top | item 12828887

Ask HN: Why are SIM cards still a thing?

230 points| glennos | 9 years ago | reply

Using SIM cards in mobile phones seems antiquated. Should there not be a software solution that lets you select which network/s the phone should connect to?

Feels like this is probably the result of telco networks wanting as much friction as possible to change providers, but is there something more to it?

187 comments

[+] JoachimSchipper|9 years ago|reply
The SIM card is a smart card, i.e. a secure piece of hardware, that protects the telephone network from the subscriber - most importantly, it ensures that the network has someone to bill.

In most western countries, SIMs do little else; however, they are full application platforms, allowing stuff like Kenya's mobile payment network https://en.wikipedia.org/wiki/M-Pesa.

For what it's worth, you really don't want to have every network provider negotiate with Samsung for the particular access policy of that network. "Not compatible with your telephone" indeed!

[+] userbinator|9 years ago|reply
> The SIM card is a smart card

If you have a credit/debit card with a chip, look at the arrangement of the contacts and compare to a SIM card. It's essentially the same standard (ISO 7816) at the lower layers, but with different application-layer protocols on top.

Also, as a matter of being the only device in possession of the subscriber but arguably owned by the telco, I'd definitely prefer it to be a removable piece which communicates over a standard interface. The alternative of embedding it into the handset is far worse from the perspective of lock-in and perhaps security.

[+] Strom|9 years ago|reply
In Estonia, you can use your SIM to create a government recognized digital signature. [1] Thus, you not only identify yourself to the mobile operator, but you can also identify yourself to banks, government services, and more.

[1] https://e-estonia.com/component/mobile-id/

[+] mherrmann|9 years ago|reply
Doesn't every login form on the web also protect the respective operator from the subscriber? Why can't a "software SIM" simply be a username and a password?

My explanation is that it's difficult to change something that literally the entire world uses.

[+] RandyRanderson|9 years ago|reply
Even small carriers have software customizations done to phone firmware deployed on their network. This is common.

I believe he's contrasting this between a built-in solution. So say Samsung would put a hardwired UICC (SIM) in the phone and ATT say would make Samsung give ATT an "area" ("Security Domain" in UICC parlance) to provision. For all intents and purposes it would work the same. If you wanted to switch carriers I'm guessing there would be a 'virtual' switch SIM app or some such.

If you're bored, you can read about it here:

https://www.globalplatform.org

[+] uola|9 years ago|reply
Yeah, while I can appreciate the question (curiosity is a good thing) I don't think anyone with experience of software should be surprised. When you consider things like passwords, credit cards, wifi login and e-mail addresses the question is really why aren't more things like sim cards. (which is kind of what Apple is trying to do these days?)
[+] glennos|9 years ago|reply
I hadn't thought about the security of being a physical token. Feels like you could do 2FA using someone's email (or similar) to protect against some scenarios, but take the point that someone having to steal something physical changes the attack surface.
[+] agumonkey|9 years ago|reply
I recently read the Wikipedia pages for health cards, and was surprised that these are demi-computers (by that I mean, no IO, no power). Standard chips are 4MHz >8bits these days (with added crypto etc). A Gameboy Air.
[+] arsmoriendi|9 years ago|reply
I'd love to study a piece of software like M-Pesa.
[+] vidarh|9 years ago|reply
On the contrary, it is the result of a concerted effort to reduce friction.

With SIM cards, users can switch to a new phone by just moving the SIM, or switch to a new provider while keeping their phone (assuming it's unlocked) by just replacing the SIM.

Prior to SIM cards phones were frequently programmed to be tied to a specific provider.

A pure software solution could work, but requires the network operators to be able to trust the phone manufacturers to secure it well enough to not let end users change things in ways they're not supposed to (e.g. consider a hacker harvesting authentication details from phones). The SIM card is the simple solution.

[+] glennos|9 years ago|reply
I take the point on the security of physical + pin for protection. I guess I'd just love a solution where I could simply switch between accounts without physically swapping something or having a multi-SIM phone.
[+] RandyRanderson|9 years ago|reply
Unless you personally know some heads of some major carriers you can't say that and also it's unlikely carriers do things to reduce friction.

Unlocked phones are still relatively rare in the US so I don't agree with your second point either.

Network operators trust Gemalto, etc to write the SIM card software and also the provisioning and tower software. They also trust the phone manufacturer software as they rigorously test it before it's pushed to its subs. That's actually why updates take so long (excl apple, of course).

Note that I have actually worked for some major carriers and have been in discussions with VPs discussing this very issue. See my other answer further down the thread.

[+] kalleboo|9 years ago|reply
The actual reason it's still a thing is because changing how thousands of network operators work in over 200 countries is quite difficult to coordinate. Even Apple tried to push a soft-SIM and couldn't get it going.

But I'm glad for it, because the foresight of the designers of GSM to put your private key in a smartcard has absolutely improved consumer choice worldwide. I can buy an unlocked phone, travel to any country, buy a SIM card at the airport and pop it in my phone and the GSM(/UMTS/LTE) standards say it must work.

A software-based system will quickly devolve into a "oh we haven't approved this phone on our network, sorry we won't activate it" and other anti-consumer activities you saw on the ESN-registration-based US CDMA networks.

Hopefully when the GSMA adds eSIM to the standard, they add protections for consumer choice, but in the current corporate climate I fear they won't.

[+] RandyRanderson|9 years ago|reply
The phone can theoretically work but the network operator can still ban your phone, even if it has a valid SIM, by manufacturer, software version, baseband version or a host of other reasons.
[+] wyldfire|9 years ago|reply
IMO the fact that the device subsidy is so popular with both consumers and network operators in the US means that all of this ostensibly anti-consumer stuff will be with us for a while. The (hard) SIM cards don't even offer the desired portability if you have to go beg for the device to be unlocked.
[+] jacquesm|9 years ago|reply
SIM: Subscriber Identity Module almost says it all, on top of that a SIM can store your contacts (up to a certain number).

The SIM is what separates your identity from the hardware of the phone (which has its own identity called 'IMEI').

A 'software solution' would need a carrier, that carrier IS the SIM.

Another nice benefit of having the SIM device is that it makes it much harder to 'clone' a subscriber ID, something that would regularly happen in the days before the SIM card, note that the SIM was a development that came along with GSM, and that GSM was the first mobile phone standard resistant against cloning. It's one part of the 2FA (something that you have) that gives you access to the phone network (the other being the PIN code (something that you know) required to unlock the SIM).

[+] djhworld|9 years ago|reply
> on top of that a SIM can store your contacts (up to a certain number).

This presented a usability nightmare back in the days of feature phones, where if you didn't specifically say where to store contacts, it would often default to the phone's storage rather than SIM, or if you breached the number of contacts on a SIM you'd have overspill onto the phone memory (sometimes without realising)

This presented a lot of unnecessary confusion when it came to upgrading devices, or if you damaged your phone.

[+] RandyRanderson|9 years ago|reply
When ppl mention a "software SIM" they mean the same basic chip embedded in the handset that you can switch with software. It has the same level of security as removable chips.
[+] rblatz|9 years ago|reply
I don't recall ever needing a PIN to unlock a SIM card.
[+] aq3cn|9 years ago|reply
You know if that happens then flip phone users will have a hard time because network will promote only high end selective phones. SIM card gives you freedom of putting it in $25 or $640 phone and it works just fine. People with security, budget and privacy concern go for flip phones. Just like net neutrality, phone neutrality is a good thing. One should never be forced to purchase smart phone if he does not want it. A dumb phone just works fine for calling and text messaging. I have never used internet on my phone and I will never be excited about it (3G 4G, 5G or anything). I carry my laptop everywhere I go and it serves my need well.

I must add you can find flip phones cheaper than the cost of Lightning cables.

[+] uph|9 years ago|reply
> People with security, budget and privacy concern go for flip phones.

No. That ensures you can't send encrypted messages or do encrypted calls.

Also see one of the reasons Signal moved to sending encrypted messages as data and stopped supporting encrypted messages sent as sms.

> SMS and MMS are a security disaster. They leak all possible metadata 100% of the time to thousands of cellular carriers worldwide. It's common to think of SMS/MMS as being "offline" or "peer to peer," but the truth is that SMS/MMS messages are still processed by servers--the servers are just controlled by the telcos. We don't want the state-run telcos in Saudi, Iran, Bahrain, Belarus, China, Egypt, Cuba, USA, etc... to have direct access to the metadata of TextSecure users in those countries or anywhere else.

https://whispersystems.org/blog/goodbye-encrypted-sms/

[+] bizzleDawg|9 years ago|reply
'eSIM' is on the way to replace sim cards. The biggest challenge of 'downloading a sim card' to a secure enclave on a phone is of course security.

The GSMA and members (i.e. telcos) have been working on secure remote provisioning. I think it'll take a while for the technology to make it in to consumer devices, though it's likely to be used in IoT relatively soon.

It takes a long time to spec these things up collaboratively and then even longer for telcos to act on it!

See: http://www.gsma.com/rsp/2016/04/27/esim-opportunity-operator... and http://www.gsma.com/rsp/ (Warning: Lots of marketing BS)

[+] i336_|9 years ago|reply
A form of this has existed for a while but never caught on for fairly understandable reasons.

Quite a few years ago (2005?) a family member purchased a Samsung-branded dumbphone on a contract. (Monochrome LCD (something like 128x64?), polyphonic ringtones, 3 fixed games, a (really slow, GSM data) WAP browser; that was it. Model SGH-something, I vaguely recall.)

It had no SIM card slot. It was locked to the network (Orange - in Australia FWIW) via software. In order to unlock it we had to call up the telco and go through some process, which we decided not to do in the end (whatever it was, I don't recall), since the phone had less capabilities than the Nokias that flood India and similar places, so we concluded there was no point selling it by the time we dug it out one day and tried to figure out what to do with it. (It's still buried in a box somewhere IIRC.)

I think this is why SIM-less phones are reasonably rare - it's really, really hard to de-contract them, unlock them and put them into sellable (or whatever) condition. Then once you've done that the recipient has to go through some equally arcane process to get the thing linked to a plan/contract too. And considering the ability to pass a phone on is a fairly major selling point - phones aren't solely purchased [preconfigured] on plans, then disposed - I think this was explored somewhat by the industry but ultimately left alone.

Some of the other things I've found in this thread are really interesting, although I wonder how difficult it is to "unconfigure" such a device to sell or pass it on.

[+] ex3ndr|9 years ago|reply
Because they handle private keys that are soldered to chip and can't be retrieved at all. Before sim cards there was something in the phones that can be easily reprogrammed and you always have to walk to your carrier office to "program" your phone. Swapping of sim cards is much easier.
[+] dismantlethesun|9 years ago|reply
> Feels like this is probably the result of telco networks wanting as much friction as possible to change providers, but is there something more to it?

In 3rd world countries, people regularly switch their SIMs as they travel across borders because no one has cross-country access. Taking a SIM out only uses up a minute of your time, and standardizing on a hardware dongle like that is great because if company A goes out of business, you just grab a new SIM and stick it in.

It's a bit harder in the US, where phones are locked to their providers, and you need IDs to buy SIMs but that's really all just a regulation issue, not a technical one.

[+] mrb|9 years ago|reply
There are many poor design decisions in the cellphone infrastructure, but the SIM card is probably one of its best pieces.

Broken phone? Pop the SIM card into another phone, and you can immediately make and receive calls & texts on the new phone using your phone number.

If you had no SIM card, how would you authenticate yourself to the cell network (that's what the SIM card does)? Going online and then providing a username/password? This would be horrible security-wise as we all know people are terrible at picking secure unique passwords. So hackers could try to guess your password, then they would use your account, receive your calls & texts, and they could steal your cell data, causing you to receive large cellphone bills, etc. A total nightmare.

[+] raverbashing|9 years ago|reply
> Feels like this is probably the result of telco networks wanting as much friction as possible to change providers

No, it is the opposite.

It is exactly done like this so you only need to get the sim card and not need to have the operator decide for you (of course people shoot themselves in the foot by signing a long term contract while getting a locked mobile phone)

[+] kalleboo|9 years ago|reply
I imagine one of the main reasons it was done like this was because when the GSM standard was designed, a non-insignificant number of phones were fixed mounted into cars (due to the sheer bulk), and then being able to bring your smartcard with you in your wallet and swap between phones (cars) would be a very handy feature.
[+] TorKlingberg|9 years ago|reply
I work in the industry. I somewhat agree with you, SIM cards are a hassle, and I hope they will go away at least partially.

As for why you still need them, I see some reasons:

1. The alternative may be worse. At least with SIM cards you can switch operator when you want (if the phone is not carrier locked, bleh), or use a local prepaid SIM when abroad.

2. Inertia. Removing the physical SIM would require getting operators and phone manufacturers to coordinate.

3. The SIM card is what securely identifies the owner of a phone number, and makes sure there are not two phones with the same number. With a software SIM, if it is done wrong, you risk getting malware that steals your phone number.

Personally, I think we will eventually see SIM-free data only connections without a phone number. You really should be able to buy an LTE tablet, get online and just pay for some data. Apple has been trying a bit with the Apple SIM, but it is US only, and only works with a few operators.

[+] matheweis|9 years ago|reply
Personally I really appreciate the fact that providers have SIMs. Verizon (major network in the USA) used to NOT have SIMs, and it was a huge pain to change phones out. Now it's as simple as swapping out the SIM.

I hear you that it should be doable in software, although I'd argue that if anything you should still need the SIM as a sort of second factor. (Otherwise you run the risk of people stealing your phone account remotely).

[+] fernandotakai|9 years ago|reply
same! whenever i travel, i can get a sim card on that country and use my phone like i was using before.

without that, i would have to either buy a local phone or deal with how expensive my carrier makes to use internet outside my own country.

[+] jlgaddis|9 years ago|reply
As others have pointed out, SIM cards are basically smart cards. There's PKI, private keys, the ability to perform mutual authentication (although that's not usually done, at least in .us), and much more.

Honestly, I wish their use would expand into other areas of our lives -- replacing username and password combinations for various devices (working for an ISP, home routers are one good example).

As much as I'm against the idea of a mandatory "national ID", I'm convinced that it will happen someday (in .us, where I live). When it does, I believe it'll be something similar to US DoD's CAC [1]: a physical identification card that doubles as a smart card. The private keys stored on the card will allow you to prove your identity to your banks/financial institutions, e-mail account (100% encryption of all e-mails? Yes, please!), and so on.

[1]: https://en.wikipedia.org/wiki/Common_Access_Card

[+] pmontra|9 years ago|reply
My 5 yo phone eventually died at the beginning of October. I put the SIM in my tablet and I kept going until I received the new one two days later. A pure software solution would have worked as well, but the SIM is an authentication token. 2FA are all the rage nowadays and if we went pure software I bet we'll have to use a separate token anyway.
[+] atamyrat|9 years ago|reply
SIM card provides hardware-based, simple and secure authentication of subscribers to mobile network operators. Until manufacturers start to embed standardized secure element on all phones, alternative software based solutions (password, etc.) are more complicated and insecure.
[+] smileysteve|9 years ago|reply
> Using SIM cards in mobile phones seems antiquated.

In the U.S., LTE is the first time that CDMA phones have had sim cards, that's ~2 years ago.

The software solution (using IMEI and PUK) is the old technology. It's less secure; verizon and sprint will charge you ~$40 activation fees, etc.

[+] informatimago|9 years ago|reply
The software equivalent would be a TEE (Trusted Execution Environment), but it relies on hardware support. Only a few ARM processors and a few Android phones support this option. Apple has its secure enclave, but you cannot download trusted application in it, only Apple can do that.

A 100% purely software solution can be built based on white box encryption. It's slower and may be more easily attacked than a hardware protection (you never know if/when some genius mathematician or physician (quantum cryptographic attacks) breaks your encryption). But it has the advantage that it can run on all devices. cf. eg. https://www.trustonic.com/solutions/trustonic-hybrid-protect...

Then of course, there's the problem of key management and distribution thru software. Using a physical token has several good security properties. Replicating them in software (encryption) is difficult and error-prone. For end users, and service providers, it's much easier to swap a SIM card, than to install securely cryptographic keys and authentication tokens into his trusted execution environment even with the help of well written software.

[+] bogomipz|9 years ago|reply
I think they are still a thing because of the following:

1) SIMs are a bit harder to tamper with than the OS of a phone which I am assuming would be the alternative to a SIM card i.e. storing the same information on NAND flash accessible to the OS. SIMs have some threshold (it used to be 3) of unsuccessful attempts to read the card. A lock is activated and can only be unlocked entering the unlock code.

2) Carriers can talk directly to the SIM - A "SIM" is basically a Java applet that runs on UICC (Universal Integrated Circuit Card - the smart card itself.) I think a lot of people don't know that SIMs run Java - well Java Card. This means that they can remotely lock a SIM card to prevent it from further accessing their network. If someone stole my phone or even just my SIM card I could call my carrier and they could lock the SIM remotely and consequently unlock it. They can also use the SIM to push new PRLs - preferred roaming lists. This is generally called OTA or over the air provisioning.

3) Convenience, if I use a pre-paid service with an MVNO or travel to another country and buy a pre-paid SIM while on holiday, I don't need to do anything else except insert the new SIM and power on the phone. What would the non-SIM card alternative look like? It's hard to imagine it being easier.

4) Carrier-locked phones, such as what you get when you are under contract to a carrier. The way phones are locked is by having the phone only accept SIMs from the carrier's network. An unlocked phone will accept a SIM from any carrier's network.

If anyone is interested this DEFCON presentation - "The Secret Life of SIM Cards", is pretty interesting:

https://www.defcon.org/images/defcon-21/dc-21-presentations/...
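
Added example, not part of any comment in the thread: a toy model of the properties several commenters describe, namely a key that never leaves the card, a PIN that gates its use, and a lock after three wrong attempts that only an unlock code clears. The names `ToySim` and `ToyNetwork`, the HMAC-SHA256 response function and all PIN and code values are assumptions constructed for illustration; real SIMs use operator-chosen algorithms and also limit unlock-code attempts.

```python
import hashlib
import hmac
import secrets

class ToySim:
    """Constructed model: the key never leaves the object, the PIN gates its use."""
    MAX_TRIES = 3  # the threshold mentioned in the thread

    def __init__(self, key, pin, unlock_code):
        self._key, self._pin, self._unlock_code = key, pin, unlock_code
        self._tries_left, self._verified = self.MAX_TRIES, False

    @property
    def locked(self):
        return self._tries_left == 0

    def verify_pin(self, pin):
        if self.locked:
            return False  # once locked, even the correct PIN is refused
        self._verified = hmac.compare_digest(pin.encode(), self._pin.encode())
        self._tries_left = self.MAX_TRIES if self._verified else self._tries_left - 1
        return self._verified

    def unlock(self, unlock_code, new_pin):
        if not hmac.compare_digest(unlock_code.encode(), self._unlock_code.encode()):
            return False
        self._pin, self._tries_left = new_pin, self.MAX_TRIES
        return True

    def respond(self, challenge):
        if self.locked or not self._verified:
            raise PermissionError("PIN not verified")
        # HMAC-SHA256 is a stand-in; the thread names no algorithm.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class ToyNetwork:
    """Operator side: holds a copy of each subscriber key, issues fresh challenges."""
    def __init__(self, keys):
        self._keys = dict(keys)

    def challenge(self):
        return secrets.token_bytes(16)

    def check(self, subscriber, challenge, response):
        expected = hmac.new(self._keys[subscriber], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo():
    key = secrets.token_bytes(16)            # constructed sample key
    sim = ToySim(key, "4821", "90317745")    # constructed PIN and unlock code
    net = ToyNetwork({"subscriber-1": key})
    out = {}
    sim.verify_pin("4821")
    c = net.challenge()
    answer = sim.respond(c)
    out["owner_accepted"] = net.check("subscriber-1", c, answer)
    # An old answer does not satisfy a fresh challenge.
    out["replay_accepted"] = net.check("subscriber-1", net.challenge(), answer)
    for guess in ("0000", "1111", "2222"):   # three wrong guesses
        sim.verify_pin(guess)
    out["locked"] = sim.locked
    out["right_pin_after_lock"] = sim.verify_pin("4821")
    out["unlocked"] = sim.unlock("90317745", "7395")
    out["new_pin_ok"] = sim.verify_pin("7395")
    return out
```

Calling `demo()` returns the outcome of each step; the network only ever sees challenges and responses, never the key or the PIN.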