Smartphone makers and software vendors are pushing wireless carriers to replace removable SIM cards with embedded chips that tie the subscriber identity module to the device. With embedded SIM, or eSIM, users will not be able to change their SIM cards, but they can easily change carriers, because the eSIM can be remotely provisioned by the carrier.
According to GSMA, eSIM "offers an equivalent level of security and protection to that provided by the removable SIM card." Embedded SIMs can be programmed to request verification from an operator whenever someone tries to change the user profile. This request can only come from the device itself, but a thief with a stolen phone in hand might be able to successfully change the profile.
"In the case where a person steals [the phone], it will be easier for them to switch," said analyst Roger Entner, founder of Recon Analytics. Some would argue that this is not the case, since a thief who steals a phone with an eSIM cannot simply pop the SIM out, insert a new one and move the phone onto a new network. Nor can the hacker download a new profile onto the device without verification from the operator.
The analyst team at Counterpoint Research is not convinced that smartphones with embedded SIM cards are less secure. According to Counterpoint's Satyajit Sinha, eSIM-based devices offer "potentially higher security" along with "re-programmability, and power efficiencies over the traditional SIM card solutions."
The move to embedded SIM cards could reduce the incidence of one hack that relies on human error. Currently, savvy hackers can buy a SIM card and convince an operator to move a customer's profile to the new SIM, even though the customer still has the phone in his/her possession. Then the hacker can put the new SIM into a different phone and steal information from the customer.
According to Entner, when carriers move to eSIM, hackers may continue to call them and "ask them to transfer your number to a new device." He said hackers might be able to give the carrier the IMEI number for the new device and convince the customer service representative to make the change. "It all depends on how lazy and how unmotivated the carrier employee is to actually follow the rules," he said. "Sometimes these people are just trying to please the customer, and instead of pleasing the customer they please the criminal."
Carriers are unlikely to position eSIM as a more secure technology, since they know it will make it easier for their customers to switch to competitors' networks. The U.S. Department of Justice sees eSIM as a consumer-friendly technology, and is requiring T-Mobile and Dish to support eSIM as a condition of the T-Mobile/Sprint merger. In addition to making it easier for consumers to switch carriers, eSIM technology may ultimately give users longer smartphone battery life.
"The device manufacturers want to go to 100% eSIM because they are saving real estate on the board," said Entner. "At a minimum they can put more battery or more sensors ... It is not the handset manufacturers' problem if there are security issues."
Embedded or not, SIM cards are just one way for hackers to access a smartphone. One of the highest-profile victims of information theft is Amazon CEO Jeff Bezos, whose phone was apparently hacked by a video sent to him via WhatsApp. UN investigators suspect that the video, which came from Saudi Arabia's crown prince Mohammed bin Salman, contained malware which infiltrated Bezos's iPhone.