Are eSIMs Bad for Privacy? | Rob Braxman

Posted in: News, Patriots, Rob Braxman Tech

Summary

➡ Rob Braxman talks about how new phones use eSIMs, which are built-in SIM cards that can’t be removed. This could be a privacy risk because the technology is closed source, meaning we don’t know all the details about how it works. eSIMs, like regular SIMs, can be used to track your location, and this information can be used against you. For example, people have been charged with crimes based on their phone’s location data, and this kind of tracking has been challenged in court as an invasion of privacy.

Transcript

I got asked a question recently: what is the potential danger of eSIMs? As many of you know, the new phones are eSIM only. An eSIM in combination with a physical SIM is a standard on most high-end phones. Most of you don’t know much about eSIMs. I’ve always been wary of eSIMs because they’re not removable. But if you do a deeper analysis of what’s possible, then it’s more concerning.

Here’s the problem. Because the technology is closed source, I don’t know some of the details. However, we can do some detective deduction here and we will arrive at a reasonable expectation of what an eSIM could do. And this is going to be based on our understanding of the operation of a standard SIM card. So are eSIMs risky for privacy? From my deductive reasoning, the answer is yes. Do you want to understand exactly what that means and also what we can do about it? If so, then stay right there.

eSIMs cannot be examined alone. If we do, we will not understand the real threats associated with it, which include the cell baseband modem, the SIM card, and related technologies like IMSI catchers or Stingray, SUPL or assisted GPS, Wi-Fi triangulation, and Bluetooth Low Energy or BLE. So this gives you a general view of some of the issues we are going to discuss. To start with, let’s understand how the SIM card works on the phone, because obviously the eSIM is a facsimile of the SIM card.

They both do the same thing. If you understand one, then you can assume you can understand the other and that we can analyze the effect of the differences. Fortunately, I do understand standard SIM cards. I’ve gotten around searching the Internet on this topic and it’s amazing how much disinformation there is about this. Maybe even some conspiracy theories on popular websites like Reddit, Quora and Stack Exchange. What I will tell you is based on my knowledge of interactions of cell phones.

This, for example, is well documented with source code in the open source OpenBTS software, which actually allows you to duplicate a cell base station in your laboratory. There’s also the OsmocomBB project, which is a free and open source baseband modem firmware. So there are some sources of legit information. The mobile phone is ripe with multiple threats. Some of the threats are based on an always-on location beacon which is constantly triangulated.

This threat can come from the carrier or from big tech. This threat is active as long as there’s some Internet connectivity to the device or a cell connection. Some of the other threats are called proximity threats, meaning the phone is transmitting a radio signal, and if there is a receiver that can decipher the signal, then you will be identified as being nearby based on signal strength. Both of these threats are location-based threats tied to a phone identity.

Are these important? Yes, they are very important to understand because this information can be used against you and is privacy invading. Just to remind you, the January 6 riots in the Capitol resulted in around 1000 people being charged. And the basis for the charge was something called geofencing. This is using technology to validate your location at a certain time based on data from your cell phone. There have been many cases where people have been charged with crimes simply from having location data from cell phones.

Also, I’m sure a large population of people, maybe some of you, have provided the source data or pool of candidates where the targets have been taken from. This kind of warrantless location dragnet has been challenged in court many times as an attack on the Fourth Amendment, which is on unreasonable search and seizure, but yet it continues today. Let’s talk specifically about the behavior of the SIM card on your phone and how this relates to all this.

Without a SIM card, your phone is passive. It is not wasting battery doing useless transmissions with no purpose. If it did, it would be a bad design. And phone manufacturers are very concerned about power usage. With no SIM card, the radio transmissions are limited to Wi-Fi and Bluetooth. Again, here I’m talking about radio transmissions, but when it comes to radio reception, the phone is actively listening. Radio reception does not use up much power.

So this is why a phone with no SIM card can still receive a government alert. But when you dial out using 911 in the USA, this turns on the transmission side of the cell radio and allows a non-authenticated connection to any cell tower. By non-authenticated I mean that there is no check to see if you have a paid subscription. So any cell tower should react to a 911 call and establish a connection.

Again, understand this: the transmission is triggered by dialing 911. Without that, the phone remains passive in radio reception mode on the cell data side. Now let’s insert a SIM card. What happens then? First of all, what is a SIM card? A SIM card is an IC chip, and this chip has the carrier identity on it. It is specific to the carrier billing entity and not just the network provider.

So for example, Mint is a mobile virtual network operator, or MVNO, and it uses the T-Mobile carrier network. The SIM card is specific to Mint since it is the billing entity. The SIM card also has an identifier called the IMSI, or International Mobile Subscriber Identity. Then in modern LTE networks, the SIM card also has another value, the Ki, which is a security code derived from the IMSI.

Once you insert the SIM card in your phone, the baseband modem, which is typically Qualcomm on USA phones, begins to initiate a connection signal. This will transmit the carrier identity and the Ki code and some random numbers. Towers affiliated with the carrier identity will respond to this signal. These towers will take the Ki code and the related random number, and from that will be able to derive the IMSI.

If the tower is not affiliated with the carrier identity, then the signal is ignored unless it is a 911 call. If the IMSI is not supported by the tower, then the signal will be ignored as well. It is also important to note here that each carrier network, meaning T-Mobile, AT&T, and Verizon in the US, really listens on different frequencies or bands, so it isn’t likely that they’re crossing signals all day.

The SIM card will know the bands used by that particular carrier, and phones can transmit over these multiple bands. Next, understand that several towers from the same carrier may be able to hear the connect signal from the phone. That signal ping is recorded by the carrier network. However, only the strongest cell tower will actually respond to the phone. Based on the computed IMSI, the one computed from the Ki, and the random number, this tower will see if you’re an active subscriber.

This accomplishes two things. The phone will display the bar showing a cell connection, and the carrier tower then identifies the phone as being in its area. This means that traffic intended for that phone, like an incoming phone call or text, will be directed to that phone by a tower-to-phone transmission. Since your phone’s ping to the cell network is recorded on multiple towers, that is how your rough location is determined.

That is called tower triangulation. It is able to triangulate by comparing signal strength per tower. This location is rough. I’m going to guess between one-fourth mile to 1 mile in an urban area and an even larger zone in rural areas. Now let’s narrow down the issue with the phone transmission. There are devices that the government uses that we call Stingray, or some models use the name Kingfish.

I’m sure newer models use other sea creature names. These devices are generally called IMSI catchers. They are listening devices that can operate in two modes, a passive mode and an active mode. The active mode is when it is used to intercept a call from a known IMSI and listen in through the radio. Nowadays this is kind of a useless feature, since they can listen in directly using CALEA wiretapping on the public switched telephone network, or PSTN.

So I’m going to say this capability is not as important. The more important feature now is the passive mode. In passive mode, the IMSI catcher can detect all the IMSIs. This is often used in areas with demonstrations or known areas of criminal activity. These IMSI catchers can be portable and be mounted on drones, be in cars, or even attached to a person moving around the area. Together with the current GPS position of the IMSI catcher device, it can then provide proof that you were in an area, because the SIM card causes it to broadcast your phone identity constantly.

The identity, which is the Ki, can be used to derive the IMSI. As we discussed earlier, what happens when you remove the SIM card? As you should expect, the broadcast should stop and there should be no more transmissions for the IMSI catcher to acquire. You could also just turn off the phone, and on an Android that will stop the transmission. However, if this is an iPhone, the iPhone becomes an AirTag when the phone is turned off.

So really you are still tracked and someone can get your location from Apple. If you have a running Google Android or have some Internet connection, even from some hotspot, your Android will record your location using Wi-Fi triangulation, which is a more precise location, within 6 ft. This is the same capability as on iPhones. I’ve repeatedly said this. You cannot disable this feature with airplane mode or any other setting.

By the way, a de-Googled phone cannot be tracked by Apple or Google with Wi-Fi triangulation. So a de-Googled phone is subject only to the more imprecise tower triangulation, but it can be subject to the Stingray proximity tracking like any other phone if the SIM card is in place. Here’s another little detail I have to mention: all phones have an assisted GPS feature called SUPL. In order for the GPS to work quickly, the GPS radio will find the closest tower in its tower database and then report that tower to Google, which owns SUPL.

It goes to a site called supl.google.com. The tower location is used by the SUPL system to determine the closest GPS satellite. Important point here: it does not require a SIM card. This means that by default all phones, with or without a SIM card, will emit a tower location. At the very least, this is not an exact location by any means and it is not really useful for geofencing, but it is something that you cannot hide.

You cannot say you were in Europe while your phone is pinging a tower in southern California. So you’ve come this far and I haven’t mentioned eSIM. Well, you have to understand that an eSIM is exactly the same as a SIM, except it is not removable. And how it is initialized with your subscription information is very important to understand. Remember that a SIM chip, whether SIM card or eSIM, in itself does not have subscription status information.

Only the carrier, through the authentication of your IMSI, will determine in real time if your subscription is still valid. The point here is that if you have an expired SIM card, meaning you stopped paying for it, the phone will not know you stopped paying for it. If it’s still in the phone, then it will keep reconnecting to the carrier towers. And of course you will never get authenticated and will be ignored by the towers if you do not have an active subscription.

But the important point is that it’s still transmitting the IMSI. So in an eSIM case, you subscribe to the carrier and typically you get a QR code. The QR code is a URL on the Internet, and it downloads the required data and loads it on the phone eSIM chip. This, I presume, is an image of the eSIM card data like normal. Then you use it. Now let’s examine some new scenarios.

What if you change carriers and stop using that carrier? What happens to that eSIM data? Does it get erased? What happens if you now insert a physical SIM? The eSIM of course will no longer function since you stopped making payments, but it still exists, almost like a second SIM card. What happens when the eSIMs can handle multiple carriers, as is now a feature on the modern phones? So it’s made to collect multiple SIM card information, since there is no possibility of pulling out a SIM card.

What transmissions are being sent from the phone of past IMSIs? What causes past IMSIs to be erased? What can an IMSI catcher see? You see the concern here: there is no user interface that I can see to wipe the eSIM data. We really don’t know what the eSIM is transmitting, if it was ever used. Maybe some insider can give us an answer here. But my deduction here is that if you did not remove the eSIM information, it would be the same as the SIM card not being removed.

So authentication will be constantly done and rejected. But such emissions can be detected by proximity tracking devices like IMSI catchers. And of course the transmissions can also do tower triangulation. Because I can have no assurance of what is actually happening here, my recommendation to all is to never use the eSIM, as in an emergency, like if you happen to be in an area of civil unrest, you will be geofenced.

You have the option of removing the physical SIM card. With an eSIM you have no options. With an iPhone you don’t even have the option of turning the phone off. You’ll have to carry a Faraday bag. That’s where I keep my last iPhone, by the way. So unless we have some independent assurance of how eSIMs operate, maybe with proper radio testing of the signal, I will say stay away from eSIMs.

And since iPhones really have no provision for protection even when off, the iPhones are the most dangerous for geofencing, so stay away from iPhones. The other question is what happens when you have a phone with an eSIM option but you do not use it? Here you have to do the same detective deduction work. If the eSIM has never had your IMSI, then it is quite impossible for it to be transmitting something.

So it would be equivalent to a phone with no SIM card. Based on my understanding of the technology, there should be no threat from an unused eSIM. Some have also asked me, what if the IMSI from a standard SIM card is recorded somewhere? Well, because it has the Ki value, which is a security code, I wouldn’t think they would back that up, because it would be a security breach.

Also, I will assume here that a factory reset should erase what’s in the eSIM. I’m making this guess because otherwise it would be another security breach for the likes of Google and Apple to have traces of a prior owner on a phone. So as a matter of standard cybersecurity practice I will assume this to be a reasonable expectation. For the safest phone option, it is best to use a de-Googled phone with a removable SIM card, since this is immune from Apple and Google geolocation and has the protection from IMSI catchers.

Some de-Googled OSes, like BraxOS on Brax phones, can disable a SIM card via software, so you don’t even have to physically remove it. All phone OSes should implement this, particularly for eSIM. Also, take a look at our Brax Virtual Phone option, which is a no-SIM-card way to use the phone network. You will still need some Internet connection like Wi-Fi, but you can take the SIM card out of the equation.

Or if you use a Brax Virtual Phone over an existing SIM card, the phone traffic would not be intercepted at that point, since it’s using the Internet and not cell data. In summary, the complexity of this issue with SIM cards and eSIM shows you how far the phone has progressed as a spy device. It really is a surveillance nightmare having this phone in your pocket. Folks, I have a company dedicated to providing solutions for privacy, and we have a platform where people of like minds meet and discuss these issues.

This platform is Brax.Me. We have over 100,000 active users now. The site has a store with various products made for privacy protection. These include the de-Googled phones, the Brax Virtual Phone, BraxMail, BytzVPN, and the Brax Router. Our site also has many users of these products, so you can discuss them with the actual community of users. Join us there and check out the products, which also support the operation of this channel.

Thank you very much for watching and see you next time.
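The transcript above describes, in loose terms, what a SIM sends to the network when it attaches and why an expired SIM keeps announcing itself. The following is an added example, not code from the talk or from any carrier or phone vendor, that simulates the standard challenge-response model used by GSM/UMTS/LTE networks: the phone sends its IMSI in the attach request, the network answers with a random challenge, and the SIM proves possession of its secret Ki by computing a response, so Ki itself never crosses the radio link. The carrier database, IMSIs and keys are constructed sample values, and the response function is an HMAC stand-in for the real A3/Milenage algorithm. The "air log" records every frame that would be observable over the radio, which shows the point the talk makes about lapsed subscriptions: the attach is rejected, but the identity has already been transmitted.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed subscriber database for a hypothetical carrier (sample data only).
# Ki is the per-SIM secret shared only between the SIM and the carrier's AuC/HSS.
CARRIER_DB = {
    "310260000000001": {"ki": bytes.fromhex("0f" * 16), "active": True},
    "310260000000002": {"ki": bytes.fromhex("a1" * 16), "active": False},  # lapsed
}


def sim_response(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the SIM's f(Ki, RAND) authentication function (A3/Milenage).
    HMAC-SHA256 truncated to 8 bytes is used purely for illustration."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:8]


@dataclass
class AirLog:
    """Every frame appended here is what a passive radio listener could observe."""
    frames: list = field(default_factory=list)


@dataclass
class Sim:
    imsi: str
    ki: bytes  # stays inside the SIM; only used to answer challenges

    def attach(self, network, air: AirLog) -> str:
        # Initial attach carries the permanent identity in the clear.
        air.frames.append(("UE->NET", "ATTACH", {"imsi": self.imsi}))
        rand = network.challenge(self.imsi, air)
        if rand is None:
            return "rejected"
        res = sim_response(self.ki, rand)
        air.frames.append(("UE->NET", "AUTH_RESP", {"res": res.hex()}))
        return network.verify(self.imsi, rand, res, air)


class Network:
    def __init__(self, db: dict):
        self.db = db

    def challenge(self, imsi: str, air: AirLog):
        if imsi not in self.db:
            air.frames.append(("NET->UE", "ATTACH_REJECT", {"cause": "unknown IMSI"}))
            return None
        rand = os.urandom(16)  # fresh RAND per authentication
        air.frames.append(("NET->UE", "AUTH_REQ", {"rand": rand.hex()}))
        return rand

    def verify(self, imsi: str, rand: bytes, res: bytes, air: AirLog) -> str:
        rec = self.db[imsi]
        expected = sim_response(rec["ki"], rand)  # network holds its own copy of Ki
        if not hmac.compare_digest(expected, res):
            air.frames.append(("NET->UE", "AUTH_REJECT", {}))
            return "rejected"
        if not rec["active"]:
            # Authentication succeeded, but the subscription has lapsed.
            air.frames.append(("NET->UE", "ATTACH_REJECT", {"cause": "subscription inactive"}))
            return "rejected"
        air.frames.append(("NET->UE", "ATTACH_ACCEPT", {}))
        return "accepted"


def run_attach(imsi: str, ki: bytes):
    """Run one attach attempt and return (outcome, frames seen on the air)."""
    air = AirLog()
    outcome = Sim(imsi, ki).attach(Network(CARRIER_DB), air)
    return outcome, air.frames


def identity_seen_on_air(frames) -> list:
    """Which permanent identities were transmitted during the exchange."""
    return [f[2]["imsi"] for f in frames if f[1] == "ATTACH"]


def ki_seen_on_air(frames, ki: bytes) -> bool:
    """True only if the raw Ki ever appeared in any transmitted frame."""
    return any(ki.hex() in str(f[2]) for f in frames)


if __name__ == "__main__":
    for imsi, rec in CARRIER_DB.items():
        outcome, frames = run_attach(imsi, rec["ki"])
        print(imsi, outcome, "identity on air:", identity_seen_on_air(frames))
```

Running it shows the active subscriber accepted and the lapsed one rejected, yet `identity_seen_on_air` returns the IMSI in both cases, while `ki_seen_on_air` is false for both: the thing a passive listener in range can collect is the identity announced at attach, not the key.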
