SIM cards are dead; Long live e-SIMs.
A report from the Financial Times yesterday afternoon brought news that both Samsung and Apple are close to agreeing on a common architecture standard for an electronic SIM card that would replace physical SIMs completely. It would allow you to change your carrier without having to switch cards at all—an ability that would “fundamentally change how consumers sign up to mobile operators,” as the FT puts it.
Is that a good thing? Well, it depends. On the one hand, you’d be able to switch carriers without switching SIMs. On the other, it means the decline of power amongst the big telecoms and the rise of, well, the phonemakers. Here’s how the Economist explained it last year:
Operators would lose control of the market, but Apple and other device-makers might gain it. They would, if regulators let them, be able to choose which operators appeared on the menu when buyers of their phones and tablets were setting them up. The risk would then be that the SIM card’s demise leads to less choice, and higher prices for users.
So, who decides on the standards that all of these companies use? That would be the GSM Association: A group that represents hundreds of telecom companies and was established all the way back in the early 1980s by European carriers, when mobile phones were the bleeding edge of tech. You can thank the GSM for the way our phones work today: It did everything from figure out where on the radio frequency spectrum mobile phones would sit, to how devices identify themselves (for example, with SIM cards).
ZDNet explains how a group of 13 countries literally wrote the book on the first wireless phone system in Europe, a “global revolution:”
Before GSM, Europe had a disastrous mishmash of national analogue standards in phones and TV, designed to protect national industries but instead creating fragmented markets vulnerable to big guns from abroad.
They hoped for maybe 20 million users by the end of the century; by the time 2000 arrived, they had quarter of a billion.
SIM cards were just one of the specifications they created. Officially, SIM stands for subscriber identity module—on that circuit is stored a number called your international mobile subscriber identity, often as long as a dozen numbers, that identify you across networks, along with several other crucial pieces of security info and data.
1995 patent for a mobile phone and SIM card (completely with wrist strap).
The first SIM cards to make it onto the market were made by a German security firm that has been around since the 1850s. Called Giesecke & Devrient, the company was originally focused on developing banknotes—they printed the money for many of the pre-German states until the 1870s. The company survived into the modern era, and patented a number of systems for authenticating modern tech, including credit card stripes and identification systems for wireless communication. They also made the first commercial SIM card in 1991, selling 300 of the chips to a Finnish telecom known today as Elisa Oyj.
What’s interesting about the developments in those early days of cellphones is how closely they mirror our own. Back when the GSM was developing an agreed-upon set of standards for encryption, there was reportedly a major argument between European countries about how strong the encryption of A5/1, the cipher that GSM uses, should really be. Just like government agencies today are debating whether there should be a “back door” in encryption, governments in the 1980s couldn’t agree about whether encryption standards should be strong or purposefully flawed.
The SIM card is what carries those encryption keys, though today, they’re an almost trivial security feature. And as we learned in 2013, the NSA—and who knows how many other government or non-government actors—could easily break the A5 algorithm used to secure most SIM cards, no problem. In fact, the NSA itself has even patented a technique to detect when a SIM card is removed and replaced.
This spring, we learned that a group of NSA and GCHQ spies had actually hacked the system of the world’s largest SIM maker—Gemalto—giving themselves access to the encryption keys of the company’s billions of SIM cards, making it even easier to decrypt mobile communications. The Intercept reported on the breach, explaining how the theft of these SIM keys lets government agencies “sidestep” traditional barriers like warrants for wiretapping. “Stealing the keys, on the other hand, is beautifully simple, from the intelligence agencies’ point of view, as the pipeline for producing and distributing SIM cards was never designed to thwart mass surveillance efforts,” Jeremy Scahill and Josh Begley wrote.
It would be easy to pretend that switching to a software-based SIM would allow for better, more nimble encryption protocols. But we won’t know whether the new electronic SIMs are actually any better until the GSM announces the protocol that phonemakers have agreed upon, probably within the next few months. The Financial Times says the new protocol could be implemented as soon as 2016.
Either way, the era of effective SIM card encryption is long since over. As The Intercept’s Scahill and Begley concluded in February, “The only effective way for individuals to protect themselves from Ki theft-enabled surveillance is to use secure communications software, rather than relying on SIM card-based security.”
Image: 2012 patent US20130267106 A1.