by JoachimSchipper 3523 days ago
The SIM card is a smart card, i.e. a secure piece of hardware, that protects the telephone network from the subscriber - most importantly, it ensures that the network has someone to bill.

In most western countries, SIMs do little else; however, they are full application platforms, allowing stuff like Kenya's mobile payment network https://en.wikipedia.org/wiki/M-Pesa.

For what it's worth, you really don't want to have every network provider negotiate with Samsung for the particular access policy of that network. "Not compatible with your telephone" indeed!

The SIM card is a smart card

If you have a credit/debit card with a chip, look at the arrangement of the contacts and compare to a SIM card. It's essentially the same standard (ISO 7816) at the lower layers, but with different application-layer protocols on top.

Also, as a matter of being the only device in possession of the subscriber but arguably owned by the telco, I'd definitely prefer it to be a removable piece which communicates over a standard interface. The alternative of embedding it into the handset is far worse from the perspective of lock-in and perhaps security.

/me puts on tinfoil hat

The SIM card has one important difference. It lives in a device that provides it with 24/7 battery and radio access.

That is really worrisome when you think about it. A tiny computer running applications you have no idea of or access to, powered 24/7, always with you, with access to battery, network, mic, etc. And the other side of the network that could monitor its traffic for malicious actions is owned by the very people that could abuse it in the first place.

It's no different than having no SIM: if your phone wants to spy on you, it doesn't need a SIM card. It's the phone that transceives the signals, and it can do so without a SIM card. The SIM card authenticates you to the network, but you control the device and the network around the device; there's no need for a SIM card.
If there was an open standards-compliant protocol it could be implemented open-source and trusted. You could create an entire open operating system and use open hardware to know everything happening on your phone. That is different than having a SIM, which is a piece of mystery hardware the phone company could do anything with.
They already have control of all your traffic so what's the harm? Take the sim out of your phone in case you are really worried, but that would cut you off the network as well.

I'd be far more concerned with the hundreds of microcontrollers running proprietary code.

The SIM, being a physical piece of hardware plugged into my phone, could easily be used as an attack vector for my phone company to root my phone. Hardware plugged into my phone is a much more vulnerable attack surface than control of network traffic.
The selling point of the SIM is that it is "trusted computing", meaning the user is left out by design.
Yes, but now your Telco can also do those things.
So? The point is that the SIM IS there already. Yeah, you can have more vulnerabilities, but that one is a given.
> powered 24/7

Is it? When you turn on "airplane mode" on a phone, is there a reason for the SIM to still be receiving power at that point?

> Is it?

Easy to test: add a SIM pin, turn on airplane mode and reboot your phone.

yes.

The SIM has direct access to the radio and other modules, by design. It only needs the actual phone CPU/OS for the user interface.

If it wants to take the radio out of silent mode, it can.

That seems like it wouldn't comply with FAA regulations.

I always presumed "airplane mode" was the specific set of features required by the FAA to enable the phone to do the same thing as a phone that's off, from the perspective of potential interference with a plane's communications.

If the SIM can still enable and use the radio despite "airplane mode" being on, then "airplane mode" is not really "a mode for making your phone safe to stay on while on an airplane."

It's actually an FCC regulation that prevents people using cellular devices on airplanes, and the issue isn't "interference with avionics" but "violating some fundamental assumptions that the existing cellular network is based on" like devices not travelling 600mph or having the ability to transmit signals for dozens of miles.
You can actually enable wifi yourself even while airplane mode is enabled - try it!
Yes, and that is not new.

Try this: enable airplane mode and then open any app that has system permission to change GPS or Bluetooth or wifi settings. It will enable those radios and the UI will still show the little airplane there.

For tinfoil wearers, the SIM card is not as much of an issue as the baseband modem itself.
Phones can be directly accessed over a network via IMEI
That's what Sprint did, and why you couldn't use Sprint LTE equipment (that would otherwise be compatible) abroad. They basically hardwired the SIM to an existing design...
Yes but if we have credit cards which can be charged simply by copying a few numbers that can be read visually off the card, then why do we need SIMs really?

In other words, SIMs seem disproportionately secure w.r.t. credit cards.

In Estonia, you can use your SIM to create a government-recognized digital signature. [1] Thus, you not only identify yourself to the mobile operator, but you can also identify yourself to banks, government services, and more.

[1] https://e-estonia.com/component/mobile-id/

The same idea is used in Norway. Most banks and public services (e.g. tax returns) use this system for online two-factor authentication.

[1] https://www.bankid.no/en/

Didn't NIST just say two factor via mobile is a "bad idea"? Have Norway or Estonia responded?

EDIT: Thank you whoever downvoted an honest question that added to the discussion

The bad idea is being sent a (potentially interceptable) SMS with a code.

The Estonian method is described as using a private key present on the SIM card, just like a normal smart card used for authenticating/signing.

That's how every bank I know in Australia, at least 2 US banks and 4 European banks do it. Transfer (sometimes login too)? Code over SMS.

Besides, pretty much all banks simply use 2 or 3 factor authentication as an anticompetitive tactic (half the businesses in most countries pay the banks $200-300 per month just for scheduled download of transactions).

I think that was for SMS, not specifically mobile.
Same in Lithuania. Have been using mobile signature, as it is called, for years; very convenient.
Here is a great video [0] with an exploration of using SIMs for a (very) micro telco, including a discussion of the APIs available.

[0] https://www.youtube.com/watch?v=_-nxemBCcmU

Doesn't every login form on the web also protect the respective operator from the subscriber? Why can't a "software SIM" simply be a username and a password?

My explanation is that it's difficult to change something that literally the entire world uses.

Because username and password is a disaster for security. Its sole purpose is to let ANY guy ANYwhere on the planet connect to your account.

SIM cards are cryptographic hardware tokens. They are much more secure than passwords.

In fact, they do need a password as well on top of the hardware token, that's the 'PIN code' you have to enter when you (re)boot your phone.

In practice SIM cards don't give you much physical security anyway.

I transferred my mobile phone number etc. over to a new SIM card the other week and all I needed was name, address, DOB and proof of ID... of course my network didn't have any of these on file yet, so I had to first tell them these details, and then show ID to verify that I was who I had just told them that I should be. Yeah... this is the state of consumer mobile security.

None of this required physical access to the phone; I just had to log in to their website, with a username and password, and change my details.

On most networks you can steal someone's mobile number with just a few minutes of physical access and a bit of planning.

But that's the choice of the network operator. The SIM itself is still completely unique and identifiable; they just chose to allow customers to re-map SIMs on the fly.
And this is the norm all over the world. And SIMs cannot exist without the network operator. So in the end, this is the worst vulnerability of SIM cards.
SIM cards come from an era where mobile phone contracts were much less common and more expensive, and therefore cloning phones cost the providers a lot of money. I assume the security requirements for reissuing SIMs were also higher back then.
Most of the internet runs on usernames/passwords. I understand that a hardware token (with a PIN) is more secure. But is it worth the added complexity?
The SIM protects the carrier against "account sharing". It allows them to be sure that a subscriber is only using one phone at once - although it's portable between phones.

It means that carriers don't have to maintain "sessions" centrally. The SIM can authenticate you to the base station without the base station having to check back to see if you're logged in elsewhere - vital in reducing the latency of cell changes.

(It also stores various bits of technical information for SMS/MMS routing, and was intended to be a platform for "value added" applications.)

Account sharing in a telco context is a bad thing all around. Which phone would you like to ring? How do you ensure the charges really are made by (and to) the right person? How will you protect against messages with important information landing with the wrong party?

Authentication in a telco context is a good thing, the fact that the web doesn't have it enabled a large number of applications to flourish, it also made some other things devilishly hard, or even almost impossible.

Carriers do maintain sessions centrally though. These are the HLR and VLR: home location register and visitor location register. This is how "hand offs" between towers work. Handsets don't authenticate to the base station; the base station proxies those back to the MSC (mobile switching center), and they are looked up in the EIR (Equipment Identity Register).
Do you happen to know of a good breakdown of how mobile networks work? I'd love to know more, but it's hard to get a handle on it to get started.
> It allows them to be sure that a subscriber is only using one phone at once

Only on the home network; everybody who knows your IMSI and has low-level access to the phone network can clone your identity in roaming.

There is no added complexity. Just buy a SIM card and put it in your phone. It is very simple and straightforward.

The alternatives are worse in usability AND security.

> But is it worth the added complexity?

If you don't want your account to be hacked: yes.

I'd very much argue that a hardware token is more secure, and less complex, especially with multiple devices. It's a lot easier to remember where you put your smart card than to need to get a password store somewhere shareable, to secure that, to remember to put passwords in the store, etc.
We're moving away from usernames and passwords though, into 2-factor systems such as... smart cards (Chip and PIN). Regressing phones back into usernames and passwords is a clear step backwards in security.
Yes, and remember too that SIMs are standardised technology from the mid-1990s, originating in GSM. It's not a trivial matter to change security in globally standardised technology.

(And even if you did, it would need to be backward-compatible and still support SIM cards.)

There is a good deal more to telecoms tech than just the tech side - the standardisation process brings a whole bunch of competitor companies into a room to develop a solution, incrementally over a number of years.

This applies from physical aspects all the way up to higher level concerns like security. It's a fascinating development process.

Who would you want to hold your 'software SIM' username and password? What's to stop someone else from logging in to your account once they have your credentials?
I have hundreds of usernames and passwords for various web sites and don't see a problem in having one more(?)
Interesting. I try to keep the number of usernames and passwords I have to an absolute minimum because I don't trust any of those to keep that secret, nor do I trust my computer to not spill the secrets somehow through a browser bug or other drive by exploit.

At the same time I totally trust my sim, it's never been more than 10 meters away from me in the last decade or two, hasn't failed me even once and it would be very hard to get it to cough up its secrets without my cooperation (so rubber hose cryptography would still work).

Contrary to www security the phone system seems - from my perspective - at least to have done a half decent job at integrating 2FA when your average website - 20 years later - is still making up its mind about whether or not that might be a useful thing to add.

If you use actual strong passwords then you are an outlier. Most people use basic words like "password" as shown by every password dump in history. Indeed, most people would use the very same weak password they use for their e-mail for their mobile, and this would reduce protection against spoofing versus continuing to use the SIM system.

What we need is a SIM-type system on the web as well, not to bring the broken web password system elsewhere.

Client TLS certificates have been a thing since forever, but browser makers keep it a pain in the ass, and too many "modern" software stacks don't even consider leveraging the decades of infrastructure that would make their job easier. Add to the fact that identity aggregators want to be producers, but rarely allow themselves to be consumers and we get stuck in the hell that is identity online.
Furthermore, any security system that effectively relies on the user possessing more than one computing device (e.g., using your laptop for access to a password manager or email address) fails for the significant and increasing swath of humanity for which their phone is their [first and] only such device.
Even small carriers have software customizations done to phone firmware deployed on their network. This is common.

I believe he's contrasting this with a built-in solution. So say Samsung would put a hardwired UICC (SIM) in the phone and ATT, say, would make Samsung give ATT an "area" ("Security Domain" in UICC parlance) to provision. For all intents and purposes it would work the same. If you wanted to switch carriers I'm guessing there would be a 'virtual' switch SIM app or some such.

If you're bored, you can read about it here:

https://www.globalplatform.org

Yeah, while I can appreciate the question (curiosity is a good thing), I don't think anyone with experience of software should be surprised. When you consider things like passwords, credit cards, wifi login and e-mail addresses, the question is really why aren't more things like SIM cards (which is kind of what Apple is trying to do these days?).
The Yubikey Neo and similar gadgets are pretty much the same thing as USB smart cards. The software could be improved but in the end it is a pretty convenient way to achieve two factor authentication.
I hadn't thought about the security of being a physical token. Feels like you could do 2FA using someone's email (or similar) to protect against some scenarios, but I take the point that someone having to steal something physical changes the attack surface.
I recently read the Wikipedia pages for health cards, and was surprised that these are demi-computers (by that I mean, no IO, no power). Standard chips are 4MHz >8bits these days (with added crypto etc). A Gameboy Air.
I'd love to study a piece of software like M-Pesa.