For years, upgrading your smartphone meant physically switching your SIM. These days, phone manufacturers and a growing number of carriers are pushing a virtual alternative. Enter the eSIM, touted as the smarter, hassle-free alternative to that fiddly little card.
But how well do eSIMs stack up on the security front? Do they usher in any new risks we need to be aware of? Here’s a closer look…
eSIMs: the lowdown
Your SIM (subscriber identity module) is a chip that enables you to connect to your carrier network. It usually holds other information, too: e.g. texts, contacts and (depending on your phone configuration) emails.
With the new eSIM system, “e” stands for embedded. Instead of a removable plastic card, the eSIM is embedded into your phone’s circuitry. Start a new contract and your eSIM is activated remotely by the network provider. It’s also reprogrammable remotely.
An increasing number of phones incorporate an eSIM. This includes the current crop of iPhones, the Samsung Galaxy S20 and Google Pixel 3. At present, eSIM support comes alongside a traditional SIM card slot. In the next few years, we’re likely to see eSIMs replace cards completely. Globally, network providers are also starting to switch to eSIM activation.
What are the benefits of eSIMs?
Easier switching. Let’s say you want to ditch your current network in favour of another. With an eSIM, your new contract can be activated remotely there and then. There’s no need to wait for your new SIM card to arrive through the mail.
Multiple networks. With an eSIM, there’s no reason why you can’t house more than one network on the same phone. This may be especially handy for frequent travellers, allowing them to switch between local networks as and when needed.
Smartphone design. When the card tray is eventually phased out, this could mean more room for other features (battery life, for instance). That said, this could be bad news for fans of removable storage cards!
Is an eSIM safer than a SIM card?
SIM swap attacks
- Also known as SIM splitting or simjacking, this type of attack is where a fraudster tricks your network provider or mobile carrier store into activating a new SIM in the fraudster’s possession.
- To launch a SIM swap, an attacker first gathers information on their victim. This information may be obtained through snooping on social media, through phishing emails, with the help of spyware previously activated on the victim’s device, or from information previously exposed through data breaches.
- The fraudster contacts the victim’s mobile network provider (or a mobile carrier store, whose staff are less educated), impersonating the victim and claiming to have lost or damaged their SIM card. They ask the network provider to activate a new SIM, already in their possession. Once in, they then have access to the victim’s communications.
- In itself, the introduction of eSIMs does nothing to reduce this risk. After all, if a company can be tricked into transferring information from one location to another, the SIM format actually makes no difference.
- Richi Jennings highlighted this recently in TechBeacon. He reports an instance of someone who bought an unlocked iPhone. They went to their carrier store asking for their profile to be switched over to the iPhone’s inbuilt eSIM. This was done with no verification requests - or even having to hand over the old SIM card.
- Mobile carrier stores are soft targets compared to the more educated network provider. Fraudsters are now trying phishing attacks to take over mobile carrier store computers to get access to internal tools that enable SIM swapping.
- It’s also very easy to use carrier insiders for SIM swap replacements.
- The lesson is that eSIMs don’t solve ID fraud. For this, smartphone owners should make sure they have strong account protection measures in place. This includes a unique password, along with security recovery questions that can’t be guessed from browsing your online info. And of course, you are still reliant on your carrier and stores actually carrying out those checks before activating a swap.
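An added example, not part of the original article or any carrier's real tooling: a sketch of how a carrier could audit its own SIM and eSIM activation records for the failures described above (no identity check, old SIM never confirmed, one store account performing an unusual number of swaps). The record fields, sample data and threshold are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class SwapEvent:
    msisdn: str              # subscriber number (constructed)
    operator: str            # staff or store account that activated the new SIM/eSIM
    channel: str             # "store" or "call_centre"
    id_verified: bool        # was the customer's identity actually checked?
    old_sim_confirmed: bool  # old SIM handed over, or swap confirmed via the existing line

# Constructed sample records for illustration only.
EVENTS = [
    SwapEvent("+440000000001", "store17/alice", "store", True, True),
    SwapEvent("+440000000002", "store17/bob", "store", False, False),
    SwapEvent("+440000000003", "store17/bob", "store", True, False),
    SwapEvent("+440000000004", "store17/bob", "store", True, True),
    SwapEvent("+440000000005", "cc/carol", "call_centre", True, True),
    SwapEvent("+440000000006", "store17/bob", "store", True, True),
]

MAX_SWAPS_PER_OPERATOR = 3  # assumed ceiling for the review window

def review(events, max_per_operator=MAX_SWAPS_PER_OPERATOR):
    """Return (per-swap findings, operators whose swap volume exceeds the ceiling)."""
    findings = []
    for e in events:
        reasons = []
        if not e.id_verified:
            reasons.append("no identity verification")
        if not e.old_sim_confirmed:
            reasons.append("old SIM not confirmed")
        if reasons:
            findings.append((e.msisdn, e.operator, reasons))
    # A compromised store computer or an insider shows up as volume on one account.
    counts = Counter(e.operator for e in events)
    busy = sorted(op for op, n in counts.items() if n > max_per_operator)
    return findings, busy

if __name__ == "__main__":
    findings, busy = review(EVENTS)
    for msisdn, operator, reasons in findings:
        print(f"{msisdn} activated by {operator}: {', '.join(reasons)}")
    print("operators over the swap ceiling:", busy)
```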
Device theft
Some thieves are not looking for data: they just want your phone. Currently, so long as they can disable any device restrictions, a thief can hard-wipe the phone and remove the existing SIM to make it ready for resale.
An eSIM makes this a lot harder. It’s not possible to delete an existing eSIM profile without the owner’s password. Nor is it possible to add a new profile without the existing owner’s authentication. If someone is foolish enough to buy a stolen phone with someone else’s profile still active, it’s going to be pretty easily traceable.
Conclusion
In the next few years, removable SIM cards look set to go the same way as the floppy disk. So is the eSIM alternative any safer?
In the UK alone, figures from the end of last year suggest that around 5,000 people have fallen victim to SIM swapping scams. Such scams are almost always used as a means of gaining access to the SIM owner’s bank details, resulting in an average loss of £4,000 per victim.
When it comes to preventing data theft, the arrival of the eSIM actually makes next to no impact. The security weakness isn’t in the format; it’s caused by weak credentials, inadequate checks by the carriers - or a combination of the two.
In terms of physical device protection though, eSIMs potentially offer a welcome safeguard. After all, for an unsophisticated thief with no way of altering the SIM profile, a smartphone becomes much less of a tempting steal!
With eSIM, it will be easy to change carriers without having to get a new SIM and changing your plan in your phone settings. This means less time speaking with carriers, and ordering and waiting for new SIMs.
I also want to be able to have 2 contracts on the same phone for travelling!
I have had a tremendous amount of issues with my phone being duplicated and fraud. It continues to happen no matter what I do. I would really love to pick your brain and maybe design a security that could finally put a stop to this.
So looks like eSIM might result in less phone theft. Unless hackers develop ways to bypass the authentication protocols to delete the victim’s profile.
Or they’ll simply sell it to unsuspecting customers.
We will see.
e-Sim is as secure as a physical sim, the operator’s process is the risk, always has been and always will be. They can’t get billing correct so don’t hold your breath. I use my own L2 over L7 process to remove the operator threat.
Hi Nathan,
Hopefully mobile carrier stores will start to take on more of a defensive posture when it comes to moving data around and more of a security triad understanding when working with customers.
Yes, they need to!
Would you consider eSIM being more vulnerable to sim cloning attacks?
A welcome sign technology-wise, easy for the consumer.
Here in India, one has to make a physical visit to a carrier store for a SIM replacement. They will take a photograph and biometric to check the identity of an existing customer.
Hope this e-sim concept should not evacuate the existing physical SIMs, because the technology development will surely affect areas where rural people will get affected more.
I can see more protection on both sides, a physical theft and on hackers safety side.
Will be hassle free imo and also difficult for thieves to cash it.
Well written article it made sense and knowledgeable
Just learning of an eSIM. Wow, I’s still living in the 20th century. Thank you Nathan
Using an eSIM is like stepping backwards in time to the late 80s, early 90s with CDMA and TDMA, where you had to call the carrier every time you added a new phone or wanted to swap phones. SIM cards did away with that: I can go online and purchase a new phone, and when it arrives I take my SIM card out of my old phone and place it in my new phone; everything transfers over and I go on about my day. With eSIM we’re back to having to get hold of the carrier to delete the old phone, add the new phone and wait for the new phone to be provisioned, and then I can go on about my day. This is just so stupid.
That’s an issue of carrier stupidity, not SIM vs eSIM technology. Enlightened carriers can make activating an eSIM on a new phone as easy as downloading an app and authenticating with the carrier, as Google Fi does. And physical SIM is no guarantee that the process is as smooth as it should be — Verizon still requires a call to their support personnel in some cases.
I would like eSIMs to protect everybody’s devices. It could even have additional protection