can watch all 3 service providers finally waking up and provide eSIM. You can even watch all the Android manufacturer follow the suit. I am tired of using u-pins to change sim cards. Buying physical circuit to put in the phone just to communicate some numbers is barbaric.
Android here. Not much of a sim hacker here - but I once suffered an over the air sim hack. Phone ceased to work, gmail accessed, PW changed and phone was changed to another number. Freedom advised there was no human engineering involved - they reverted the phone reverted to my control and I selected a 7 digit PIN and my file was locked so it needs me in person as well as that new PIN. gmail was recovered and a USB dongle was added at home to secure that. No problems since. Police and Federal(RCMP) police investigated. I could not figure why me? - apparently it was a hack aimed at the Australian ambassador to Canada, whose gmail ID was the same as mine with a 1 digit numeric suffix on his. Was this - Chinese?? They got nothing from me or him as he had a secure embassy hardware secured and encrypted message system he used for all embassy business. Gmail was just for online shopping, friends etc. He has since retired and I often get, in error, emails intended for him, which I dutifully forward and erase and we occasionally chat.
They are correct, and you are not. The 12 is as you say. With 13, you can have either 1 nano and 1 esim or two esim simultaneously. You can also have other esim plans stored and not in use.
> With iPhone 13 Pro Max, iPhone 13 Pro, iPhone 13, and iPhone 13 mini, you can use Dual SIM with either two active eSIMs or a nano-SIM and an eSIM. iPhone 12 models, iPhone 11 models, iPhone XS, iPhone XS Max, and iPhone XR, feature Dual SIM with a nano-SIM and an eSIM.
eSIMs are good but it doesn't eliminate the bureaucracy/paper work involved with acquiring an actual network connection, esp for those traveling across countries. Unless ofcourse you are willing to pay those listed roaming charges(some of which appear as hidden charges). Not sure what eSims or even Apple as a company can do about that?
Here in Switzerland eSIMs are actually massively worse - you can't swap them around on most operators without calling (!) their support line to manually release and regenerate the eSIM token.
Meaning that swapping between phones now requires calling, possibly expensive, support lines and you better hope your phone issue didn't happen during holidays. And that you have a working backup phone. And you're not in a foreign country trying to put your SIM back.
It's a massive regression of convenience against simply swapping a small chip.
yes iff you would need to contact a support hotline everytime you switvh the audio source or the headphones itself.
if you are mocking the notion that it was courage to get rid of the headphone. Then you are correct But then again I got a phone with headphone jack but still prefer Bluetooth. Especially now when wearing masks,... no cables that get in the way of.taking off and putting on a mask.
I noticed this is a bone of contention among the HN community. It is clear why: both wired and wireless headphones have their advantages and inherent problems that had been discussed ad nauseam. In general, there is no problem as we are free people able to choose what we want and need. The problem appears when a company with a dominant position in the market declares one of these technologies dead and pushes their users towards the other one.
It's not just wireless audio. The same happened with the Ethernet: while most people use WiFi, Ethernet (especially Gigabit and faster) also has its advantages. Removing an Ethernet port is not an improvement: it is a statement.
I think this battle is long over and done with, but the Ethernet jack is not that big. A Thinkpad T470s/T480s has it and it is plenty thin. There are even some laptops with a collapsible RJ-45 port which allows it to be even thinner.
A USB port is also not that thick yet it has been dropped on many recent laptops, although a Thinkpad X1 Carbon shows it is possible to have USB, HDMI etc on a 2lb / 1kg machine.
The parent doesn't mention the T480, but the X1 Carbon which comes with a full range of USB and HDMI ports. The Macbook Pro is 1.55cm thick, the X1 Carbon is 1.49 cm thick.
Lenovo also sells the T480s, those are not substantially thicker (1.6 cm high) and beefier and come with a built-in ethernet (!) port.
A serious question: what is the advantage of thinness for you, personally? I have several laptops and I'm on the move all the time. The only disadvantage of thicker ones for me is weight - but it's negligible, even when I'm cycling and my laptop is in my backpack (or, sometimes, laptop bag). Weight aside, the thinness itself has zero advantage for me. I'd much rather have all the functionality removed at the cost of it (not just Ethernet - I care much more about user-replaceable SSDs and RAM).
It's aesthetics/psychological. Weight is also important to me because I travel and the thinness affects my perception of the weight. It's a bit strange that the new Pro feels thicker than my old laptop, the 2015 Macbook Pro, despite actually being thinner. It's because it doesn't have the taper that the old laptop has. Take a look:
I mentioned the T480s. The T480 is much more user-serviceable than a Macbook Pro, with upgradeable RAM, SSD, Battery etc, and much cheaper, so not a valid comparison.
As per telecom regulation, you cannot get a new eSIM online. The only way is visiting telecom service center in person, verify your ID, pay the fee (about 10 USD), finally got a printed eSIM QR code.
It implies you must pay $10 when you switch to a new phone every time. worse than Physical SIM card.
I believe it depends on the provider - in Italy there are three that currently support esims. A couple (Tim, Vodafone) let you rescan the qr-code multiple times with different phones. The third (Wind) provides a one time use qr-code, you need to show up at the shop and buy a new code (no idea if the serial is the same or not).
In every case you still need to wait for the qr-code to be posted at your mailbox (even if you can sign the contract online).
My carrier in Canada has one-time use eSIM tokens that you can only buy in-store and only from select stores and it costs four times as much as an actual SIM card (20$ for an eSIM token QR code vs $5 for SIM card). If you need to use the eSIM on another phone, you need to buy another 20$ QR code.
If a sim is digital, couldn't Apple put the eSim into your 'wallet' for example?
I appreciate that it's not currently designed like that, but given we are just talking bits, just because it's not a fully baked system yet, it can't be?
You get it. And this IS how it works now. You can have 10+ eSIM profiles on your iPhone with one of them active at a time. Just active the eSIM based on the country you are in. No more tracking plastic bits.
> What can go wrong when everybody can program your SIM remotely?
That's bollocks. An eSIM module is exactly the same chip as in a normal SIM card - right down to the electric specifications and communication protocols, so you can hook up a provisioned eSIM module to a phone or a SIM card to a device using an eSIM chip and it will Just Work (tm).
The only difference is that the eSIM module is allowing the baseband chip to flash a new set of cryptographic keys, a process that will (usually) require the cooperation of the main SoC to get and transmit said keys.
The only scenarios where an attacker could reprogram your SIM remotely is either a malicious actor in the provider network (at which point there is the question why an attacker would want to reprogram your SIM at that point, given all they can do is give your SIM card access keys to another network) or a malicious actor with an IMSI catcher.
In both scenarios the attacker would require an exploit in your specific baseband and the correct cryptographic keys (or yet another exploit) for the eSIM to accept the new profile... and at the degree of knowledge, hardware and the actual exploits required to get to the point a successful attack requires, your attacker will be a government or an NSO-scale enterprise. And seriously, at that point you already have lost anyway because they have exploits for the OS you're running on whatever device you use, they don't need to deal with taking over your SIM card.
This is already a problem with regular SIM cards and people social-engineering customer support reps into getting their SIMs provisioned with other people's numbers.
Carrier incompetence will exist regardless of if the SIM is physical or virtual.
> If I can move my eSIM to a new phone, so can an attacker.
No, they can't - there is (at least for modern SIM cards and eSIM modules, see [1]) no way short of decapping the chip to extract the secret keys once they are on the chip, and even de-capping is something that the chip industry has gotten pretty good on defending against.
An attacker would have to request a new eSIM profile (aka, new keys) from your provider to hijack your number, which is an entirely different threat model.
I don’t know how you can say they can’t. The eSIM is just a number. An attacker can install it exactly the same way I did: I copy-pasted some numbers from an eSIM provider’s app.
I’m not talking about getting the number from the phone, but directly from the operator.
A lot of phones already support eSIM. Apple will claim they invented it and some will copy the no Sim slot but there are still carriers that don't support eSIM so I don't see this taking off like removing the headphone jack.
Can anyone discuss the privacy implications here please? I assume to use eSim you'll be required to have a working internet connection - there are still many dark spots in the world. What data does eSim need? Can anyone outline the data structures being sent from my device?
It's still possible to access the network pesudo-anonomously with a physical sim, I can only assume a "selfie to activate eSim" is going to happen sooner rather than later.
Owning a device that can connect to the internet doesn't mean it can at that moment.
We need to stop assuming humans can connect to an endpoint over a network 24/7 365. There are times when you may not be able to, for all sorts of reasons, make a HTTP request at a given moment.
Networks fall over, riots happen, dictators just shut it off. Dangerous precedent to set.
Yea and many authoritarian government can simply block websites and if it happens to be apple asn? I think there should be fallback otherwise its going to be debacle.
You only need an internet connection the moment you're activating the eSIM for the cryptographic keys to be downloaded. From that moment forward it acts just like a regular SIM card.
You'll need to have a connection once when you provision the eSIM. There may be some way in the spec for the device to use the network itself for that connection, similarly to how you can make emergency calls without a SIM card.
But even if you don't have a connection now and try to provision it, I'd assume the phone would just cache the SM-DP code for later provisioning in the background when a connection is available.
Privacy-wise, there is no difference. It gives the carriers more opportunities to be assholes and justify some new hostile requirements due to the switch to eSIM, but once an eSIM is provisioned it behaves just like a physical SIM.
Question: will the new AWS offerings eventually allow us to escape from mobile providers altogether? (I haven’t looked into it and even if I do I won’t understand the details well enough)
J2ME was so bad that it once made me throw my Sony Ericsson soap bar shaped cell phone down on the floor so hard in furious anger and frustration that I smashed it, and it felt so wonderful, and was well worth it.
I threw my phone to the wall with full force when I was a kid due an argument over the phone. The screen got wrecked as a result. Had to tell my parents I dropped it accidentally because I can't explain what happened.
In one of my pubescent year, the same incident happened again; But this time, threw it to the ground and glass screen protector ate all the damage except the home button. Remember cutting my finger pressing it.
The final one is back in 2018. Threw my phone and it ended up breaking the wall instead.
I don't understand this sentiment, instead of pleading with a phone manufacturer to implement certain features why not put your money where your mouth is and, you know, buy any of the pleothra of phones out there that do have a headphone jack.
It's just tongue-in-cheek banter, don't take it too literally. Besides, Apple devices make a sizeable portion of the market and have 'ecosystem' buy-in features that many other phones (w or w/o h jacks) don't have.
Yes, because the ONLY feature I take into account when buying a new device that I carry in my pocket literally every day of my life is how good the headphone jack is.
Because it's not possible. I need a ~5.5" Android phone, with SD Card, OLED, 2 SIM, headphone jack and 3 years of software updates. Not sure there is a phone like that, so I don't know what I will be doing when my current phone dies.
I have more or less the same requirements and the Fairphone 3+ did it for me. Only downside is that spare parts take a long time (3+ months) to be back in stock.
Maybe check out last gen phones that are supported by LineageOS?
That's what I'll do once my OnePlus 3 (still getting updates with LOS) dies or is too slow.
The Sony Xperia line up has SD card slots, headphone back, and dual SIM capability. I don't think they have OLED, but the screens get good reviews. Looks like you can expect only 2 years of updates though.
It's very good indeed, but last I recall it measured slightly worse than the built-in 3.5mm Jack in previous iPhones. But it still likely exceeds transparency especially for the form-factor and use case.
This is absolutely not true, there are a ton of phones with better DAC/amp combos than the one on the Apple dongle (and even when the dongle is better, it's frequently not better by enough to be audibly different). Unfortunately some of the best analog audio came on phones that were made by LG who threw in the towel last year.
Fantastic. Now I will have no easy way to transfer my number from one phone to another.
Currently I carry on my trips a spare phone that I can use to transfer my SIM card to and keep being able to receive various SMS messages needed for me to function at all.
I can't understand why anyone would want this. Being able to physically swap sims so I don't ever have to deal with carrier customer service is a /good/ thing, especially when it's in the carrier's interest to make this as difficult as possible.
SIM swapping has nothing to do with a physical SIM. It's convincing the carrier to reissue a new SIM and associate it to the previous account. It can be done just as well with e-SIMs - in that case the carrier will give you an SM-DP code instead of a physical SIM.
SIM Swapping attacks are not performed by physically stealing a SIM from someone’s phone. They usually involve having someone who works at the carrier making changes in the system to route calls/data to a different IMEI. Physical or eSIM would be irrelevant in that case.
The long term SIM cards (Virgin UAE, Three HK, Lifecell Ukraine) with phone numbers I can easily transfer by going on the carrier apps or websites.
But we’re rapidly headed towards a data-only world where the SIMs are essentially disposable, there’s nothing you’d care about transferring except perhaps some prepaid data you have left.
I mean, cars are a great example of a technological advancement that absolutely ruined lots of places around the world:
- city centers, rendered noisy, rotted out of businesses, and replaced with parking lots
- rural areas rendered completely car-dependent since roads are no longer walking-friendly
- small towns who lost their entire downtown strip because people would rather drive their car to wal-mart
- millions of pedestrian deaths worldwide per year because cars make it very easy to "accidentally" kill people
So... I guess the lesson is that it is exactly that kind of debate, and that there are pros and cons on both sides?
I tried to activate an iPhone on an existing Google Fi plan using eSIM, and it was a nightmare. The frontline support is responsive, but can't do anything about it. The specialists I was escalated to were useless, and only reachable by email every day or two.
After a week of this nonsense, it occurred to me that maybe I could start over with a physical SIM card. I chatted with frontline support again, and he said he was positive that would work. (So why didn't anyone suggest that?!) I couldn't use the old card, because it was clearly beyond their capabilities to reactivate a perfectly good SIM card, but I was able to buy a new one at Best Buy and complete the process in about five minutes.
I would have swapped the card in the first place and been blissfully ignorant of the eSIM fiasco, but I somehow had it in my head that the iPhone used a smaller card than the five-year old phone it was replacing. It may not be eSIM's fault, per se, but if the design is dependent on carrier competence, it's fatally flawed, as far as I'm concerned.
You are aware you can have 10 or more eSIMs plans on an iPhone, right?
You are free to swap between them as you wish? You are only locked into a single carrier if you purchase the iPhone thru that carrier. Always purchasing and unlocked phone is what solves this.
All of this depends on the good graces of the company that wrote the software, and I don't see how they can be trusted over good ol' physically removing a card and putting a different one in. Especially when they have a track record of being abusive to customers.
While I love (and sometimes use) eSIMs, the physical SIM has a huge advantage in that it gives me freedom. It's the revolution that GSM brought: just take your SIM and move it to a different phone. No permission required.
Arguably we've become slaves to ecosystems of either Apple or Google at this point, as pretty much nobody uses a phone as "just a phone", you need to have an account with one of those behemoths in order to use just about any app. But still. The physical SIM is (was?) one of the last remnants of the freedom we had to switch phones.
It exist, yes. But isn't used much in practice (where I live at least). I think it is illegal to charge to unlock them so the incentive for them to exist disappeared entirely.
Which kind of highlighted that it was a dark-pattern that only served to trick customers.
Kind of reinforces the notion that we should be worried...
The e-SIM provisioning process is under the control of the carrier. They give you a QR code (or SM-DP string) which you scan/enter, your phone then contacts the carrier and after some back and forth acquires cryptographic keys which are stored in the eSIM chip.
There is no way to extract these cryptographic keys and enter them into another phone. Instead, you have to repeat the whole process and get a new QR code from the carrier. They may charge for this, or just be a pain in general and make it difficult or refuse for whatever reason.
I can see them taking advantage of this to prevent travellers using local SIMs for example - sure you can delete your eSIM and get a local one, but getting your own eSIM back will be difficult or outright impossible if you're still travelling (they may require physical ID verification, etc).
That’s literally how it works… You can have as many eSIMs as you’d like, I currently have 8 on my phone and can choose which two I want to have active at any time.
I’m not sure why nextgrid is constructing this weird technological strawman.
Apologies - I was not aware you can have multiple eSIMs stored. If that's the case it lessens the impact, though switching between phones is still a problem.
True - my point was that the carrier can't prevent you from physically switching SIMs and locking them at the network-level to an IMEI would cause backlash as it would break long-established conventions.
With eSIM, not only are they in control of switching eSIMs between devices but it also gives them a clean slate to introduce the aforementioned network-level restriction under excuses such as security (though again since they're in control of switching eSIMs they can just block it there or be annoying in other ways - some carriers already charge for reissuing eSIMs despite it being a completely automated process).
eSIMs significantly reduce the friction of switching between carriers and will inevitably force carriers to suck less. Especially in a world where people increasingly only care about data.
> There is no way to extract these cryptographic keys and enter them into another phone. Instead, you have to repeat the whole process and get a new QR code from the carrier. They may charge for this, or just be a pain in general and make it difficult or refuse for whatever reason.
Even worse, in many real cases. Let me give you an example, happened to me this October:
I get a new phone. I browse my carrier's website to find out how to transfer the eSim to the new one, but find nothing. I call them, they tell me it's impossible. I ask them to double check because this doesn't seem realistic - after one day of internal checks, they contact me saying they found a way! I just have to request to be migrated back to a physical SIM (costing me 15 EUR and 1 week of waiting), and when it will arrive I'll be able to migrate it to an eSIM again!
Isn't technology amazing?
This was in Germany, the operator is Congstar, an MVNO using Deutsche Telekom's network.
In all fairness, this is Congstar being shit, a low-cost MVNO. They could also be shit by locking your SIM to the first IMEI they see on their network, so the only difference is that they need to establish a porting process for eSIM but haven't done so.
Exactly. I did not wanted to respond anymore, as the downvotes discouraged me to continue the discussion. I believe the “they are taking our freedoms!” do gather more attention.
When I wanted to move to a new phone, I simply deleted the data profile from my old phone and scanned the QR code on the new one, as the provider suggested. It just worked.
This assumes the provider wants to be nice and make it that way - yours does in this case. eSIM however gives them the option to make the QR codes single-use and require payment or additional verification before giving out another one.
Some commenters here are correctly saying that the carrier could technically prevent physical SIMs from being moved between phones by restricting which IMEIs are connecting to the network, but that's not usually done and there's an established convention that SIM cards can be moved around. eSIM gives them a blank slate to start over and break that convention without much backlash.
This was my thoughts as well. It seems like we just drove around in a circle and ended up back where we have to contact the provider when we change phones.
There’s still IMEI locks. A lot of prepaid carriers in Europe won’t or can’t sell you a SIM card for a US phone (one man claimed it was due to carriers trying to reduce phone theft). Note, my phone was fully paid for, and therefor unlocked.
With my Samsung Android phone I had to call my carrier's customer support and obtain the unlock code from them. So it wasn't unlocked automatically after it was fully paid for. When I traveled to Europe I just bought a local carrier SIM from a vending machine at the airport.
Automatic unlocks is mostly an iPhone thing. iOS manages SIM locks differently (in fact on modern devices the modem itself isn't even locked, instead it's all done at the OS-level; Apple has a mapping of serial number to authorized carrier(s), to which the carriers can request changes remotely without having to provide an unlock code or requiring any user action).
I share your concerns but at the same time I think, why would we even need a SIM? Isn't it simply a device for accessing account on someones system?
We don't have SIMs for ADSL or Fiber internet? We don't have SIMs for Reddit ot Twitter? Why would we have SIMs accessing GSM networks? There's no fundamental reason why we simply don't sign in into these networks like signing in to HN.
Surely, it adds a layer of anonymity and freedom where you simply use the system by paying it however there's an ongoing trend all over the world of de-anonymisation. In many places they are asking for ID and other documents in order to provide you with a SIM.
Physical SIM now means, it's yet another obsolete tech that costs money and takes space inside the devices only to sustain anonymity that is no longer desired.
SIM is just another causality on the way towards the tightly controlled world.
IMHO, it needs to happen at some point but we also need to rethink our rights in a world that is run by these huge networks.
Wouldn't be nice if our phones could have simply scanned for the networks, receive the offers from the available networks, pay and start using it?
Because SIMs require the physical card. You cannot forge a SIM without the SIM itself. There's a physical second factor. Usernames and passwords get leaked all the time, and since Reddit et al are meant to be accessed by multiple devices, device-locking them would be antithetical and anti-consumer.
A phone service is implicitly device-locked (well, doesn't have to be, but it doesn't make sense to allow multiple devices per number anyway). Just using device credentials could allow anyone to log in with that information and use your subscription or pose as you.
As for ADSL or other forms of internet, there is already a second factor - ISPs generally know from which vicinity you are connecting from, and when you log in with your account information in your modem, they can match what's on your account to your physical "drop" and assert that it is at least within the same neighborhood - again, creating a physical second factor. This is also why your internet service generally needs to be "moved" whenever you change your residence.
A SIM card allows the freedom as the GP mentioned, without requiring someone from the centralized authority to process the request somehow.
There is a huge difference if you think about it for a bit.
SIM is the second factor when it comes to proving that this device with this physical SIM is indeed accessing the network.
Fraudulent SIM swaps are attacking a different layer of the system, they are social-engineering underpaid idiots to associate a new SIM with a given account & number.
You could in theory social-engineer a bank to reissue someone's payment card and somehow intercept it in the post or steal it from their mailbox. That doesn't mean chip & PIN is insecure.
And from my understanding, these social engineering and sim swap problems are mostly ( if not all ) US specific. I have never heard anything near the order of magnitude of US sim swap from any other country. Most countries have Personal ID that are required and issued by government as verification. But even places like UK will require address and Driving License / Passport proof along with security questions.
I can only assume it's not more common because other scams are more profitable and/or not enough targets (banks, etc) use SMS 2FA as their only method of authentication so a SIM swap wouldn't give you much.
SIM cards are famously the weak link in the 2FA. They have all kind of security issues as they are computers themselves.
The way forward is to get rid of the SIM and access those carrier networks through credentials, ideally I would love to see it as a cryptographic receipt that you get from your payment provider and pass it to the the carrier as a proof of right for account and usage of their networks.
SMS-based 2FA's weakness is not due to SIM cards. It's due to carriers being shit.
SMS-based 2FA is not exploited by breaking any cryptography or exploiting some software vulnerability. It's by "asking nicely" the carrier's customer support idiots to associate a new SIM to the target account & number.
Replacing the SIM with username/password wouldn't do anything - instead of the attackers having to associate a new physical SIM they'll just associate a new set of credentials.
Those SIM engineers should build other unhackable systems too!
Anyway, it's not only social engineering but even if it was it simply means that it's useless for security.
Just yesterday, a friend of mine got a fringe hacking incident or a bug. We are not still sure if it was hack but somehow the SIM card in her phone identified as another number from another carrier. Who knows what happened, her SIM wasn't swapped it simply think that it's another number as she found out when started receiving notifications about her new number. Maybe it was Apple's bug or something but who cares, the physical SIM did not change anything.
> Those SIM engineers should build other unhackable systems too!
They did - see EMV payment cards for example.
> it simply means that it's useless for security.
It's not - SIMs close one attack vector where credentials can't be stolen by malware/bruteforced. Current SIM-swap attacks don't scale well; imagine how worse the problem would be if any Android malware could silently take over your number even after you've wiped the device clean.
The solution is to close the social-engineering attack vector by making carriers liable for any losses, not to remove a different layer of security because it's currently being bypassed by a different flaw.
> Who knows what happened
I doubt it was nefarious, I'll place my bets on misconfiguration somewhere. The telephone network is a massive mess and it could very well be that some carrier/equipment in the path rewrote the caller ID as something else.
Again, if you're skeptical of the government itself and allowing them to tap your communication lines, then I understand your hesitation here (although 2FA won't protect you against warrants), but outside of that it's actually simple incompetence of the carriers - SIM swap fraud attacks are common in North America but surprisingly fewer outside despite having the exact porting capabilities, probably because there's a waiting period (usually 48 hours) enforced where the current holder of the SIM card gets warnings about the impeding deactivation in other countries. Annoying if you lost your SIM card, sure, but is much better than having an unauthorised person getting a shiny new SIM card without warning.
> probably because there's a waiting period (usually 48 hours) enforced where the current holder of the SIM card gets warnings about the impeding deactivation in other countries
Not sure what's going on in other countries, but back when I was a phone store monkey in the UK this was not the case. A SIM swap could be done immediately and the previous SIM doesn't get any notification. If I remember right we needed to check ID, but we had no way nor proper training to tell a potential fake ID, nor what counts as an acceptable ID (the UK doesn't have mandatory ID cards, so a lot of people don't have ID) - I would defer to my manager in this case but I'm pretty sure the whole process was really at their discretion and whether the whole thing "feels" legit. Making it look like we'd get a sale is an easy way to sway the odds in your favour (we'd need to access the account anyway to make the sale, so you can play along and buy a new plan, and once we pulled up the account you can mention "oh BTW I need a new SIM" and we would oblige).
Fun fact: to access someone's account in-store we had to either text them a code and enter it in the web UI (good!) or provide knowledge-based answers such as amount of last bill, some digits of the ID/driver's license number or a security question answer. There was bruteforce protection, but here's the fun part - it was presumably implemented on the frontend only because you could reload the page on the last attempt and reset the counter of attempts! There were no consequences that I know of (neither from the company nor a notification/follow-up with the customer) to locking out an account either.
At least part of the system was Java-based (it blew up occasionally displaying a full stack trace full of PII) and was available over the Internet (there was a site-to-site VPN for the store, but the URL nevertheless loaded on a standard internet connection when I tried it probably due to misconfiguration, so it's very likely all of that was exposed during the Apache Struts or Log4J vulnerabilities).
I think the reason SIM Swap fraud isn't as common in the UK is either because getting the money out is more difficult or because other scams (authorized push payment fraud, scammers pretending to be tech support or tax authorities, etc) are just more profitable.
> There was bruteforce protection, but here's the fun part - it was presumably implemented on the frontend only because you could reload the page on the last attempt and reset the counter of attempts! There were no consequences that I know of (neither from the company nor a notification/follow-up with the customer) to locking out an account either.
Back when I had to use AllScripts EHR software, if I messed up my password three times, I'd just restart the client application. Bam, three more attempts, no need to wait ten minutes.
(I don't know if this is still the case, but I sure hope it's not.)
If you are skeptical of government, live off grid.
Sure are a lot of rugged individuals who can do it all (they claim) yet seem to not notice they hardly accomplish any more than anyone else without the help.
I’m skeptical of other humans period. You’re regurgitating the most reinforced rhetoric in your experience. You’re decoupled from the actual work implementing solutions to these problems, and the ease at which theft and fraud occur without technology.
There’s no such thing as a 100% secure system. Physics doesn’t allow it. Accept it. Lean into your biology to self soothe.
I may mistrust the government but like everything else it’s just people, not a black box.
Come on internet geniuses; open source and hardware are right there for you to make this happen. Get funding. Prove you can do better. Show you’re more than syntactic and semantic drivel.
The collective of people making your phone work are incompetent, says the person whose probably never tried. What a joke.
Yes - carriers managed to find a company even more incompetent than themselves and outsourced sensitive data to them. It doesn't make SIMs insecure. No amount of authentication will help if the party you're authenticating to then decides to send your data to a compromised third-party.
By the way, CDR processing (aka parsing CSV files and figuring out how much to charge - rocket science I know) is also routinely outsourced to the lowest bidders with no doubt terrible security practices: https://berthub.eu/articles/posts/5g-elephant-in-the-room/
> but it doesn't make sense to allow multiple devices per number anyway
Why not? This is a useful behavior that is currently emulated by forwarding calls to laptops and tablets with the same account when the devices are on the same Wi-Fi. You could get rid of the Wi-Fi requirement if those devices all simply had an eSIM with the same number.
Number assignment is handled at the network level. I have the exact functionality you speak of (single number to multiple devices) on my company's good old physical SIMs.
Phones & SIMs don't even know nor care about their own number. The SIM has a field for that but in fact it's often left empty (iOS devices discover their own number by texting a known Apple number and getting the response via the Internet, they'll then populate this field out of courtesy but it's not necessary for functionality).
When a call comes in, the carrier decides which SIM it should be routed to. When a SIM makes an outbound call, the carrier decides which number to set as caller ID.
The functionality you speak of has nothing to do with SIM vs eSIM, it's about carriers having to actually innovate and do some engineering. Their current oligopoly means there's no commercial pressure for them to do so, and there's no reason why they would suddenly do this with the switch to eSIMs.
> iOS devices discover their own number by texting a known Apple number and getting the response via the Internet, they'll then populate this field out of courtesy but it's not necessary for functionality
TIL! Is that why in some countries and some SIM cards my iPhone can automatically report its own phone number (when I look at my own profile under 'Contacts') and in some countries it doesn't do that?
Carriers who assign numbers to SIMs in advance could set that field directly. Others, either because they don't assign a number at the time of the SIM manufacture/personalization or just because they can't be bothered as it's not functionally necessary will leave it blank - in that case from my experience iPhones will populate the field with the number they get back from the iMessage & FaceTime provisioning step but again that's not actually necessary for functionality. The field is also user-editable in Settings -> Phone if you wish.
I didn't say either of those things weren't true. Perhaps I should have used "cloned" instead of "forged" to be clearer. You can't remotely clone a SIM unless you use an OTA exploit or something. It's not the 'normal' case.
The SIM card is even less secure than a username and password because someone just calls the carrier, reads out some sob story and gets your sim credentials transferred over to them.
The sim is nothing more than an auth token which can easily be duplicated.
> I share your concerns but at the same time I think, why would we even need a SIM?
In the Before Times: handy for travel. Having a (e)SIM for your personal number (but perhaps disable data), and when you arrive at your destination just pop in a new physical SIM for local data (and calling).
> We don't have SIMs for ADSL or Fiber internet?
I wish we did. At least for ADSL you can use PPPoE to login into a network with whatever hardware you wish to use instead of the telco's often janky, underpowered stuff. With fibre (GPON) they often lock in the MAC of the optic, so good luck using something else besides whatever is provided. If you're lucky you can remove the SFP module and put it into whatever you want.
This may not be useful for 99% of the population, but given this is HN we're on, I think a lot of folks can appreciate being 'hardware agnostic'.
Otherwise we're back to the 1960s when only Officially Approved™ equipment can be connected:
AFAIK PON based system needs encryption/decryption by ONU because it separates single fiber passively so downlink can be tapped. Encryption key is burned to each ONU.
(All? Most? Many?) ONTs support 802.1X for authenticating network access, which supports EAP. And EAP-SIM is one available mechanism, though usually used on the wireless side of networking.
In Canada, Bell had their "Home Hub 3000" and plenty of folks took out the optic and put it in their own hardware; this possibility was 'discontinued' with the Home Hub 4000, which no longer has a removable optic. There is nothing inherent on the ONT that limits connectivity except the arbitrary telco design choices.
Fiber is actually quite complex. Most residential fiber going in today is GPON, and those systems are authenticated by the ONT, which is somewhat analogous to a hardwired SIM. Theoretically, you could reverse engineer the ONT and create your own, but you can expect to get your account closed if they catch you.
Then you have companies like AT&T who also force you to use their godawful routers and actively work to close off methods that allow using your own router.
And if you have metro-E, chances are the ISP provides their own media converter. Doesn't matter that they charge a $12k install fee and $1200/mo (for 500/500 - actual Comcast bill in Nashville, TN), they still won't hand you an SFP+ module.
The reason for it is because they are physically provided to your house so it would be redundant, but if that wasn't a case, imagine if we did have SIM for ADSL or Fiber. Getting access to your Internet service wherever you go without extra charges.
> We don't have SIMs for Reddit ot Twitter?
> Why would we have SIMs accessing GSM networks? There's no fundamental reason why we simply don't sign in into these networks like signing in to HN.
We have login and password, which are like SIM, but you can memorize them.
Imagine if your access to Reddit, Twitter, HN was tied to your computer, because that's essentially what you're advocating for.
> Imagine if your access to Reddit, Twitter, HN was tied to your computer, because that's essentially what you're advocating for.
You have missed the point. OP is talking about how ridiculous having a physical bit of plastic to log in to the cell towers is. The physical sim provides next to no value.
And it comes at a heavy cost in space inside the phone as well as annoyance waiting for a new sim to ship in the mail. While esim providers email you a QR code and you are good to go immediately.
> Arguably we've become slaves to ecosystems of either Apple or Google at this point
I’m far more worried about the SIM cards than Apple or Google.
Did you know that SIM cards run Java? Or that they can send text messages from your phone directly to the baseband without going through the phone itself? Your SIM is probably sending data to your carrier without you knowing. ( https://scribe.rip/telecom-expert/what-is-at-t-doing-at-1111... )
Get rid of SIM cards and let’s move everything to purely digital number porting. That doesn’t mean you can’t add or change your provider when you travel, it just means you do it through the user interface instead of removing a little card that runs Java and has access to your baseband.
Sure, but the sim doesn't have access to the main CPU, main memory, storage, or sensors (without help from an app which can just as easily leak data without help from the sim) I fail to see how it compromises security any more than an eSIM.
The full portability won't be the same across multiple regions, especially internationally. Also, there is a good chance it gets tied to the device/contract you are on, similar to how the phone contracts in the US were a few years ago.
> Get rid of SIM cards and let’s move everything to purely digital number porting. That doesn’t mean you can’t add or change your provider when you travel, it just means you do it through the user interface instead of removing a little card that runs Java and has access to your baseband.
Here a different perceptive on this.
SIM: Great! my phone just broke and I need to call my insurance to get it replaced. Oh lucky I saved my older phone! That is so perfect because I can take the SIM from my primary phone and put it in the older phone. viola it works! all of that take within 5 mins.
Without SIM: Great! my phone just broke and I need to call my insurance to get it replaced. Oh lucky I still have my older phone... oh wait, they don't have a SIM. So I am stuck without my phone for a week and need to have access to my phone now! Wait let me see if I can open my older phone and see what I can do. turns on yay it still works... no cellular signal? Oh right right, I forgot this phone don't have SIM. Oh ok I guess I have to go through the internal app to get it over to this phone. Why this app kept failing?! C'mon I just need my phone to work because I am expecting calls for potential future job that I might get it! two weeks later with new phone at the door Great... I didn't get the job because the mobile company and insurance been dragging this long as possible. All of this might take two weeks.
This is why people favors SIM because it can be taken out and put in other phone within minutes. In other side, people will be stuck without phone for a while because of this stupidity.
> It's the revolution that GSM brought: just take your SIM and move it to a different phone. No permission required.
In virtually all countries sans a couple of dictatorships and other authoritarian regimes, you have many network providers to choose to buy an eSIM from - the US alone has 109 MVNOs plus the five network providers per https://en.wikipedia.org/wiki/List_of_United_States_mobile_v.... You also have the right to have your phone number ported.
When you want to switch your phone and your provider does not allow you to request a new eSIM profile, you can switch both the phone and the provider.
There are many things to criticize about modern phone markets - the lack of a right to root your phone and the lack of portability between app stores (not just purchases, but also stuff like game progress!) are the most important ones - but the switch to eSIM is not a problem at all.
Last time I was in SE Asia it wasn't uncommon to see people carrying multiple SIM cards. They were sold cheap and providers were constantly undercutting each other on mobile data. This was almost a decade ago now, but given how Asian variants of phones still have dual SIM slots I'm guessing it's still common.
Asian eSIMs are common now. For example the Thai travel sim you would get at the BKK airport can be purchased online as an eSIM - so you can skip that local queuing and currency exchange experience.
I have 4 SIM cards from 4 different countries that I need to keep. Mostly because I have bank accounts in those countries and banks either dislike foreign mobile phone numbers or accept them but then are unable to send any 2fa tokens quickly enough to those foreign phone numbers for the 2fa tokens to still be valid.
So, I actually wish I had a quadruple sim phone, as it is I have two dual sim phones to handle this (with one that mostly stays at home).
The viewpoint of never needing to change sim cards is very US centric (or better said, affluent people in a lot of other countries tend to need multiple SIM cards).
Presumably this will be an inflection point for eSIM availability and you'll be able to add all 4 plans to your phone and switch to any 2 of them on the fly.
You can't do quadruple esim, but arguably the experience with 4 esims on a single device is much better than carrying 4 sims.
"You can store more than one eSIM in your iPhone, but you can use only one at a time. To switch eSIMs, tap Settings, tap either Cellular or Mobile Data, and then tap the plan you want to use. Then tap Turn On This Line." [1]
On the iPhone 13, you can actually use two esims at the same time.
Out of the 4 sim cards I have, only one provider supports eSIM. And yes, I'm aware that some iphones can use dual sim with an eSIM but the HK model which is better is dual SIM (with no eSIM).
Need to send my phone to repair soon, if they say it will take more than a day then I will rent a phone from them. I can put my current sim in their replacement phone in a few seconds. Can't imagine how long it would take with the eSim.
"You don't do it so often" is not an argument for eSims
> It's the revolution that GSM brought: just take your SIM and move it to a different phone. No permission required.
This is not really true:
1. SIM-lock is a thing, where providers prevent you from using the phone with another SIM (because they sold you the phone below cost and you're paying it back through your subscription cost)
2. IMEI lock is a thing too, unfortunately. The situation might be different now but in 2011/2012 it was near impossible to use a local SIM in your phone in Japan because phone providers wanted to sell you a phone with a SIM so you can't use your desired phone.
In EU, an eSIM gives you the same "rights" as a physical SIM.
The biggest difference is that a physical SIM gives you a slightly higher level of security, at least in theory (then, phone carriers do a lot to screw this up anyway).
> eSIM gives you the same "rights" as a physical SIM.
What does this mean in practice though? Some carriers already charge to reissue an eSIM.
With a physical SIM you can use the same one until you break it. An eSIM is "consumed" when it is provisioned into a phone and you need the carrier's cooperation to get a new one which gives them the option to charge or just be assholes in general.
Where I live (Germany) this is completely unfeasible and untrustworthy for yet another reason: telcos and ISPs (the big telcos here are ISPs as well). There are not many industries where contract agreements are handled by electronic and manual processes so unreliably, erroneous and intransparently as they are at ISPs and telcos. I wouldn't trust them with managing an eSIM for me ever. Given how important a phone number is these days, again, never. When the simplest processes don't work (point in case: wanted to change a prepaid plan online (should be possible) -- it was not possible, buttons simply greyed out for no reason and/or missing, customer rep totally clueless).
You don't need a google account to use an android phone, there are fantastic open source apps on f-droid, and you can even access the play store without a google account using aurora store. If you have root you can fully degoogle (PITA but gratifying), even without it's a big privacy upgrade to just disable the google apps and log out of google.
I'm actually more worried about a different problem - I don't care about removing the physical SIM slot but I'm really concerned about halving the amount of numbers someone can have on a single device.
Phone numbers are an utterly terrible system. Having to give a single number out to everyone is a stupid beyond belief design that we just tolerate year after year. That SIM-based 2FA exists makes this even worse.
Apple has already shone a light on this and basically shown their customers that having a single primary-key-for-contact circulate to everyone is insane - which is why they now have the private relay for e-mail. I have my own reservations about the relay, but we really should move to single-number-per-contact and make that the norm.
And yes, I realise this wouldn't be supported by the current phone networks, which is why Apple/Google need to be the people to introduce a vendor-agnostic system as a layer above the current phone networks (akin to a private relay for phones).
This is not unprecedented - they've collaborated on a lot of standards before (matter is a recent example that comes to mind).
Multiple numbers is already technically possible and does not require eSIM. It does require the carrier to innovate and actually do some engineering though, and there's no market pressure for them to do so.
Vodafone UK still associates your contract with a phone number. That is, if you wanted to keep the contract and re-associate your phone number with a new contract that is not possible without paying for the remaining months on the contract.
Potentially, but my point is that it's a commercial decision or incompetence (maybe the number is used as the primary key for the contract record?) - technically there is no reason for this.
It’s incompetence driven by the market conditions: nobody on the market can do that and therefore no one is motivated to do that. I can understand that maybe not many customers ever need this too. AFAIK the engineer on the other side of the call said nobody provides such a service in the UK.
FYI, iPhone 13 generation devices already have 2 eSIMs, as in you can have dual standby without a physical SIM. I'm not a fan of this direction but I don't think we're going to lose dual SIM support.
I haven't thought about this too deeply, but I was thinking if you can have every phone come with "free" global network access - just data. i.e. get rid of the current tech for voice calls, so that all phone calls will be over a VOIP type service. And you can't use the phone without an active account with one of the providers that participate in this global access program. Each provider can bill other providers on the backend when a roaming subscriber uses their network.
This is exactly how I imagine it would work, albeit with a standard provision being made by Apple and Google as a starting point, something like a universal federated VOIP (they'll come up with a decent brand name for it obvs). If you're on Android you can get UFVOIP in your Google One subscription, or with Apple I'd assume it would be an iCloud+ feature. And then obviously slick contacts integration at the O/S level so that it's seamless to add a new contact - something like when you want to add someone you click "Add Contact" and it gives you a QR code for them to scan on their device to add you.
This could even generate a new relay e-mail for them in the same process so that a single QR code gives them the name and both a unique-to-them phone number and e-mail address to contact you, and adds it to their contacts automatically.
Sharing of contact details could be done by a side-channel:
1) Someone I already know and trust asks to share my contact details to a third party.
2) I get a prompt on my device asking to confirm I want to connect with this new person.
3) A diffie/hellman exchange sets up a secure channel between myself and this new third party.
4) We both confirm we want to add each other.
5) A unique e-mail address and phone number is generated on each device and sent across the channel to the other party.
6) Both parties have now established a new contact for the other party with contact details completely unique to them.
This would entirely resolve a whole class of issues around data protection/harassment/privacy.
If anyone at any time wishes to rescind contact permission they can just burn that contact link. Sure, you could be contacted via someone else that also knows both of you but there's a massive disincentive to pass along your details without your consent - you'll know who passed along your details because they'll be the same unique details you issued to someone else, and you can freely burn their contact link too.
To transfer an eSIM to your new iPhone, you can scan the QR code your network provider gave you, use your network provider's iPhone app or install an assigned mobile data plan. When your mobile data plan is activated on your new iPhone, the plan on your previous iPhone will deactivate.
There’s also https://support.apple.com/en-gb/HT210655: Find out how to transfer an eSIM or physical SIM from your previous iPhone to an eSIM on your new iPhone. You can also convert your physical SIM to an eSIM on your iPhone.
I think phones still can be SIM-locked, but AFAIK nothing changes there with eSIMs.
I just got a new iPhone and transferring a prepaid T-Mobile (US) eSIM from my old iPhone was not supported. T-Mobile say it themselves on their website.
> but AFAIK nothing changes there with eSIMs.
For all the advantages of eSIM, this is absolutely not true.
Oh you think the cookie bs right now is bad for your privacy, can't wait for this eSIM shit show to come to light in a few year, it will be absolute privacy nightmare.
> If you have purchased a recent smartphone directly from AT&T or T-Mobile, then you very likely have nothing to worry about here. However, if you’re using an unlocked device or a device on a custom ROM, then you’ll want to pay attention to what’s coming. Since AT&T whitelists devices for VoLTE compatibility, you won’t be able to BYOD to the carrier starting February 2022 unless the carrier changes its practices or whitelists a lot more devices.
Get a Huawei !! It's actually liberating: nothing Google made works on those, so you're forcefully put on a Google diet, it's not Apple, Huawei stuff are only really good if you'in China: you're stuck with F-Droid and the Aurora Store, surviving as you can without ANY integrated ecosystem.
It seems silly but I never felt so free, esp after I turned on an all-blocking firewall that only whitelist the apps I want, when I want.
But it's so easy to move an eSIM to a different phone - if this suddenly stopped you'd get a lot of public backlash, much like if moving a physical SIM stopped working. In the meantime, this works just fine switching eSIMs between devices, so your concern is just hypothetical, or have I missed something?
Waterproofing is a spectrum (https://support.apple.com/en-us/HT207043), and seals fail over time. The fewer holes from the outside of the device to the inside, the fewer points of failure for the waterproofing. It was an openly stated reason for the move, and the first Apple phones to ditch the jack were the first to hit IP67 as a result.
Sure, and those standards are immersion "up to 30 minutes" sort of scenarios. Do it day in and day out and the seals will fail over time.
Fewer seals, fewer seal failures. (Salt water can be fun on the metal contacts, too.) I expect Apple to go induction-only charging at some point, for similar reasons.
I think we'll see a big rise in phishing attacks if this comes to pass. Unlike physical SIMs where you can move them about yourself, you often have to call support to change an eSIM. So, mobile companies are going to have to make it even easier to change eSIMs. And it's not like mobile providers are known for security. T-Mobile gave up my personal details to the world along with 50 million others a few months back.
Depending on the country they cannot, in mine there are regulations, where they cant/wont move my number without my fingerprint verification and otp verification from an existing device
Presumably Apple executives, by virtue of working for a global company, are more likely than average to use dual-SIM or swap between SIMs when travelling. Don't they see that for a large segment of their existing market not having this feature might make it a deal-breaker when upgrading?
> Presumably Apple executives, by virtue of working for a global company, are more likely than average to use dual-SIM or swap between SIMs when travelling.
I’d imagine it’s the opposite. Presumably the company pays for their roaming charges so swapping SIMs is a foreign concept for them.
It's most profitable to get people on a weekly/monthly plan and every industry is trying to do this. In the future you will rent everything (phone included), and own nothing.
People are saying this is bad because you won't be able to swap phones without relying on the carrier to provision a new eSIM for you. I have the same gut reaction, but with my current physical SIM, I have to install the carrier's app, and there are many phones which don't work with my carrier, despite being unlocked phones and unlocked SIMs. And let's not forget that locking phones and SIMs has been common practice for awhile. So, while I don't have a good feeling about this, I'm not sure that the freedom of choice argument really holds water.
Your mobile network provider demands you to install an app? Thats… unique in my UK based experience.
Over here any provider apps are entirely optional and just a convenience AFAIK; and phones you’ve bought outright (or reached the end of the contract period on) are unlocked (or you have the right to have them unlock it).
Thats why this is a big change and potnetially bad news for many smaller UK operators who don’t currently have eSIM support baked into phones
I have literally never had to worry about my phone not taking the SIM out of the box. Put the SIM in, maybe reboot, and I'm off to the races. Is this a USA carrier thing??
One of the nice things about the internet is that IP addresses can't be (legally) tied to the person using it.
Smartphones are personal devices, and without SIM cards a network connection can be tied to the person using it. This is a fundamental change and we should think hard if we want that to happen.
I'm sure it's not all the evidence they had. You can definitely use an IP to aid an investigation but there's too much plausible deniability for "beyond a reasonable doubt" if all you have is a computer or an IP associated with a crime.
That'd be great for some specific countries or markets. One gateway to a network being removed isn't bad news. More traffic and bandwidth is used by Wi-Fi nowadays.
Just in case that future phone will be connected to a headset or IOT devices, it makes sense to give less priority to GSM functionality.
531 comments
[ 3.7 ms ] story [ 349 ms ] threadIt would certainly be against the industry as a whole!
> iPhone 13 models already support multiple eSIM profiles, allowing users to subscribe to several cellular plans digitally and switch between them, […]
Did you know your simcard contains Java Runtime Environment?
1. https://www.youtube.com/watch?v=scArc93XXWw
2. https://www.youtube.com/watch?v=31D94QOo2gY
I wonder if any environment uses log4j? (jk I hope. The JavaCard spec is fairly limited so maybe it's accidentally safe :D )
I used to have my main number as an eSim, and then inserted a travel SIM. Had to convert my eSim back to a real SIM card. Luckily it has dual SIM.
I hated having to call the provider when I was with Sprint and Verizon Wireless in the US, when I wanted to change the phone I was using. And that was mostly free and they had 24-hour hotlines. If you have to pay and can only call during business hours, it is a huge regression.
You buy a new phone, say you have an android and buy an iphone or reverse... you can easily move the sim card as you want. I'm not even sure how you would do that with eSIM.
And this is the first time I've heard of it. (and in with https://xkcd.com/1053/ before someone else does)
There are a ton of websites where you can immediately get esims for almost every country, why bother with physical sims?
I’ve probably used their sims in 30+ countries at this point, they’re even available in more exotic places like St Barthelemy or Moldova.
https://support.apple.com/guide/security/apple-pay-component...
From https://support.apple.com/en-us/HT209044
Meaning that swapping between phones now requires calling, possibly expensive, support lines and you better hope your phone issue didn't happen during holidays. And that you have a working backup phone. And you're not in a foreign country trying to put your SIM back.
It's a massive regression of convenience against simply swapping a small chip.
Yeah it's beginning to sound like replacing wired headphones with BT ones
if you are mocking the notion that it was courage to get rid of the headphone. Then you are correct But then again I got a phone with headphone jack but still prefer Bluetooth. Especially now when wearing masks,... no cables that get in the way of.taking off and putting on a mask.
It's not just wireless audio. The same happened with the Ethernet: while most people use WiFi, Ethernet (especially Gigabit and faster) also has its advantages. Removing an Ethernet port is not an improvement: it is a statement.
A USB port is also not that thick yet it has been dropped on many recent laptops, although a Thinkpad X1 Carbon shows it is possible to have USB, HDMI etc on a 2lb / 1kg machine.
Lenovo also sells the T480s, those are not substantially thicker (1.6 cm high) and beefier and come with a built-in ethernet (!) port.
Old: https://support.apple.com/library/APPLE/APPLECARE_ALLGEOS/SP...
New: https://awsimages.detik.net.id/community/media/visual/2021/1...
As per telecom regulation, you cannot get a new eSIM online. The only way is visiting telecom service center in person, verify your ID, pay the fee (about 10 USD), finally got a printed eSIM QR code.
It implies you must pay $10 when you switch to a new phone every time. worse than Physical SIM card.
In every case you still need to wait for the qr-code to be posted at your mailbox (even if you can sign the contract online).
You're looking for a solution created for a problem that doesn't need to exist.
Of course they do, eSIMs allow companies like airalo to exist. Surely Apple moving fully to eSIMs will bring even more competition to this space.
That's bollocks. An eSIM module is exactly the same chip as in a normal SIM card - right down to the electric specifications and communication protocols, so you can hook up a provisioned eSIM module to a phone or a SIM card to a device using an eSIM chip and it will Just Work (tm).
The only difference is that the eSIM module is allowing the baseband chip to flash a new set of cryptographic keys, a process that will (usually) require the cooperation of the main SoC to get and transmit said keys.
The only scenarios where an attacker could reprogram your SIM remotely is either a malicious actor in the provider network (at which point there is the question why an attacker would want to reprogram your SIM at that point, given all they can do is give your SIM card access keys to another network) or a malicious actor with an IMSI catcher.
In both scenarios the attacker would require an exploit in your specific baseband and the correct cryptographic keys (or yet another exploit) for the eSIM to accept the new profile... and at the degree of knowledge, hardware and the actual exploits required to get to the point a successful attack requires, your attacker will be a government or an NSO-scale enterprise. And seriously, at that point you already have lost anyway because they have exploits for the OS you're running on whatever device you use, they don't need to deal with taking over your SIM card.
Carrier incompetence will exist regardless of if the SIM is physical or virtual.
No, they can't - there is (at least for modern SIM cards and eSIM modules, see [1]) no way short of decapping the chip to extract the secret keys once they are on the chip, and even de-capping is something that the chip industry has gotten pretty good on defending against.
An attacker would have to request a new eSIM profile (aka, new keys) from your provider to hijack your number, which is an entirely different threat model.
[1]: https://www.kaspersky.com/blog/sim-card-history-clone-wars/1...
I’m not talking about getting the number from the phone, but directly from the operator.
A lot of phones already support eSIM. Apple will claim they invented it and some will copy the no Sim slot but there are still carriers that don't support eSIM so I don't see this taking off like removing the headphone jack.
If this happens though, all carriers will be forced their hand. Sometimes it's the only chance
It's still possible to access the network pesudo-anonomously with a physical sim, I can only assume a "selfie to activate eSim" is going to happen sooner rather than later.
In Germany you are already required to ID yourself for normal SIMs.
My father had to download a provider app to access a video call where he had to show his ID.
We need to stop assuming humans can connect to an endpoint over a network 24/7 365. There are times when you may not be able to, for all sorts of reasons, make a HTTP request at a given moment.
Networks fall over, riots happen, dictators just shut it off. Dangerous precedent to set.
But even if you don't have a connection now and try to provision it, I'd assume the phone would just cache the SM-DP code for later provisioning in the background when a connection is available.
Privacy-wise, there is no difference. It gives the carriers more opportunities to be assholes and justify some new hostile requirements due to the switch to eSIM, but once an eSIM is provisioned it behaves just like a physical SIM.
In one of my pubescent year, the same incident happened again; But this time, threw it to the ground and glass screen protector ate all the damage except the home button. Remember cutting my finger pressing it.
The final one is back in 2018. Threw my phone and it ended up breaking the wall instead.
(bit of sarcasm but I really miss headphone jacks in mobile phones)
Buy a USB-C/Lightning to 3.5mm dongle and leave it permanently attached. Not ideal I know.
But one benefit is that the DAC Apple designed in that dongle is so good that the sound quality far exceeds any phone with a built-in 3.5mm jack.
This is absolutely not true, there are a ton of phones with better DAC/amp combos than the one on the Apple dongle (and even when the dongle is better, it's frequently not better by enough to be audibly different). Unfortunately some of the best analog audio came on phones that were made by LG who threw in the towel last year.
[1]: https://www.audiosciencereview.com/forum/index.php?threads/r...
Currently I carry on my trips a spare phone that I can use to transfer my SIM card to and keep being able to receive various SMS messages needed for me to function at all.
So what do I do after the change?
As far as I can tell the physical sim slot is just a complete waste of space, I can’t use it anyway without toggling one of my esims off.
The long term SIM cards (Virgin UAE, Three HK, Lifecell Ukraine) with phone numbers I can easily transfer by going on the carrier apps or websites.
But we’re rapidly headed towards a data-only world where the SIMs are essentially disposable, there’s nothing you’d care about transferring except perhaps some prepaid data you have left.
- city centers, rendered noisy, rotted out of businesses, and replaced with parking lots - rural areas rendered completely car-dependent since roads are no longer walking-friendly - small towns who lost their entire downtown strip because people would rather drive their car to wal-mart - millions of pedestrian deaths worldwide per year because cars make it very easy to "accidentally" kill people
So... I guess the lesson is that it is exactly that kind of debate, and that there are pros and cons on both sides?
After a week of this nonsense, it occurred to me that maybe I could start over with a physical SIM card. I chatted with frontline support again, and he said he was positive that would work. (So why didn't anyone suggest that?!) I couldn't use the old card, because it was clearly beyond their capabilities to reactivate a perfectly good SIM card, but I was able to buy a new one at Best Buy and complete the process in about five minutes.
I would have swapped the card in the first place and been blissfully ignorant of the eSIM fiasco, but I somehow had it in my head that the iPhone used a smaller card than the five-year old phone it was replacing. It may not be eSIM's fault, per se, but if the design is dependent on carrier competence, it's fatally flawed, as far as I'm concerned.
While I love (and sometimes use) eSIMs, the physical SIM has a huge advantage in that it gives me freedom. It's the revolution that GSM brought: just take your SIM and move it to a different phone. No permission required.
Arguably we've become slaves to ecosystems of either Apple or Google at this point, as pretty much nobody uses a phone as "just a phone", you need to have an account with one of those behemoths in order to use just about any app. But still. The physical SIM is (was?) one of the last remnants of the freedom we had to switch phones.
Which kind of highlighted that it was a dark-pattern that only served to trick customers.
Kind of reinforces the notion that we should be worried...
The e-SIM provisioning process is under the control of the carrier. They give you a QR code (or SM-DP string) which you scan/enter, your phone then contacts the carrier and after some back and forth acquires cryptographic keys which are stored in the eSIM chip.
There is no way to extract these cryptographic keys and enter them into another phone. Instead, you have to repeat the whole process and get a new QR code from the carrier. They may charge for this, or just be a pain in general and make it difficult or refuse for whatever reason.
I can see them taking advantage of this to prevent travellers using local SIMs for example - sure you can delete your eSIM and get a local one, but getting your own eSIM back will be difficult or outright impossible if you're still travelling (they may require physical ID verification, etc).
I’m not sure why nextgrid is constructing this weird technological strawman.
With eSIM, not only are they in control of switching eSIMs between devices but it also gives them a clean slate to introduce the aforementioned network-level restriction under excuses such as security (though again since they're in control of switching eSIMs they can just block it there or be annoying in other ways - some carriers already charge for reissuing eSIMs despite it being a completely automated process).
Even worse, in many real cases. Let me give you an example, happened to me this October:
I get a new phone. I browse my carrier's website to find out how to transfer the eSim to the new one, but find nothing. I call them, they tell me it's impossible. I ask them to double check because this doesn't seem realistic - after one day of internal checks, they contact me saying they found a way! I just have to request to be migrated back to a physical SIM (costing me 15 EUR and 1 week of waiting), and when it will arrive I'll be able to migrate it to an eSIM again!
Isn't technology amazing?
This was in Germany, the operator is Congstar, an MVNO using Deutsche Telekom's network.
Utter nonsense. There's no technical requirement to get a new QR code, this is up to the carrier.
Why are there so many people spreading straight up lies in this thread?
When I wanted to move to a new phone, I simply deleted the data profile from my old phone and scanned the QR code on the new one, as the provider suggested. It just worked.
Some commenters here are correctly saying that the carrier could technically prevent physical SIMs from being moved between phones by restricting which IMEIs are connecting to the network, but that's not usually done and there's an established convention that SIM cards can be moved around. eSIM gives them a blank slate to start over and break that convention without much backlash.
We don't have SIMs for ADSL or Fiber internet? We don't have SIMs for Reddit ot Twitter? Why would we have SIMs accessing GSM networks? There's no fundamental reason why we simply don't sign in into these networks like signing in to HN.
Surely, it adds a layer of anonymity and freedom where you simply use the system by paying it however there's an ongoing trend all over the world of de-anonymisation. In many places they are asking for ID and other documents in order to provide you with a SIM.
Physical SIM now means, it's yet another obsolete tech that costs money and takes space inside the devices only to sustain anonymity that is no longer desired.
SIM is just another causality on the way towards the tightly controlled world.
IMHO, it needs to happen at some point but we also need to rethink our rights in a world that is run by these huge networks.
Wouldn't be nice if our phones could have simply scanned for the networks, receive the offers from the available networks, pay and start using it?
A phone service is implicitly device-locked (well, doesn't have to be, but it doesn't make sense to allow multiple devices per number anyway). Just using device credentials could allow anyone to log in with that information and use your subscription or pose as you.
As for ADSL or other forms of internet, there is already a second factor - ISPs generally know from which vicinity you are connecting from, and when you log in with your account information in your modem, they can match what's on your account to your physical "drop" and assert that it is at least within the same neighborhood - again, creating a physical second factor. This is also why your internet service generally needs to be "moved" whenever you change your residence.
A SIM card allows the freedom as the GP mentioned, without requiring someone from the centralized authority to process the request somehow.
There is a huge difference if you think about it for a bit.
Fraudulent SIM swaps are attacking a different layer of the system, they are social-engineering underpaid idiots to associate a new SIM with a given account & number.
You could in theory social-engineer a bank to reissue someone's payment card and somehow intercept it in the post or steal it from their mailbox. That doesn't mean chip & PIN is insecure.
I was a phone store monkey in the UK a few years back and a dedicated attacker can absolutely bypass this: https://news.ycombinator.com/item?id=29714400
I can only assume it's not more common because other scams are more profitable and/or not enough targets (banks, etc) use SMS 2FA as their only method of authentication so a SIM swap wouldn't give you much.
The way forward is to get rid of the SIM and access those carrier networks through credentials, ideally I would love to see it as a cryptographic receipt that you get from your payment provider and pass it to the the carrier as a proof of right for account and usage of their networks.
SMS-based 2FA is not exploited by breaking any cryptography or exploiting some software vulnerability. It's by "asking nicely" the carrier's customer support idiots to associate a new SIM to the target account & number.
Replacing the SIM with username/password wouldn't do anything - instead of the attackers having to associate a new physical SIM they'll just associate a new set of credentials.
Anyway, it's not only social engineering but even if it was it simply means that it's useless for security.
Just yesterday, a friend of mine got a fringe hacking incident or a bug. We are not still sure if it was hack but somehow the SIM card in her phone identified as another number from another carrier. Who knows what happened, her SIM wasn't swapped it simply think that it's another number as she found out when started receiving notifications about her new number. Maybe it was Apple's bug or something but who cares, the physical SIM did not change anything.
They did - see EMV payment cards for example.
> it simply means that it's useless for security.
It's not - SIMs close one attack vector where credentials can't be stolen by malware/bruteforced. Current SIM-swap attacks don't scale well; imagine how worse the problem would be if any Android malware could silently take over your number even after you've wiped the device clean.
The solution is to close the social-engineering attack vector by making carriers liable for any losses, not to remove a different layer of security because it's currently being bypassed by a different flaw.
> Who knows what happened
I doubt it was nefarious, I'll place my bets on misconfiguration somewhere. The telephone network is a massive mess and it could very well be that some carrier/equipment in the path rewrote the caller ID as something else.
To drive the point home - this is a SIM card: https://upload.wikimedia.org/wikipedia/commons/5/55/Thuraya_... (although you can remove the mini-sim in this revision, originally they were exactly like modern EMV cards).
Again, if you're skeptical of the government itself and allowing them to tap your communication lines, then I understand your hesitation here (although 2FA won't protect you against warrants), but outside of that it's actually simple incompetence of the carriers - SIM swap fraud attacks are common in North America but surprisingly fewer outside despite having the exact porting capabilities, probably because there's a waiting period (usually 48 hours) enforced where the current holder of the SIM card gets warnings about the impeding deactivation in other countries. Annoying if you lost your SIM card, sure, but is much better than having an unauthorised person getting a shiny new SIM card without warning.
Not sure what's going on in other countries, but back when I was a phone store monkey in the UK this was not the case. A SIM swap could be done immediately and the previous SIM doesn't get any notification. If I remember right we needed to check ID, but we had no way nor proper training to tell a potential fake ID, nor what counts as an acceptable ID (the UK doesn't have mandatory ID cards, so a lot of people don't have ID) - I would defer to my manager in this case but I'm pretty sure the whole process was really at their discretion and whether the whole thing "feels" legit. Making it look like we'd get a sale is an easy way to sway the odds in your favour (we'd need to access the account anyway to make the sale, so you can play along and buy a new plan, and once we pulled up the account you can mention "oh BTW I need a new SIM" and we would oblige).
Fun fact: to access someone's account in-store we had to either text them a code and enter it in the web UI (good!) or provide knowledge-based answers such as amount of last bill, some digits of the ID/driver's license number or a security question answer. There was bruteforce protection, but here's the fun part - it was presumably implemented on the frontend only because you could reload the page on the last attempt and reset the counter of attempts! There were no consequences that I know of (neither from the company nor a notification/follow-up with the customer) to locking out an account either.
At least part of the system was Java-based (it blew up occasionally displaying a full stack trace full of PII) and was available over the Internet (there was a site-to-site VPN for the store, but the URL nevertheless loaded on a standard internet connection when I tried it probably due to misconfiguration, so it's very likely all of that was exposed during the Apache Struts or Log4J vulnerabilities).
I think the reason SIM Swap fraud isn't as common in the UK is either because getting the money out is more difficult or because other scams (authorized push payment fraud, scammers pretending to be tech support or tax authorities, etc) are just more profitable.
Back when I had to use AllScripts EHR software, if I messed up my password three times, I'd just restart the client application. Bam, three more attempts, no need to wait ten minutes.
(I don't know if this is still the case, but I sure hope it's not.)
Sure are a lot of rugged individuals who can do it all (they claim) yet seem to not notice they hardly accomplish any more than anyone else without the help.
I’m skeptical of other humans period. You’re regurgitating the most reinforced rhetoric in your experience. You’re decoupled from the actual work implementing solutions to these problems, and the ease at which theft and fraud occur without technology.
There’s no such thing as a 100% secure system. Physics doesn’t allow it. Accept it. Lean into your biology to self soothe.
I may mistrust the government but like everything else it’s just people, not a black box.
Come on internet geniuses; open source and hardware are right there for you to make this happen. Get funding. Prove you can do better. Show you’re more than syntactic and semantic drivel.
The collective of people making your phone work are incompetent, says the person whose probably never tried. What a joke.
By the way, CDR processing (aka parsing CSV files and figuring out how much to charge - rocket science I know) is also routinely outsourced to the lowest bidders with no doubt terrible security practices: https://berthub.eu/articles/posts/5g-elephant-in-the-room/
Why not? This is a useful behavior that is currently emulated by forwarding calls to laptops and tablets with the same account when the devices are on the same Wi-Fi. You could get rid of the Wi-Fi requirement if those devices all simply had an eSIM with the same number.
Phones & SIMs don't even know nor care about their own number. The SIM has a field for that but in fact it's often left empty (iOS devices discover their own number by texting a known Apple number and getting the response via the Internet, they'll then populate this field out of courtesy but it's not necessary for functionality).
When a call comes in, the carrier decides which SIM it should be routed to. When a SIM makes an outbound call, the carrier decides which number to set as caller ID.
The functionality you speak of has nothing to do with SIM vs eSIM, it's about carriers having to actually innovate and do some engineering. Their current oligopoly means there's no commercial pressure for them to do so, and there's no reason why they would suddenly do this with the switch to eSIMs.
TIL! Is that why in some countries and some SIM cards my iPhone can automatically report its own phone number (when I look at my own profile under 'Contacts') and in some countries it doesn't do that?
Carriers who assign numbers to SIMs in advance could set that field directly. Others, either because they don't assign a number at the time of the SIM manufacture/personalization or just because they can't be bothered as it's not functionally necessary will leave it blank - in that case from my experience iPhones will populate the field with the number they get back from the iMessage & FaceTime provisioning step but again that's not actually necessary for functionality. The field is also user-editable in Settings -> Phone if you wish.
Your SIM provider certainly can issue a duplicate. Also, SIMs can be spoofed.
The sim is nothing more than an auth token which can easily be duplicated.
In the Before Times: handy for travel. Having a (e)SIM for your personal number (but perhaps disable data), and when you arrive at your destination just pop in a new physical SIM for local data (and calling).
> We don't have SIMs for ADSL or Fiber internet?
I wish we did. At least for ADSL you can use PPPoE to login into a network with whatever hardware you wish to use instead of the telco's often janky, underpowered stuff. With fibre (GPON) they often lock in the MAC of the optic, so good luck using something else besides whatever is provided. If you're lucky you can remove the SFP module and put it into whatever you want.
This may not be useful for 99% of the population, but given this is HN we're on, I think a lot of folks can appreciate being 'hardware agnostic'.
Otherwise we're back to the 1960s when only Officially Approved™ equipment can be connected:
* https://www.cybertelecom.org/notes/att_antitrust.htm
In Canada, Bell had their "Home Hub 3000" and plenty of folks took out the optic and put it in their own hardware; this possibility was 'discontinued' with the Home Hub 4000, which no longer has a removable optic. There is nothing inherent on the ONT that limits connectivity except the arbitrary telco design choices.
Fiber is actually quite complex. Most residential fiber going in today is GPON, and those systems are authenticated by the ONT, which is somewhat analogous to a hardwired SIM. Theoretically, you could reverse engineer the ONT and create your own, but you can expect to get your account closed if they catch you.
Then you have companies like AT&T who also force you to use their godawful routers and actively work to close off methods that allow using your own router.
And if you have metro-E, chances are the ISP provides their own media converter. Doesn't matter that they charge a $12k install fee and $1200/mo (for 500/500 - actual Comcast bill in Nashville, TN), they still won't hand you an SFP+ module.
The reason for it is because they are physically provided to your house so it would be redundant, but if that wasn't a case, imagine if we did have SIM for ADSL or Fiber. Getting access to your Internet service wherever you go without extra charges.
> We don't have SIMs for Reddit ot Twitter? > Why would we have SIMs accessing GSM networks? There's no fundamental reason why we simply don't sign in into these networks like signing in to HN.
We have login and password, which are like SIM, but you can memorize them.
Imagine if your access to Reddit, Twitter, HN was tied to your computer, because that's essentially what you're advocating for.
You have missed the point. OP is talking about how ridiculous having a physical bit of plastic to log in to the cell towers is. The physical sim provides next to no value.
And it comes at a heavy cost in space inside the phone as well as annoyance waiting for a new sim to ship in the mail. While esim providers email you a QR code and you are good to go immediately.
I’m far more worried about the SIM cards than Apple or Google.
Did you know that SIM cards run Java? Or that they can send text messages from your phone directly to the baseband without going through the phone itself? Your SIM is probably sending data to your carrier without you knowing. ( https://scribe.rip/telecom-expert/what-is-at-t-doing-at-1111... )
Get rid of SIM cards and let’s move everything to purely digital number porting. That doesn’t mean you can’t add or change your provider when you travel, it just means you do it through the user interface instead of removing a little card that runs Java and has access to your baseband.
There's a common misconception that SIM == number. That's not the case. The SIM is simply the identity of your device to a carrier.
> a little card that runs Java
I believe (it's now been a few years since I've skimmed the spec) that the eSIM chip can also run Java and download applets.
Here a different perceptive on this.
SIM: Great! my phone just broke and I need to call my insurance to get it replaced. Oh lucky I saved my older phone! That is so perfect because I can take the SIM from my primary phone and put it in the older phone. viola it works! all of that take within 5 mins.
Without SIM: Great! my phone just broke and I need to call my insurance to get it replaced. Oh lucky I still have my older phone... oh wait, they don't have a SIM. So I am stuck without my phone for a week and need to have access to my phone now! Wait let me see if I can open my older phone and see what I can do. turns on yay it still works... no cellular signal? Oh right right, I forgot this phone don't have SIM. Oh ok I guess I have to go through the internal app to get it over to this phone. Why this app kept failing?! C'mon I just need my phone to work because I am expecting calls for potential future job that I might get it! two weeks later with new phone at the door Great... I didn't get the job because the mobile company and insurance been dragging this long as possible. All of this might take two weeks.
This is why people favors SIM because it can be taken out and put in other phone within minutes. In other side, people will be stuck without phone for a while because of this stupidity.
In virtually all countries sans a couple of dictatorships and other authoritarian regimes, you have many network providers to choose to buy an eSIM from - the US alone has 109 MVNOs plus the five network providers per https://en.wikipedia.org/wiki/List_of_United_States_mobile_v.... You also have the right to have your phone number ported.
When you want to switch your phone and your provider does not allow you to request a new eSIM profile, you can switch both the phone and the provider.
There are many things to criticize about modern phone markets - the lack of a right to root your phone and the lack of portability between app stores (not just purchases, but also stuff like game progress!) are the most important ones - but the switch to eSIM is not a problem at all.
Discloser: I sell eSIMs.
So, I actually wish I had a quadruple sim phone, as it is I have two dual sim phones to handle this (with one that mostly stays at home).
The viewpoint of never needing to change sim cards is very US centric (or better said, affluent people in a lot of other countries tend to need multiple SIM cards).
"You can store more than one eSIM in your iPhone, but you can use only one at a time. To switch eSIMs, tap Settings, tap either Cellular or Mobile Data, and then tap the plan you want to use. Then tap Turn On This Line." [1]
On the iPhone 13, you can actually use two esims at the same time.
[1] https://support.apple.com/en-us/HT209044
"You don't do it so often" is not an argument for eSims
This is not really true:
1. SIM-lock is a thing, where providers prevent you from using the phone with another SIM (because they sold you the phone below cost and you're paying it back through your subscription cost)
2. IMEI lock is a thing too, unfortunately. The situation might be different now but in 2011/2012 it was near impossible to use a local SIM in your phone in Japan because phone providers wanted to sell you a phone with a SIM so you can't use your desired phone.
The biggest difference is that a physical SIM gives you a slightly higher level of security, at least in theory (then, phone carriers do a lot to screw this up anyway).
What does this mean in practice though? Some carriers already charge to reissue an eSIM.
With a physical SIM you can use the same one until you break it. An eSIM is "consumed" when it is provisioned into a phone and you need the carrier's cooperation to get a new one which gives them the option to charge or just be assholes in general.
Phone numbers are an utterly terrible system. Having to give a single number out to everyone is a stupid beyond belief design that we just tolerate year after year. That SIM-based 2FA exists makes this even worse.
Apple has already shone a light on this and basically shown their customers that having a single primary-key-for-contact circulate to everyone is insane - which is why they now have the private relay for e-mail. I have my own reservations about the relay, but we really should move to single-number-per-contact and make that the norm.
And yes, I realise this wouldn't be supported by the current phone networks, which is why Apple/Google need to be the people to introduce a vendor-agnostic system as a layer above the current phone networks (akin to a private relay for phones).
This is not unprecedented - they've collaborated on a lot of standards before (matter is a recent example that comes to mind).
This could even generate a new relay e-mail for them in the same process so that a single QR code gives them the name and both a unique-to-them phone number and e-mail address to contact you, and adds it to their contacts automatically.
Sharing of contact details could be done by a side-channel:
1) Someone I already know and trust asks to share my contact details to a third party.
2) I get a prompt on my device asking to confirm I want to connect with this new person.
3) A diffie/hellman exchange sets up a secure channel between myself and this new third party.
4) We both confirm we want to add each other.
5) A unique e-mail address and phone number is generated on each device and sent across the channel to the other party.
6) Both parties have now established a new contact for the other party with contact details completely unique to them.
This would entirely resolve a whole class of issues around data protection/harassment/privacy.
If anyone at any time wishes to rescind contact permission they can just burn that contact link. Sure, you could be contacted via someone else that also knows both of you but there's a massive disincentive to pass along your details without your consent - you'll know who passed along your details because they'll be the same unique details you issued to someone else, and you can freely burn their contact link too.
Transfer an eSIM from your previous iPhone
To transfer an eSIM to your new iPhone, you can scan the QR code your network provider gave you, use your network provider's iPhone app or install an assigned mobile data plan. When your mobile data plan is activated on your new iPhone, the plan on your previous iPhone will deactivate.
There’s also https://support.apple.com/en-gb/HT210655: Find out how to transfer an eSIM or physical SIM from your previous iPhone to an eSIM on your new iPhone. You can also convert your physical SIM to an eSIM on your iPhone.
I think phones still can be SIM-locked, but AFAIK nothing changes there with eSIMs.
> but AFAIK nothing changes there with eSIMs.
For all the advantages of eSIM, this is absolutely not true.
https://www.xda-developers.com/t-mobile-att-require-volte-ph...
> If you have purchased a recent smartphone directly from AT&T or T-Mobile, then you very likely have nothing to worry about here. However, if you’re using an unlocked device or a device on a custom ROM, then you’ll want to pay attention to what’s coming. Since AT&T whitelists devices for VoLTE compatibility, you won’t be able to BYOD to the carrier starting February 2022 unless the carrier changes its practices or whitelists a lot more devices.
It seems silly but I never felt so free, esp after I turned on an all-blocking firewall that only whitelist the apps I want, when I want.
Should? Maybe not. One goal of removing SIM and headphone jack is to reduce opportunities for water intrusion.
Fewer seals, fewer seal failures. (Salt water can be fun on the metal contacts, too.) I expect Apple to go induction-only charging at some point, for similar reasons.
Waterproofing is possible right now and works for almost all normal use cases. No need to remove features.
What Apple is doing is definitely not for waterproofing.
I don't know why you believe.
So are you going to venture that Tim Cook is using an iPhone built for the American or Chinese market?
[1] https://support.apple.com/en-us/HT209086
I’d imagine it’s the opposite. Presumably the company pays for their roaming charges so swapping SIMs is a foreign concept for them.
Thats why this is a big change and potnetially bad news for many smaller UK operators who don’t currently have eSIM support baked into phones
Apple keeps making it very difficult for me to want to keep purchasing their products.
Smartphones are personal devices, and without SIM cards a network connection can be tied to the person using it. This is a fundamental change and we should think hard if we want that to happen.
FBI does it all the time. They send in an IP, then we track the MAC to the device. Seen a few arrested based on this.
Just in case that future phone will be connected to a headset or IOT devices, it makes sense to give less priority to GSM functionality.