According to a recent announcement by Google and Apple, the firms have taken down two eSIM apps, Airalo and Holafly, from their Indian app stores in response to directives from the Department of Telecommunications (DoT). The step was taken after fraudsters were found to be misusing unauthorized eSIMs with international phone numbers to commit cybercrimes within India.
Advances in cellular technology have again led to the adoption of a “No SIM” environment. This has picked up in the recent past, now that cellphones are enabled with the eSIM option and 5G technology is capable of absorbing the new technology. The type of data stored on a SIM card inserted into a smartphone can always be stored in the internal memory of the handset. Hence the futile exercise of replacing a SIM or shifting it to a new device, which may also entail migrating the address book and the contents of the SIM's memory, has become a thing of the past with the advent of the virtual SIM. The eSIM is built into the smartphone ab initio and thus only needs to map to an IMSI number, allowing it to hook on to a cellular service provider with additional security or encryption.
eSIM devices could be highly beneficial from the standpoint of both security and convenience. The ability to store more data in an embedded SIM that is well integrated into the board of the smartphone adds to the convenience. Disabling the SIM will in turn also disable the handset, which is an advantage. The ability to track the device if another eSIM configuration is programmed on it is an added advantage. The integration of the IMEI with the IMSI provides for a robust integration and also makes it easier to hook on to the cellular service provider.
While eSIM devices could be highly beneficial from a security and convenience perspective, there are also problems. The first that needs to be addressed is the transfer of credentials to a different device. SIM cards are designed not to be easily copied and not to be remotely accessed. This means that if a user’s phone breaks and they want to transfer their details to a new phone, they only need to physically transfer the SIM itself. If SIM cards are integrated circuits mounted to the PCB in form factors such as QMLF, this would not be possible. This could mean that eSIM devices cannot transfer their data, which may result in users relying on the cloud to store details such as contacts, messages, and other credentials.
Another problem with eSIM devices is that, while they offer security and the ability to be reprogrammed, the eSIM cannot be physically removed from the device. This is potentially problematic for those who do not wish to be tracked, as phones with an active SIM card can easily be tracked by the network. Hence a SIM that cannot be removed from the phone will serve as a means to track its location, making it that much more difficult to prevent a device from being trackable.
The Challenges for Cyber Experts, LEA and Security Agencies
It is a fairly new modus operandi wherein cybercriminals across the border use “Virtual SIM” cards generated by a service provider in a foreign country. Cybercrimes facilitated by the exploitation of unauthorized eSIMs can also go undetected.
In fact, the DoT had earlier notified that renewed customer verification would be mandatory to extend the eSIM service to customers in India. Further, providers of eSIM services were required to obtain a no-objection certificate (NOC) from the DoT, and authorised sellers were required to share details of these global SIMs with security agencies. However, vide its directive dated 04 Jan 2024, the DoT noted deviations from these directives and, in particular, that Airalo and Holafly lacked the authorisation.
In this technology, a computer generates a telephone number and the user downloads the service provider's application onto their smartphone. The number is linked to social networking sites like WhatsApp, Facebook, Telegram or Twitter. The verification code for activating the service is generated by these networking sites and received on the smartphone. Officials said the numbers used were prefixed with a country code or Mobile Station International Subscriber Directory Number (MSISDN). This makes the work of cyber experts difficult and the forensics of the devices tedious.
From the technology standpoint, the deployment is very simple. It seems likely that eSIMs are the way the mobile device industry is moving, but the move comes with many attached risks. While there are benefits from a security and design standpoint, there are also drawbacks that this technology brings in. In India, the technology is already in the market, and the change is inevitable. However, the security threat to the new avatar is already in the news. India has already recorded crimes related to virtual SIMs, including perpetrators who have been able to cheat consumers in the banking ecosystem, and other related crimes. The need is for a fool-proof implementation with a higher degree of security.