Linked by Thom Holwerda on Mon 26th Mar 2012 22:39 UTC
PDAs, Cellphones, Wireless
"Last week, Apple and Nokia got into a very public dust-up over the future of the SIM card - a staple in phones all around the world - thanks to a Financial Times article pointing out that the two had filed competing proposals with the European Telecommunications Standards Institute (ETSI) for the so-called 'fourth form factor (4FF) UICC', more commonly known as the 'nano-SIM'. The nano-SIM proposals seek to standardize a new SIM card that would be even smaller than the current micro-SIM popularized by the iPhone, freeing precious extra millimeters inside the phone's chassis for more circuitry, more battery capacity, and slimmer profiles. We've now had a chance to see the original proposals for the nano-SIM standard from Apple, Nokia, and RIM, and we have a better idea on what the ETSI will be voting on later this week."
Thread beginning with comment 511965
Neolander Member since:
2010-03-08

How about a phone which would sign or encrypt wireless communications using its IMEI number?

As long as IMEIs are guaranteed to be unique, registering a new device could be as easy as typing an IMEI on your carrier's website or flashing a barcode at the phone shop. Seems easier than handling a Nano-SIM card to me ;)

Edited 2012-03-27 03:53 UTC

Reply Parent Score: 1

Alfman Member since:
2011-01-28

Neolander,

"How about a phone which would sign or encrypt wireless communications using its IMEI number? As long as IMEIs are guaranteed to be unique, registering a new device could be as easy as typing an IMEI on your carrier's website or flashing a barcode at the phone shop. Seems easier than handling a Nano-SIM card to me ;)"

Once we move away from the physical authentication mechanisms like SIM cards, we need to be careful how we authenticate users. A static number (or barcode even) isn't secure. We wouldn't want to enable funny tricks like registering a victim's cell phone with a fraudulent carrier such that a man-in-the-middle attack is feasible.

I think a one-time key from the carrier could be entered into the phone itself to activate it, and the carrier shouldn't care what phone the user activated with. An attacker would have a very limited window in which to use the activation code overheard at the store or on an insecure line, and even if he did, the legitimate user would quickly notice that his own phone isn't working. A carrier wouldn't need to know how many networks the phone was activated on, so it could be activated on a US network and French network and have a menu option to flip between accounts. Yep, this sounds better (and cheaper) than nano-SIMs.

Reply Parent Score: 3
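
Added example, not part of any post in this thread: a minimal sketch of the one-time activation key idea from the comment above, where the code expires, can be redeemed once, and is exchanged for a fresh subscription key that the phone then proves possession of by challenge-response instead of presenting a static number. The `Carrier` class, `phone_response`, the 600-second lifetime and the use of HMAC-SHA256 are assumptions made for illustration, and the key handed back by `redeem` is assumed to travel over a protected channel.

```python
import hashlib
import hmac
import secrets
import time


class Carrier:
    """Hypothetical carrier-side activation service (names are assumptions)."""

    def __init__(self, ttl=600):
        self.ttl = ttl        # seconds an activation code stays valid
        self.pending = {}     # sha256(code) -> (account, expiry time)
        self.keys = {}        # account -> long-term subscription key

    def issue_code(self, account, now=None):
        now = time.time() if now is None else now
        code = secrets.token_hex(8)             # 64 random bits, typed in once
        digest = hashlib.sha256(code.encode()).hexdigest()
        self.pending[digest] = (account, now + self.ttl)
        return code

    def redeem(self, code, now=None):
        """Swap a code for a fresh subscription key; None if invalid."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(code.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # pop makes the code single use
        if entry is None or now > entry[1]:
            return None                         # unknown, reused or expired
        account, _ = entry
        key = secrets.token_bytes(32)
        self.keys[account] = key                # re-activation replaces the old key
        return key

    def verify(self, account, nonce, response):
        """Check the phone's answer to a nonce the carrier chose."""
        key = self.keys.get(account)
        if key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def phone_response(key, nonce):
    """Phone side: prove possession of the key without sending it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()
```

Because the carrier never records which handset redeemed the code, the same phone can hold keys from several carriers, and a response captured on the air is useless against the next nonce.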

Neolander Member since:
2010-03-08

You are right, this sounds like a significantly better option. What's more, carriers around here are already using one-time keys for prepaid phone credit, so that part of the infrastructure should already be there.

Edited 2012-03-27 05:53 UTC

Reply Parent Score: 1

Moochman Member since:
2005-07-06

"I think a one-time key from the carrier could be entered into the phone itself to activate it, and the carrier shouldn't care what phone the user activated with. An attacker would have a very limited window in which to use the activation code overheard at the store or on an insecure line, and even if he did, the legitimate user would quickly notice that his own phone isn't working. A carrier wouldn't need to know how many networks the phone was activated on, so it could be activated on a US network and French network and have a menu option to flip between accounts. Yep, this sounds better (and cheaper) than nano-SIMs."

Nice idea, but you trust the carriers *way* too much. Take away the SIM card, and you can bet they'll jump right on that as a way to lock you out of the freedom to switch devices. That's how it already works in the U.S. for all CDMA phones (and some non-CDMA). And then they use that as a means to force you to pay exorbitant fees if you want to use an Android phone on their network (forcing you to pay for ridiculously priced data plans for all users of smartphones, because you have to register the phone through them and so they "know" whether it's a smartphone or not). I've no doubt that European carriers would just love to have things go that way if they could...

Edited 2012-03-27 17:16 UTC

Reply Parent Score: 3

dsmogor Member since:
2005-09-01

I used to swap IMEIs easily using a simple firmware hack in my beloved Sony J5.
So, those guarantees are a bit exaggerated.
Generally, burning a unique number into any device is a non-insignificant factory cost that additionally complicates servicing and logistics. Given that GSM phones start from as low as single $ margins, that's not an easy sell to the manufacturers.

Edited 2012-03-27 11:33 UTC

Reply Parent Score: 3

Alfman Member since:
2011-01-28

dsmogor,

"So, those guarantees are a bit exaggerated. Generally, burning a unique number into any device is a non-insignificant factory cost that additionally complicates servicing and logistics. Given that GSM phones start from as low as single $ margins, that's not an easy sell to the manufacturers."


I agree IMEIs are not secure. Even if my phone used a write-once flash, there'd be nothing stopping another phone from copying my number. But I'm confused by your next statement: manufacturers are already implementing unique serial numbers, so I'm not sure why you'd say that it's not an easy sell to the manufacturers. To my knowledge it's part of the spec.

Edited 2012-03-27 15:20 UTC

Reply Parent Score: 2

sithlord2 Member since:
2009-04-02

IMEI numbers are provided by the manufacturers, not the providers. How would the phone know which provider to connect to?

Reply Parent Score: 1

Neolander Member since:
2010-03-08

My idea was that it could either be set up manually, or poll carriers until a connection is accepted.

But as others pointed out, IMEI is not something that one can rely on anyway.

Reply Parent Score: 1