Hacker News new | past | comments | ask | show | jobs | submit login

Even in relatively technical circles, like HN, many people are not aware of this and I use every opportunity I have to reiterate:

A SIM card is a full blown computer with its own CPU and memory.

Your carrier can upload and run arbitrary code without your consent or knowledge. They can do this at any time.

This means that your "phone" is actually three different computers running in concert - the actual phone itself (iOS or Android or Symbian), the baseband processor running the baseband code, and the SIM card.

It’s probably a lot more than 3.

As an EE, plenty of chips you can get are built-in computers. You’re not going to write code that you make your users run (what a support nightmare!). You build your chip and provide an API.

And as a user, do you really want to figure how to run someone else’s code? Or do you just want a self contained unit that you slap onto your board that you just control via API?

Think of chips as microservices.

Funny that you needed to use microservices as the base analogy for embedded MCUs. It illustrates how large the gaps are between hardware engineering, software engineering, and programming, compared to when I entered the field in the 80's. It was possible for one person to have principal-level knowledge in all three fields. The 90's broke that.

There’s a huge gap but at the same time, each layer is still very similar to each other.

Hardware engineering might be floor 1 of a building and microservices might be floor 19. Yes, they are very far apart, but one day, you realize that every floor has a bathroom. When you go down to floor 1, you might not know where the bathroom is but you know that it exists and how it will probably function. You are already 80% of the way there.

Yes absolutely. I’ve worked from chip design in vhdl to coding microservices and devops. It’s IMO all the same shit with different flavours.

How have you worked so far up and down the stack?

Many different jobs and hats over the last 11 years. Roughly half of my career in each


The shitter of microservices is JSON marshalling. The shitter of hardware is clock jitter.

Really well put analogy

My friend owns his grandfather's "engineering encyclopedia" from the era before WWI. At that time it was possible (and expected) for a single person to have principal-level knowledge in the whole field of "engineering".

That reminds me of a book I had in the early days of the web which contained a list of the websites at the time!

How about a list of all the email addresses in the world? https://openlibrary.org/books/OL1635233M/%21_a_directory_of_...

Yahoo was hand curated in the early days. Wildest timeline.

Yup! My best friend growing up used to report typos and would send copy corrections and stuff to them back during those days.

So crazy to think about that all being done by hand back then.

“The Internet Yellow Pages.” You weren’t the only one to have it.

A former coworker wrote that book. When it came out he had a little party where he declared it obsolete already.

Reminds me of the old quip "how do you know if the spec requirements are out of date?" - the ink is dry.

That's funny, I love that.

"The Network Information Service (NIS) was formerly known as Sun Yellow Pages (YP). The functionality of the two remains the same; only the name has changed. The name Yellow Pages is a registered trademark in the United Kingdom of British Telecommunications PLC, and cannot be used without permission."

I remember seeing those address books in my university c.s library back in '07.

Many a late night was spent in the library looking up those addresses and seeing if some where still available.

Nowadays peripheral ICs are usually accessed over SPI, I2C, onboard USB, or some other indirect method. It is common for complex devices to have a micro on the other side handling I/O requests rather than spilling their guts to the world. That "other micro" could also be a full blown multi-core processor with an MMU running at hundreds of MHz and beyond. The difference back then is that parallel bus interfaces were king and custom ASICs couldn't necessarily afford the gate overhead of an embedded micro at all.

And thus we understand the human brain more, a collection of specialized processing regions, with APIs.

I mean, I’m a front end web developer, and I get fucked up about how little I know about backend web development.

Embedded programming? Dealing with signals?! God forbid, man.

There’s just so much of everything! Terrifying! But fun!

That's funny. I've been doing full-stack embedded development (bootloader assembly all the way to touchscreen UIs) for 30 years but the idea of trying to learn modern web front end scares the hell out of me.

React? Angular? Node? What happened to Notepad and Apache?

> What happened to Notepad and Apache?

* https://motherfuckingwebsite.com

I would recommend to revisit that with fresh eyes.

I’ve found that’s easier to build a simple UI by loading chromium + webapp than having to deal with the intricacies of multitarget crosscompiling.

That ecosystem used to suck heavily as of 3-5 years ago, but I know it's improving. But you still need Node and a bunch of shit running underneath to glue the UI to the drivers.

As much as I'm starting to hate Qt, I can still have it up and taking to hardware in a few minutes. And the onscreen touchscreen keyboard is worth the money.

It does depend on the platform you are using.

One of the devices I’m working on had to use rust (we were looking for some niche libraries, and we found that the C ones weren’t working, while the Rust ones did).

Building GUIs in rust is still a WIP, and I had to spend 2-3 days fixing libs and tweeking stuff to get to something that compiled but was very buggy.

Instead of losing more time on that I set chromium + apache on the thing, and built the GUI as a web app. The rust executable has a simple API with actix that works flawlessly.

In that case it was the perfect solution because I had to add an API for remote management anyway, but I found the approach quite nice to work with.

Node is a nightmare

I can get a decently functional UI app working in native code with just the SDK for whatever platform it’s on, but try to use React and suddenly I’ve got a web of 200 dependencies, each more shady than the last. And that’s just for “hello, world”

Plus the JavaScript engine is single-threaded and insanely slow.. it’s gross. I’m guessing that one of these days app developers are collectively going to snap out of it and throw Node in the trash

No, it's only going to get worse.

As single-board devices get faster and cheaper by the week there's a flood of developers that have cut their teeth on Node/JS/React and they get something working on a Raspberry Pi and think "Yeah, embedded development is a piece of cake. I can do this."

And maybe they're right, because doing it all by scratch and cobbling together robot parts to make a system work is just really getting to be old.

I used to get annoyed at the RPi newbies but now I welcome it as job security because someone still needs to write the bootloader and drivers. And if you read StackOverflow/Reddit you'll see there's nobody teaching that anymore.

Man, I kinda feel like embedded software is doomed. There are only a dozen or so companies where embedded software is a first-tier product for them that gets a lot of resources put into it. It feels like everything is moving toward using super low-quality Chinese drivers/firmware and really badly-designed microkernels (or treating linux like a microkernel) to squeeze all the functionality out of the OS and into bad managed software stacks.

Then again, any company that takes firmware engineering seriously can make devices 5+ years before Moore's Law makes it feasible for others, so maybe there'll always be room for us.

It feels like everything is moving toward using super low-quality Chinese drivers/firmware

You must be a Broadcom user. My sympathies. =)

But I totally hear you. I'm not as pessimistic because I tend to follow parts that the automotive sector uses (yeah, not great right now) and they typically don't put up with random Chinesium parts and code. And yeah, it seems more and more like everyone is just throwing Linux into the mix and hoping that some OSS developer and/or Otavio Salvador swoops in and fixes things up.

RISC-V may be a way out of this. Maybe. Or it will make things ten times worse.

Notepad and Apache are still present and working. Probably not a good choice for a payment processing single page online store, but fine for a simple informational website.

> Probably not a good choice for a payment processing single page online store

Why not, out of curiosity?

I got started making websites with Notepad and eventually Apache.

Nothing wrong with Apache, but syntax highlighting would be nice to have in Notepad.

Having done both frontend and embedded professionally for years, they're about equivalent in difficulty for a moderately complex system.

For self-learning, frontend is orders of magnitude more accessible.

Strong disagree. I do embedded development of varying complexity. I often have to learn and figure out new things, but once I have something figured out, I have it figured out, and I can drill down to hardware register level to figure things out when something is misbehaving.

Every single time I touch anything web-related I discover that the entire landscape has shifted, all the tools I used last time are now abandonware, and I have to figure out everything anew. It may be more accessible if you're starting from scratch, but it's a constant treadmill that you instantly fall off of as soon as you do anything else. And when something doesn't work? Good luck finding out what's happening in the countless layers on top of layers on top of layers.

And yet it’s trivially easy to understand that new shinny thing, and most problems you have, there’s thousands of posts explaining how to solve them.

Embedded has advanced a lot on this front, but for a lot if the industry, good luck finding anything but the original documentation.

Maybe it's just me. Vendor documentation in hardware tends to be kinda crap but there's usually plenty of other sources for information from other people who implemented something using the part, and that information doesn't get stale, ever, and documentation state improves over time. I've had problems finding reliable info on what's going on in webdev, most posts are "do this" solutions which don't really help you understand what is happening under the hood, and there are countless crappy tutorials. To be fair, I'm an extreme case, I touch web stuff once every few years, and only if there's really no way around it, and a lot happens in browser capabilities and javascript in a few years.

> but there's usually plenty of other sources for information from other people who implemented something using the part

That’s only the case if you use the small (tiny!) subset of parts that everyone uses.

If instead of using some nice and common stm32FXX MCU, you need to work with some obscure Renesas or Fujitsu for example, prepare for a world of pain.

The good thing with web stuff is that you can swap frameworks until one does what you want nicely, and leave it at that. You can’t really change the IC in your board just because the I2C module is doing something weird.

I use obscure parts. For example, just this month I've used a part that the manufacturer doesn't admit exists on their website, and a part where the manufacturer doesn't even have a website, and neither is anything widely used. But there's always a small community of people who use the part, and we cling to each other and compare notes vigorously.

Web APIs are most of the time just added, rarely removed or changed. If you ignore all the frameworks and libraries from random celebrities on github and all the FOMO on not updating them constantly, the base platform is quite solid and versatile enough.

Treat MDN as documentation for registers. :)

> all the tools I used last time are now abandonware

I think you are exeggarating. Over last few years, there were no hard deprecations, except for AngularJS. Many tools, popular in past, went "maintanence mode" and receive mostly bug fixes, but these tools are still viable.

Can one self-teach about embedded enough to find employment?

I'd certainly think so. I almost did. I initially learned Java on my own. It's good to know at least one full programming language before diving into embedded programming, I think.

Then got into Arduino programming. There are tutorials for that online. Try communicating with other Chips like a Shift-Register, then something that uses a standard serial protocol (ex. I²C).

When you feel like you have a good grasp of the basics, I recommend getting a development board and doing the same there.

Most Microcontrollers (ARM Cortex Processors at least) are pretty similar: You get a datasheet and a User's Manual. The User's Manual describes a bunch memory addresses, which control the built-in peripherals. There are excellent descriptions of what value will give you what result, but it can be a bit daunting to get your head around it at first.

I recommend a chip that has a so called "Board support Package". I have experience with LPCOPEN. This will make things a bit easier, as you don't have to figure out each register address for each thing and can instead use functions like "Chip_TIMER_Enable(timer_t timer)".

There is a lot more to it, but once you get started, you usually always see the next step.

Neat, thanks for the detailed answer!

I self-taught enough to design and build a working PCB (that passed a bunch of certification testing), including writing programs for an ARM Cortex microcontroller. Took about six months of learning and then a couple months of design/implementation to get a product that can be sold and have the fundamentals in place to make similar kinds of products much more rapidly.

It's very doable with dedicated study and I'd argue it's one of the best ways to get your design ability to rise to the level of being able to build something from scratch, without reference to other code / searching google for answers.

Yes, easily. Though you may find it will pay much less than webdev, even for highly complicated work with Linux capable SoCs based board designs.

> Embedded programming? Dealing with signals?! God forbid, man.

"How does a USB keyboard work? by Ben Eater:

* https://www.youtube.com/watch?v=wdgULBpRoXk

I wonder what a better approach is : do an intro on Assembly programming or get a SoC like Pi or Arduino to learn more about it.

Intro to assembly using an arduino? :P

My strategy has been to get into 80s game consoles where assembly programming was expected but the platform is small and standard enough that I can use emulators with memory views/debuggers & see everything going on.

heck at the end I might even have a game!

Nice, I'd like to do this too. Which console would you recommend starting with? I'd love to see an old timey programming manual and emulators for that platform. I've heard good things about Nintendo consoles, but I don't know where to start.

I think nintendo consoles, by virtue of being the most popular of the era, and therefore the most nostalgia, have probably the best debugging/tools of the lot. Personally I'm not a fan of the 6502 as a general-purpose CPU, but it's just fine for single-tasking games and global variables (there's almost no stack space).

I'm starting out on z80 since I have an MSX and I hope to move to Sega Megadrive/Genesis later since I hear nothing but good things about the motorola 68k. The z80 seems pretty easy to understand (though it's not always consistent).

It's worth checking the limitations of the video and sound hardware to see what you like as well. I'm partial to FM synthesis so Sega consoles make sense to me. 8-bit stuff is going to land you with really tough colour restrictions (often about 3 per 8x8 square, tops). You may want to start with the "16-bit" era, which generally used 4-bit colours (16 for the whole screen, easier to create assets for).

I’ve only read the first couple of pages but this looked really neat: https://famicom.party/book

Only natural that complexity is increasing. When and where that’s warranted will be an eternal debate.

What do you believe is the distinction between software engineering and programming?

Where are you drawing the line between software engineering and programming?

I personally like to compare it to building houses.

Programming is laying the bricks, the cables, etc. Basically doing the actual building.

Software engineering as in other engineering disciplines is more concerned with making sure everything actually works and fulfills certain standards of quality. The planning, design and architecture part of the work.

For the last decades the person doing the programming and engineering were usually the same, but they are more and more drifting apart with more engineering focused roles like software architect.

In much of the world engineer is also a protected title that requires formal education like with doctors or lawyers. The US is using it pretty inflationary.

Shades of the 1980s and prior decades! In the 1980s, I worked in the aerospace division of a Fortune 5 company. A headhunter called me up, was chatting, and asked me what I did. I said I was a "programmer". Silence on the other end and then, "Are there any people who design programs there?" "Umm, yeah, we all do." I was book-aware of this distinction in previous decades, but this was the first time I had encountered it in the real world (of a headhunter). I see that we "programmers" are still regarded as being like the streetsweepers in Victorian London, sweeping out a path in the manure and mud for the software engineers! :) (We had software architects back then.)

There’s no line. Programming a a strict subset of, and is much smaller than, software engineering. Communication, technical writing, customer and stakeholder management, system design, technology awareness and many, many more are what make a software engineer in addition to programming.

Software engineering has a higher level view which is more concerned about the architecture of the whole system.

Programming is more concerned how it's implemented on the specific hardware/language, and how its limitations and advantages play a role in the implementation.

You can know both, they intersect in a lot of places but, programming goes deeper, and software engineering goes higher.

That's a reasonable way to look at it, but there is a missing component. In the early 1990s, I was a subcontractor at a large firm which had software people who were only interested in designing software, down to a medium-level pseudocode, after which the design was handed off to coders. These designers were great people, but, on this project, none of the firm's designers and coders had hands-on knowledge of and experience with the hardware and operating system (an early version of VxWorks). The coders would gain this knowledge and experience from writing and testing the software, but not so the designers.

My missing component was that there was no mind-to-mind feedback loop conveying this knowledge and experience gained by the coders back to the designers, from which it would inform the designers' future designs. (And there was no regular feedback about how well the design fit the problem and if the design required radical changes during coding and testing, although some of that is more an administrative concern than a technical one.) The "coders", by the way, were quite capable of designing their own programs - and did. I don't know why the firm had this subset of design-only'ers; they were smart and maybe the firm wanted to hang on to them and maybe "coding" roles were intended for brand new employees.

I don't know if you can really make the distinction, is anyone actually hired as a "programmer" instead of an "engineer"?

I feel like developer is the best name for what we do, it doesn't limit us to the act of coding and it doesn't make the presumption we're engineers (very few of us actually are).

Then again if I could choose I'd probably prefer computer programmer, it doesn't get confused with property developer and pretty specifically covers what we do.

Competent interns and other skilled juniors are usually good programmers but lack all the business acumen to be good engineers. This can’t really be taught in a curriculum, because it’s something that needs to be internalized by practice.

Kind of disagree, I haven't really needed to learn much about business other than what I picked up in a couple of business papers at uni, there just isn't much to learn about business systems as far as building software is concerned.

Any good degree should be covering all the software lifecycle stuff and general information systems as a concept.

I guess there are definitely people out there that have no interest in the business side of things but I think theyre outliers.

But now that I think about it maybe I'm wrong, I know a lot of business product people and even other developers just assume I don't know anything about business. At least that's what's happened now working for an American company. Working for Aussie companies it's just assumed that were sort of business analysts as well.

It isn't about business systems, it's about understanding the business you're developing a system for.

I know a guy that can architect optimizing compilers but writes shit code.

That's where I draw the line.

One familiar chip that end users might not expect to contain a computer is the IMU or accelerometer. Take a look at this flyer from a recent Bosch smartphone IMU:


You might think an accelerometer just outputs acceleration data. I've used some that were purely analog; as an acceleration moved a mass, a strain gauge or piezo element flexed; the output wires were simply analog signals. But these excerpts:

> ...combines precise acceleration and angular rate measurement with intelligent on- chip motion-triggered interrupt features.

> The IMU provides highly accurate step counting, motion detection

> provides an intelligent power management system enabling motion-triggered always-on features to run inside the ultra-low power domain of the IMU

That ultra-low power domain of the IMU doesn't have dedicated logic to do step counting, it has a processor. The GPS IC has a processor. The power management IC is not just a voltage regulator, it contains a processor. The uSD card or UFS flash IC contains a processor. The camera sensors contain processors. The display controller contains a processor. Looking at a teardown, I can't see too many more ICs on a smartphone motherboard...oh, I suppose the noise-cancelling/speak to wake functions of the microphone ADC are probably also implemented by a processor. Some of those, depending on the manufacturer's vertical integration and the age of the device, are inside the SoC, but many of those functions that you might imagine to be hard-wired are actually running in firmware.

Even the microSSD card likely has an ARM core that can be hacked:


Apple SoCs have something like a dozen CPUs in them all running seperate firmware. a display processor, gpu message processor, etc. Asahi Linux has a write up somewhere.

Yeah, basically everything that you consider a peripheral is a full blown computer with its own CPU and memory. Your nvme controller, your NIC, your USB hub, etc. They main thing people need to care about is whether or not they can connect to the internet without going through the main CPU on the system. I'm not worried about storage controllers for that reason, but I'm relatively afraid of my modem.

Heh, if you really want to go meta, you could talk about the microprocessors inside modern cpus and gpus and, oh man, systems in a chip…

In one SoC I am familiar with, there is a ARM cortex-m3 core (far more powerful than the original PCs), with its own firmware, dedicated to managing power transitions in the SoC like suspend-to-RAM.

There is likely one or more of these in every SoC!

>Think of chips as microservices.

This is a good analogy, but not in your favor.

This is all part of the disease of modern computing where you program against a giant machine with a giant interface and you set a few config variables and have no idea or control over how it will work and your program winds up full of unintended behavior. See: game engines, gstreamer, web frameworks, browser API, HDMI modules, terminal emulators, shells (bash, etc).

The flip side is that the more popular an off-the-shelf tool is, the harder it is to sneak something in. Someone somewhere is bound to notice fishy behavior at a certain scale. It lowers the skill level required to understand the choices you make and make better choices. I wouldn't even know where to begin trying to notice, much less explore, what AT&T is doing at 1111340002.

The more components with a million eyes watching it, the more attention you can direct toward the rest.

> Someone somewhere is bound to notice fishy behavior at a certain scale.

I'm not convinced that this is true to a meaningful degree. It's certainly theoretically true.

However, we've now had a number of events where bad things were found in fundamental and popular OSS software, and those things existed for years or even decades before being found. And who knows how many more exist that haven't been found, or at least publicized, yet (and may never be).

I think the reality is that most devs aren't deeply examining the tools and libraries they use. How could we? We'd spend all of our time vetting software and little time writing it.

So you're saying having giant IP modules inside your electronics is somehow making things more secure? They certainly don't make the product any less buggy.

Sometimes it goes down a dark path, like with Google moving all the important stuff in AOSP into a proprietary app attached to proprietary services most devices end up using to deal with phone vendors not updating. I'm not sure it's possible to come to a real determination here when the viewpoint counter to mine would require someone go find and study all the obscure little modules 2 people in the world know how to work with. The data is stacked in my favor, but it's hopelessly incomplete. I might be wrong.

What's the difference between a human and a cellphone?

A human only has two ARMs.

As I often tell my kids, somebody has to do the dad jokes.

> Think of chips as microservices.

That is an interesting perspective.

> Your carrier can upload and run arbitrary code without your consent or knowledge.

Well, arbitrary sandboxed code.

I agree that by today‘s standards, the APIs that code has access to seem excessive and are well worth trimming down, but some of them are vital to the network‘s internal operations (like OTA updating the list of preferred roaming partners), while others enable new use cases (like M-Pesa mobile payments).

For example, multi-IMSI SIM cards are, in my opinion, an ingenious solution enabling entirely new products and bringing much needed competition to an industry that had been pretty stagnant (international roaming). That would not possible without the SIM application toolkit.

Can a hobbyist mess around with this at all?

Edit: yes, but I wonder how much trouble you'd get in putting this into a real phone?


Probably none at all – such a SIM wouldn't have the required keys to even connect to any real network.

SIM cards are just Java Cards, after all – the secret sauce is the proprietary software running on them (the ones you've linked seem to come with an implementation of that pre-loaded) and of course the keys they hold.

Nobody keeps you from implementing all the SIM specifications in an open-source Java Card application, and I would in fact be very intrigued to see it happening ;) As far as I know, experimental/hobbyist GSM networks, like the ones running at some conferences, are still using proprietary SIM cards, and an open source implementation would be very interesting to study.

TFA has links to the tools used. You'll find Osmocom.org an invaluable resource.

I've put test SIMs in plenty of real phones, before tossing them into an RF chamber to talk to the network simulator. The real network doesn't seem to care.

It makes sense that they don't: If you're using an unregistered/test MCC/MNC id as part of the IMSI, they would just consider your phone a roaming guest that they can't provide services to.

Even if you'd be using an actual IMSI (not recommended – this seems like a legally more gray area), you would just fail authentication with that provider's AuC and the network would not let you register in what would be the GSM equivalent to a device trying to connect to a Wi-Fi with the wrong password.

> some of them are vital to the network‘s internal operations (like OTA updating the list of preferred roaming partners)

That should be the phone's job, not the SIM card.

> while others enable new use cases (like M-Pesa mobile payments)

That should be the phone's job, not the SIM card.

> That should be the phone's job, not the SIM card. [internal operations]

Maybe, but what would inevitably happen is for network operators to demand that only certified devices, or maybe basebands, be allowed on their networks.

SIMs are a big reason of GSMs (and its successors') success: Having a trusted computing device to allow for key management and a few other things inside an otherwise untrusted/sandboxed phone was the compromise.

I'm all for making the interfaces used less opaque and less prone to be used for shady purposes, but the concept of SIM cards is a net win for everyone, in my opinion.

> That should be the phone's job, not the SIM card. [applications]

If you have a smartphone, it is. Many people still don't own one.

USSD is an alternative and is starting to be deployed in many markets previously using SAT, but it seems much more cumbersome to use and is less secure too (no trusted client side storage and tied to the security of the underlying transport protocols).

> Maybe, but what would inevitably happen is for network operators to demand that only certified devices, or maybe basebands, be allowed on their networks.

There was already a battle between AT&T and people who dared connect phones they actually owned to the phone network, and it ended well for the general public and badly for AT&T. The cell network should not get to determine what people attach to it; it should just pass data back and forth.

(In an ideal world, the cell network would have absolutely nothing to do with phone numbers, either; it would just pass data, and phonecalls would always happen over encrypted channels to your actual phone-number provider.)

> the concept of SIM cards is a net win for everyone, in my opinion

Public/private key crypto doesn't require a card that can also do other secret operations. And it doesn't require a smartcard either.

> The cell network should not get to determine what people attach to it; it should just pass data back and forth.

I absolutely agree.

> And it doesn't require a smartcard either.

There are many good reasons why a counterparty does not trust you (fully) with a set of keys.

The biggest one is keys that allow financial transactions or billing events to happen: It makes the "I lost my password" defense for friendly fraud much less credible. Another can be to discourage sharing of a service (i.e. "account sharing").

Now there's two ways to keep "your" keys safe as a service provider: You build a fully locked down platform and only allow devices sold and made by you to attach to it (and play your content, use your phone network, transact on your payments network etc.), or you standardize the interface to the "key jail", keeping the rest of the device open and accessible to independent security research.

You can call such a tamper-proof device holding some issuer's private or symmetric key any way you want – functionally, it will be very similar to a smartcard.

> There was already a battle between AT&T and people who dared connect phones they actually owned to the phone network, and it ended well for the general public and badly for AT&T.

The now reformed SBC/AT&T is doing something similar - only devices on this list[0] can connect to their VoLTE network. Without registering for VoLTE, the phones will not be able to connect to the network.

Even if a phone has full VoLTE compatiblity (the OnePlus 6 series, for example), if the manufacturer does not work with (read: pay) AT&T for certification, it will not be allowed on their network.

This is illegal under California SB822[1], which among other things prohibits the blocking of "nonharmful devices" on networks - but AT&T, along with the other major carriers, are currently acting like this doesn't exist until they're forced to by abide by it by a court of law.

[0] https://www.att.com/idpassets/images/support/wireless/Device...

[1] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...

> Many people still don't own one.

And when my current smartphone dies, I'll be joining the ranks of those who don't own one. I'm aware of two other people who are also moving back to dumb phones. I wonder if this is going to become more common as time goes by.

> [W]hat would inevitably happen is for network operators to demand that only certified devices, or maybe basebands, be allowed on their networks.

This is already the case.

In what way?

I‘ve heard that in the US, some providers are still insisting on this (essentially a leftover practice from the pre-SIM days!), but at least in Europe I‘ve always been able to use any phone I like, even really obscure ones.

My experience is in the US. PTCRB is the standardized one. Even on top of that, AT&T has additional testing (see TRENDI, which is a whole lot better than what they used to require). Verizon has their own idiosyncratic process where you don't learn what standards you need to meet until you submit a request for testing.

The carriers don't use technical measures to keep uncertified devices off their network. It's still usually a violation of the terms of service. And yes, that means that aftermarket PCIe-form-factor cell radio in your laptop is theoretically a problem unless that precise laptop + card combination has been certified.

That requires phone manufacturers to consistently send out updates in concert with many many phone carriers, including new ones no one has never heard of. I do not trust a single carrier to do that

True – not even Apple gets this right, being otherwise pretty good about timely software updates.

My MVNO started being recognized incorrectly as being part of another network years ago, and apparently their engineers have been unable to reach anyone within Apple about the matter and get theem to apply what should be a trivial fix in their IMSI mapping table.

Apple has never been good in this department, according to the folks I've talked to within mobile carriers.

Even Google, a nearly $2T company, operates an MVNO ("Google Fi") that does not work properly on the iPhone, because Apple has not added Fi's GID to the correct list.

Jailbroken users can (in theory) add Fi's GID to T-Mobile's "carrier bundle," and things like Wi-Fi calling, 5G connectivity, etc will work instantly.

Originally there was a technical reason for that: Google Fi uses several carriers, not just T-Mobile, to increase coverage, and at the time preliminary iPhone support first came out for Google Fi, iPhones didn't have support for connecting to two carriers at once and switching back and forth between them based on signal.

So right now, someone on Google Fi with an iPhone and someone on Google Fi with an Android phone can be standing next to each other, and the Android phone could have great signal while the iPhone has zero signal because T-Mobile has no coverage at that location.

I don't know if iPhones now support that; if they do, then there's no longer any technical reason iPhones couldn't have first-class support for Fi.

I believe this is because Apple don't want iPhone to be used in unapproved network. Apple want to sign agreement with network operator to sell iPhone.

> That requires phone manufacturers to consistently send out updates in concert with many many phone carriers

The carriers could still provide information about their network, via a standard API.

I'm talking about how this should work if designed well, not incremental steps to get there with non-cooperating entities.

> I'm talking about how this should work if designed well

I think that I've fantasized about this magical land with literally every system I've ever worked with in my entire career, including ones of my own design. I've come to suspect that utopia simply doesn't exist.

I strongly disagree on the first point. The carriers used are entirely an issue with my carrier. I don't use a phone that's in any way associated with my carrier, and I expect the SIM card to "just work" when I put it in a phone.

Would you rather have to copy-paste an arbitrary list of parameters into some preference menu option every time you travel internationally?

(Ironically, SIMs are falling short on this end quite a lot since they don't allow providing GPRS and MMS related configuration, which means that now we have SIMs and manual lists...)

I'm confused by what you're saying. I'm disagreeing with the comment saying that SIM cards being smart is bad.

Ah, sorry, I must have misunderstood you or mixed up comments!

Yes, I agree that SIMs being (moderately) smart helps them to just work in a new phone without any affiliation with the carrier.

It's not perfect, though – APN settings are annoyingly part of the OS when they should arguably be a SIM and baseband implementation detail like the SMSC, for example.

For mobile payment, the SIM acts as a means to sign messages in a way that is difficult to spoof, as you cannot directly access the cryptographic key on it. This existed and worked long before secure elements or TPUs were on the scene.

> Well, arbitrary sandboxed code.

But a sandbox that has access to very sensitive data.

Much of that data is already available to the provider (the only entity able to install new SIM applications) anyway: Cell location, incoming and outgoing calls, your IMEI... They already know all of that!

There are some notable exceptions, like the ability to initiate voice calls possibly without any user interaction, and I'm all in favor of removing those from the specifications. I'm not sure whether modern devices actually implement these.

The only remaining concern then is weak authentication key security, i.e. allowing unauthorized third parties to control SIM (and by extension phone) behavior, potentially without the operator's knowledge. This seems like a very similar concern to weak phone network signalling stack security (like being able to intercept SMS via SS7), which is an ongoing problem too.

Every device can do things behind the users back. Intel Management Engine runs even when the computer is turned off, contains a full blown operating system and has access to tcp/ip stack.

If privacy is a concern, no device should be trusted. By device I mean anything that contains a chip.

What's worse, people might suspect their phone or PC might be leaking data to third parties, but they will be less suspecting about their TV, their fridge or their car. But since anything is becoming smart these days, one can assume that anything that runs out of electricity is a potential privacy problem.

The NSA specifically orders motherboards without these management components. No one else can typically get them, they’re not available to people like you and me.

I think some things are overblown and unjustified paranoia.

Other things? Justified paranoia.

> No one else can typically get them, they’re not available to people like you and me.

Isn't that just setting the HAP (High Assurance Platform) bit in the ME blob to disable it after bring-up? For Intel platforms it is possible for the end-user to modify the firmware themselves in many cases. https://hackaday.com/tag/hap-bit/

My approach as an practicing paranoic: Use retro Computers.

How much retro are we talking? If retro enough we can't use them for any modern use case.

Maybe something like a RISC-V core written to a FPGA by yourself is pretty safe.

You can have both.

* https://github.com/MiSTer-devel/Main_MiSTer/wiki

Combine retro with FPGA as you like(within the constraints of that development board).

Or waste Watts by using software emulation.

It all depends on the one question: What IS your use case?

Mine is as an tutor on an evening college, casual writer and some dabbling into some embedded projects. For THIS use case my (very retro) Atari 520 ST with 4 MB Ram is totally working. Is it nuts? Yup, but i can be sure that no state trojan is monitoring my totally boring behaviour.

Take this behavior too far and you might just sign up for more monitoring.

"Why does citizen #2743652 have internet/electricity service with no registered devices or online profiles?" *Does deep background check*

Nah, no problem: Just use some cheap tablet for a bit casual time in the "commercinet" (e.g. YouTube)... ;-)

This is the avenue I've started taking, myself.

The IME is just a "smarter than needed" addition, so it's probably not too hard to take it out

But every PC has a SMC which deals with things like power-on, WOL, etc

You can remove “modules” of the management engine but it’s responsible for booting the x86 cores so you cannot entirely turn it off.

I think you were most likely right, coz you just reminded me one incident that I talked with my colleagues regarding solar power one day and just one day after that I received a cold call trying to sell me some solar solutions. There were 3 ppl in the conversation, I was the only one without solar at home and I was the only one received the call too. How likely that would be a coincident?

Such things are so scary but what can we do? For most of the ppl, they cannot prove something like that happened. For me, I might be able to prove it but I cannot easily do it without significant efforts.

>>How likely that would be a coincident?

People say this all the time but literally no one has been able to prove any kind of secretive listening-based advertising.

The best explanation is that either you or someone else in your household has searched for something related and now it's appearing in your ads, or actually more likely, advertisers are incredible at linking cookies to actual users, and it's enough if your friend searched for solar panels and then his interests were associated with you. Like, advertisers can figure out all your friends have solar panels but you don't - so they show you ads for them. It's far easier to do than listening and to your conversations covertly.

If you have "OK Google" or whatever it is turned on, it is indeed listening to you.

I've seen it with my parents. They will talk about it, not to their phones, but around their phones, and they'll start seeing ads for something they talked about.

I've always had that featured turned off (I have to press the button), and I don't notice it.

My wife also sees it with her iPhone with siri turned on. I talked to her about, for example, Jordan Peterson, and her phone starts blowing up with Jordan Peterson on Instagram.

I dont think it's pure coincidence.

>>I talked to her about, for example, Jordan Peterson, and her phone starts blowing up with Jordan Peterson on Instagram.

And why did you talk to her about Jordan Peterson? Is it perhaps because you read an article about Jordan Peterson earlier? If so, I assume you both share the same IP at home - so she starts seeing things you viewed or browsed. Facebook owns Instagram too, so if you look at something on Instagram it's not that wild that your partner's Instagram starts showing her things that interest you - it's just association.

>>If you have "OK Google" or whatever it is turned on, it is indeed listening to you.

Sure, and that's what I meant in the first paragraph - no one has been able to prove that this feature is sending your voice to Google/apple/Amazon servers unless you trigger the key word. Recording and sending voice would create some trace and no one has been able to prove this exist. That's not me saying it doesn't exist, just that for what is supposedly wide spread phenomenon, we have no proof it's actually happening other than anecdotal stories which can be easily explained by other means.

Nothing like this ever happens to me with Alexa or Siri always listening, but I have all my web browsers locked down and I don’t use any Facebook apps/sites

I think you need to look into how pervasive and creepy ad network tracking is: https://www.nytimes.com/interactive/2019/12/20/opinion/locat...

Not sure why it's downvoted, it's been proved many times

Professionals and hobbyists who analyze smart phone app behavior with APK decompilers, reverse engineering suites, personal cell towers, SDN radios, SIM dongles, mobile device emulators, etc: "Facebook apps are not listening to your conversations in the background, if they were we'd have seen it here, here, here, and here."

People with anecdata about which ads they see, who think of cell phones as inscrutable magic: "No, they definitely are. I can't (won't) think of any other way they'd infer my interests in these topics. You can't see it happening because they are too smart."

Yeah, I hate Facebook as much as anyone, but they’d have way too much to lose by deploying some sort of zero day-based hidden listening tools

I guess the financial incentive might be there for some shady ad network to do it, but that’s just so much risk to take on for such a tiny gain per infected phone..

I was talking about youtube. They do listen to show more relevant videos. I live in a very quiet household and if we say something out loud low and behold it will be in our recommended later.

Again, anecdotes are not data. YouTube is extremely good at guessing things you might be interested in, you could try being completely mute in your household and then after a week you will have to arrive at only one of two conclusions

1) YouTube can read minds and they know what you just thought about

2) with statistical data from literally billions of people it's not so weird to guess what you might be thinking about and show you a video about it.

Again, if they(your phone? Watch? Toaster?) were listening someone would have found some evidence by now, a trace of voice recordings being sent or even something that looks like it might be voice recordings. Yet we have zero. It's not happening, the much easier and much more probable explanation is that we're already tracked through every online service we ever touch, but also we are linked to people we live with or people we interact with, and for a company that possesses exabytes of data it can analyse it's easier to trawl that than try to sneak out voice recordings out of your phone.


I, a layman, have had similar experiences. It seems tinfoil-tier to think my phone's mic is always on and running some NLP. If I wasn't loosely technical I would dismiss it as such.

But why is it tinfoil-tier?

It's basically common knowledge that if you turn on "hear me say OK Google" that it needs to always be listening to hear "OK Google". That's a green light to start parsing everything said all the time, which will be turned around for advertising. Because that's how Google makes money.

Expecting Google to use data to advertise isn't tinfoil?

The tinfoil part is the parsing.

Actual nlp parsing all audio, or even a tiny subset of devices, is far beyond Google's capabilities. It's not a trivial task to process.

Your phone locally has some extremely basic recognition for "ok google", after which selective actual nlp parsing takes place.

But detecting “oh, this is voice” is easy. Recording the time where that happens is also easy. Knowing when people are chatting around the phone, and roughly what the fundamental frequency of their voice is, could make $0.001 per person. At Google's scale, that's worth it.

So long as they don't get caught, anyway, because that's all sorts of illegal. Especially at Google's scale. (I don't think Google does this… probably.)

What's you're saying is possible and what we're talking about are two entirely different things though.

The fundamental frequency of the voice doesn't tell you what words they were saying.

It's probably that psychological effect where if you buy a red car, all you can see is red cars. How many times have you received a completely random, unrelated cold call?

I think that's the the Baader–Meinhof phenomenon.

From Wikipedia: Frequency illusion, also known as the Baader–Meinhof phenomenon or frequency bias, is a cognitive bias in which, after noticing something for the first time, there is a tendency to notice it more often, leading someone to believe that it has a high frequency of occurrence – a form of selection bias.


Shouldn't that be necessary if you want to boot your PC from the network?

Realistically, how many real people actually use PXE? It must be tiny. Seems strange to include what is essentially a business function in a product for normal people.

I consider netbooting like drawers in the kitchen, where I grab tools according to task. Be it preparing meals, or actually eating.

In a reversal of what you call business function, I'd consider it as my business to do what I want in my space when I want, how and where.

That shrinkwrapped pre-installed OS/Appstore is just another business sector, which the masses have been conditioned into accepting.

Convenient. But sometimes not, rather the opposite.

Any IT department that images devices, for starters. The number of people who actually use it is quite small, but the number of devices those people image with PXE is massive.

Right, but "IT department" falls under business use. I was talking about people who aren't technically inclined.

This was driven home to me many years ago when I popped a SIM from a Mexican carrier that had an embedded Dominos Pizza app on it. Suddenly the Windows Mobile phone I was testing had a new icon on it.

Likely the app was not embedded in the sim. It was likely a carrier profile that the sim activated that triggered the download and install of the app.

Maybe, but you'd be surprised what kinds of SIM application toolkit based products there are in the world. These are actually running on the SIM, with your phone only proxying input/output!

For example in many African countries, you have M-Pesa [1], which was at least initially entirely based on SAT.

[1] https://en.wikipedia.org/wiki/M-Pesa

Essentially, the OS has a backdoor to allow commands from the SIM. I wonder what other uses are there for this method?

Is it still a backdoor if it is publicly documented?

Also, the API is somewhat limited. "Installing applications" here means "downloading code to the SIM card", which arguably has always been the phone provider's property.

It's definitely not possible to install apps on the application processor OS via SIM-OTA. That would be OS-based carrier profiles, which the OS vendor has deliberately implemented.

You may know there is one but you still don't know how to open/use it.

The more important question is, can the SIM itself be remotely updated.

If so, any entity with a court order, can install anything it wants on your phone.

Alternatively, any entity it wants can use the sim itself to track beyond the norm...

Not really updated, but new applications can be remotely installed and then interact with the baseband and (to a limited extent) the smartphone OS.

It‘s not "any entity", though – the provider’s keys are needed to do this, and they can already do much of that tracking using other, network-side means.

If the signing keys are compromised, though, bad things can happen: https://www.srlabs.de/bites/rooting-sim-cards

Couldn't installations be observed though?

They could (using a setup like the one in the article), but the payload is usually encrypted in addition to being authenticated, and such OTA updates are done for legitimate reasons all the time.

A distinction without difference from the end-user's perspective.

Many years ago, I worked on a serial link (think SATA, PCIe, USB 3, etc.) that had a small embedded processor to self test the link, perform analog component calibration, link equalizer calibration, and even make an eye diagram for link characterization. We could patch it with a few instructions over the JTAG port. There are way more processors in ICs than you would ever imagine.

> A SIM card is a full blown computer with its own CPU and memory.

I read something to this effect years ago and mentally filed it away as “huh, that’s interesting.” This article is the first time I’ve understood what it actually means in practice, and it’s an eye-opener.

Also worth noting is that most of SIM cards are Java cards, running Java applets

Java Card is not very similar to Java, Javascript is more like Java than Java Card is

To my understanding it’s an actual subset of Java, a very limited subset, but a subset of the real Java nonetheless. Java Card applets are compiled using a real Java compiler, and then the bytecode is translated into a simplified format for running on the card.

This video from defcon gives a good overview of what Java Card applets is, the limitations and what it can do: https://www.youtube.com/watch?v=31D94QOo2gY

It doesn't resemble JS. It's a JVM/Java subset. You can even write apps using the Java Servlet API with JC 3.x

That's only on JavaCard 3 connected, though – which is dead: https://stackoverflow.com/questions/9546812/javacard-3-in-re...

But I agree – Java to JavaScript is not the best comparison. Maybe a better one would be C programs written for a Unix system vs. C on a microcontroller: Same language; vastly different instruction set, OS and hardware capabilities and APIs available.

Unlike C on microcontrollers, Java Card applications are hardware and OS agnostic, though!

That's what I said, it's so limited compared to Java that saying SIM cards run "a thing like Java" is massively overstating it. It doesn't even have floats.

It's a UICC not a SIM card anyway.

> Your carrier can upload and run arbitrary code without your consent or knowledge. They can do this at any time.

Is that equally true of SIM cards and eSIMs?

I'm in the process of setting up a new T-Mobile phone and they say they support eSIM but they are really pushing me to use a traditional SIM card. I've been wondering why they care.

More really. Secure Enclave on iOS is its own computer as well.

The touchscreen controller has one as well. And the NAND flash parts. And the Motion coprocessor on older models.

And lightning -> AV cables have an arm SoC


Computers everywhere. Even ikea lamps have emm now :)

How susceptible is eSim? More? Less?

Pretty much the same, I would say.

An eSim is essentially a virtualization solution with each eSim profile effectively running in a container which can be set up, deactivated, and deleted only by the profile manager.

The profile manager communicates with the provisioning infrastructure in an encrypted and authenticated way, so the profiles being loaded, i.e. their code (if any) and data, are as inaccessible as those on a physical SIM.

While active, an eSim profile has all the same capabilities as a physical SIM, including remotely loading Java applications, issuing proactive commands to communicate with the network, registering for event notifications about location changes and incoming/outgoing calls…

So an iOS device with an eSIM is running a JVM in the eSIM?

Yup! I have at least two eSIMs myself that have SIM applications running in them that wouldn't be able to function otherwise. (The operators do IMSI switching based on SAT event triggers, from the looks of it.)

The Oracle JVM installer wizard isn't lying when it's saying that there is billions of devices running Java in the world :)

This is blowing my mind. I'm not sure what's real anymore...

Considering that sim cards do a lot (think roaming on cheapest partner etc) .. you can bet that eSIM are equally capable and maybe even more capable.

I’d like to know the same thing! Maybe the config files are more observable?

They are encrypted and authenticated, since they contain the symmetric keys used to access the network.

Without the keys of a legitimate eSim (i.e. those chaining up to a GSMA-approved vendor) you won‘t be able to inspect a profile even if you know the activation code.

+1 I came to ask the same question

The interesting question is: what APIs and data does the SIM card have access to?

This spec is a good starting point:


Generally speaking, the SIM interacts using both "proactive commands" (e.g. "send an SMS to this number) and event downloads (think "whenever the base station identifier changes, please let me know").

Sorry, should have linked out the CAT specification instead: https://www.etsi.org/deliver/etsi_ts/102200_102299/102223/14...

The former just refers to the latter for event downloading.

Thanks! Out of these, the following seem most concerning/abusable:

* "setting up a voice call to a number held by the UICC" - effectively allows turning the phone into a bug (although not a very stealthy one, since presumably the normal call UI would be shown).

* requesting the terminal to launch the browser corresponding to a URL - triggering exploits

* providing local information from the terminal to the UICC; -- depends on what exactly the card can request, doesn't look like much except location which is discussed below

* running an AT command -- depends on the AT commands available, but I don't expect anything ground breaking

* requesting the terminal to start an application on the terminal -- depends on what exactly can be triggered (e.g. if it can trigger an app install it'd be extremely concerning, already installed apps less so), but I think it's only launching or listing already installed carrier apps.

* requesting the terminal to report geographical location information to the UICC -- fine grained tracking. This is the most concerning for me, and I wonder how/if Android shows when/if that happens (or if it is allowed). I also wonder if this can be used even when the phone is in airplane mode (to collect data and upload it later).

Great analysis, I agree on all points!

The geographic location seems to be only network-based (i.e. this doesn't poll the phone for GPS data, but only accesses data available to the baseband).

Hopefully, the following requirement also covers flight mode implementations:

> Where location information or Network Measurement Results has been requested and no service is currently available, then the ME shall return TERMINAL RESPONSE (ME currently unable to process command - no service).

If both are the case, then this does not leak more to the network than it could just determine itself from signalling data. In any case, as many things in these specifications, it leaves quite a lot of wiggle room for implementation mistakes, genuine and otherwise.

As a historical note, there was a quite famous implementation of SIM-based positioning in Germany: One GSM provider implemented a "home zone" feature entirely on the SIM, by populating it with a database of cells that qualify for "home use"; this was then used to bill the landline rate rather than the (at the time quite expensive) mobile rate for outgoing calls.

I thought SIM was just memory (RAM/ROM). What CPU architecture does it use?!

These defcon slides give a good overview of one

Atmel AT90SC25672RU, 8-bit AVR, 256KB ROM, 72 KB EEPROM, 6 KB RAM, Between 20 & 30 MHz


That's one example, but they are usually an 8-bit architecture with special tamper-resistance features, similar to what's found on payment cards.

So next question, is a credit card chip also a computer?

Yes, a very limited one but you can put a bunch of interesting things there, the EMV standard documents how other apps should be put there so that the customer can have a card that works both as a credit card in CC terminals and also have additional features that are accessible either in specialized terminals or custom CC terminals with explicit support enabled e.g. some loyalty card or discount scheme.

Here's a list (IMHO not exhaustive) of some apps put on EMV cards https://www.eftlab.com/knowledge-base/211-emv-aid-rid-pix/ - there are various identity card solutions both from governments and companies like Microsoft, there's https://en.wikipedia.org/wiki/OpenPGP_card , there's various solutions for store loyalty cards.

However, I don't consider this aspect as any risk to the user, since when using the standard payment card functionality your card payments already have no privacy or security whatsoever from the issuer of your card, from a technical perspective the issuer will (by design) see and manage (authorize, revoke, etc) all the transactions and the card + terminal is just one of the channels for sending cardholder-initiated transactions to them. It would be technically appropriate to treat it not as "your card" but "issuer's card" that the cardholder uses as a token to use when the merchant communicates with the issuer about the bill.

A good rule of thumb is that nothing is just memory wothout a processor. Including stuff that is sold as jyst memory (eg SD cards).

Yeah, most of this applies there too.

That‘s definitely still true for many existing cards, but newer ones are switching to ARM-M based architectures, as far as I know.

My SIM card has 30x more horsepower than my C64. Mind blown.

Thats a joke..

Also applies to other SmartCards, they sometimes even run Java applets


Would this mean that hypothetically, your SIM could send SMS messages even if your phone is in airplane mode?

I think that’s the lesson of this article — the SIM can instruct the phone’s radio to send and receive any sort of data (including SMS) without the rest of the phone ever knowing about it.

My understanding is that airplane mode does disable the radio entirely - so the SMS card trying to send messages wouldn't work unless the baseband (which, on iOS, is signed by apple and likely not an unknown binary blob to them) turned the radio on, let it connect to the network, sent the message, then turned off the radio, all without informing the OS.

You're assuming Apple doesn't have a way to bypass airplane mode when they receive a warrant.

Apple heavily resisted building a backdoor that would only be installed on a phone the FBI already had in their possession. Why would they build a way to bypass airplane mode if they receive a warrant?

They fought unlocking secure enclave. That has no bearing on active tracking. Apple is also under the eight ball with the threat of anti-trust regulation and are more incentivised than ever to make deals that turn down the heat on questionable business practices. They lost all credibility as a "security focused" company with their crazy on-device image scanning scheme.

I don't think the iPhone used in that case had a secure enclave. I think that iPhone was the iPhone 5C[1], which had an A6[2], while the secure enclave wasn't released until A7[3].

Wikipedia has the terms the FBI demanded, and to me they look like demands relating to software directly in iOS, not some other security chip[4].

>Apple is also under the eight ball with the threat of anti-trust regulation and are more incentivised than ever to make deals that turn down the heat on questionable business practices.

Questionable business practices impacting competition/monopoly, sure. But I don't see how a backdoor would make anyone think Apple has less of a monopoly.

>They lost all credibility as a "security focused" company with their crazy on-device image scanning scheme.

Apple publicly announced that in advance. That's different from a secret backdoor.

[1] https://en.wikipedia.org/wiki/FBI%E2%80%93Apple_encryption_d...

[2] https://en.wikipedia.org/wiki/IPhone_5C

[3] https://apple.fandom.com/wiki/Secure_Enclave

[4] https://en.wikipedia.org/wiki/FBI%E2%80%93Apple_encryption_d...

More so, how would they tell a phone with radios disabled to turn on a radio, besides physical access?

By telling the radio firmware to do so?

edit: the sim can tell the radio to turn on, when it wants to send a message.

It is a full blown computer, with direct access to the radio firmware, with no OS oversight.

The radio firmware can be updated remotely, too, and the OS only knows the modem is on, because the firmware tells it so.

The icon on your phone showing signal/on/off is displayed by the OS, after querying the firmware. The OS has no way to know if the radio is on or not.

Yes but from where is this command originating? Can't be remote because well... the radio is off.

It can be remote but shifted in time. E.g. send a remote command that essentially says "if in airplane mode, every 60 minutes turn radio on and check for new commands".

That would cause major issues in areas where phones are forbidden for national security or sensitive equipment reasons from having antennas active. I've never heard a report that a manufacturer has even considered that idea as it could potentially cost them major damages.

Of course, that's not something that a legitimate manufacturer would have in their standard firmware.

However, that is a possibility for specific malicious firmware uploaded to some "phone of interest" to prevent its user from protecting themselves by turning on airplane mode.

Depends a lot on how airplane mode is implemented on a given device, I'd say. To my knowledge, this is not specified by the relevant standards.

One way would be to shut down the SIM as soon as it's activated, which would include proactive commands of any kind (like those the SIM uses to request sending an SMS from the phone/baseband).

Another would be to keep the baseband and SIM active, but to still deactivate the radio – in this the SIM might still be able to issue proactive commands, but without any network attachment, they would just fail.

Of course an implementation could also choose to briefly reattach to the network whenever it receives such a proactive command.

Under normal conditions: no. But a hacked phone may fake going offline and still be connected.

The only way to turn off a phone for sure is to remove the battery.

> remove the battery

ha ha.

If you can access it.

Eat the SIM card.

It doesn't have a radio, so no.


Besides operators, individuals can also send OTA settings like APNs, proxies, etc. from a SIM card to SIM cards on another network. To the recipient, the message looks just like the settings you get from local MNOs when you first get connected when roaming in another country.


Can't wait to see what nefarious use cases that eSIMs can be used for then by our carrier then if your phone has one.

Maybe in the future, eSIMs will be the only SIM in your phone and it can't be removed, just reprogrammed by the carrier.

No thanks and no deal to eSIMs.

I’ve seen that template applied to every technology now considered bog standard (utterly mundane & normal).

And where has that got us? Surveillance states, the whole… *gestures at Facebook* thing, insurance companies having access to your medical records. The oceans are full of plastic!

What about eSims?

> A SIM card is a full blown computer with its own CPU and memory.

Yeah. They even run Java, that was the most surprising fact.

> Your carrier can upload and run arbitrary code without your consent or knowledge. They can do this at any time.

So what can this code do? Can my phone be compromised somehow?

>Your carrier can upload and run arbitrary code without your consent or knowledge. They can do this at any time.

Two words: Faraday bag.

You could also physically remove the SIM card, but there's a practical problem there; people with SIMs usually want to use them.

You'll never get the update then that it's confirming it installed. And you can't make phone calls. And you can't even use it unless you can get inside the cage. I guess it if comes with solitaire you could play that or something.

> And you can't even use it unless you can get inside the cage.

Bag not cage (though the bag is technically a Faraday cage you aren't actually entering it as it's only big enough to hold your phone). A small faraday bag is available for ~20 on Amazon.

>They can do this at any time.

You can decide when you get updates and when you want to allow yourself to be tracked by whatever corporations, governments, and other actors that seek to track your movements. It's a false paradigm to suggest (like most people on this thread are doing) that you have no choice but to allow yourself to be tracked 24/7 or to go without a communication device. Keep your phone in a small shielded bag, remove it when you want to make calls, check your messages and are willing to divulge your location - its not rocket science.

You can decide when you get update

Assuming the cage works perfectly (taking out the battery if possible seems a safer bet), the only thing you actually decide is when you get it out of the cage to use the device. However at that point the device can communicate and you cannot stop it from doing whatever it wants to. In other words: you decide you want to call, and if the thing decides it wants to update it might also do it at that point.

> Bag not cage

Great, get a big bag then.

As long as you use the phone they have the chance to access the sim card and be able to upload and run any code.

A SIM card generally holds somewhere along 32 to 128 kb, most of which empty and used to store user contacts.

That's a bit like saying "most of the space of a smartphone's persistent storage is empty and otherwise used to store photos and videos" when talking about smartphone operating systems and their security.

There is nothing technically stop the carrier putting more memory on the SIM card.

They are ordered from the manufacturer (idemia,thales/gemalto,oberture) with speficied memory size depending on what capabilities are needed.

The big iffy is that manufacturers were compromised (by the US afaik) in 2015 and all cards from then or earlier should be considered compromised.

Few carriers encrypted their OTA-keys before then. I know that some carriers did not send encrypted keys to manufacturers still in 2018.

It’s even a microcontroller that emulates the original SIM, so it can have whatever specs they want.

What do you mean by "original SIM"? As far as I know, SIM cards have always been specified in functional terms, so vendors were always free to implement them whatever hardware and software they choose, as long as the result complies to ISO-7816 and the relevant ETSI/3GPP specifications.

Today, it's mostly Java Card implementations, meaning that the ISA and smartphone OS/runtime is abstracted away in any case.

This is true. AFAIK SIMs are based on an ISO 7816 smartcard with some additional features, and the former are definitely in that size range.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact