If they can make SIMs more secure in the meantime, that's a win, and a very important one.
Improve the things you have control over rather than just bemoaning the things you don't.
True, and even highly sensitive Govt. services authentication for citizens in some large countries depends upon SMS-based 2FA. Although the CF article is focused on corporate infrastructure security, and I doubt if any of the 'Fortune 1000' companies mentioned actually still use SMS 2FA, CF is trying to block the phishing URL from being resolved and SIM-swap.
Meanwhile, as a concerned individual, since SMS 2FA is not dying soon, I would wish at least some mechanism is brought forth to prevent the underpaid, overworked personnel at the carrier from being able to access that 2FA SMS and aiding in SIM-swapping.
I believe that's exactly the point the grandparent comment was addressing when they said "we stop using SIM for authentication". The "we" wasn't necessarily referring to users, but to services and providers currently using SIM 2FA in their products.
And there are always also many services where you can rent non-VoIP numbers for a single SMS for pennies.
If paying $0.05 is a form of security we could just charge for registrations as well.
I have an AT&T number ported to Google Voice which works perfectly. But another native Google Voice number does not.
The SIM authenticates you to the mobile network which is free to tamper with your traffic. Considering the "security" of the equipment in there, as well as the incentives of the people working there and the general level of skill and development practices in there, I wouldn't trust it at all.
The only way this would be secure is if the SIM/eSIM is able to embed an actual client certificate which the mobile device can then use to initiate a VPN connection to Cloudflare, but this would also require the eSIM to not be able to be tampered with by the issuing carrier, otherwise they could potentially push an update to extract the keys or have it sign malicious requests in the background.
It's more about employees visiting phishing sites on their phone. Or their phone getting hacked exposing mail correspondence, or 2FA getting hacked etc.
In the way it's presented it's still the wrong solution IMHO.
If security matters and the work requires a phone, do not allow BYOD. Provide a phone. For such a phone this might be an okay solution, not for a private phone. If a phone isn't strictly required, remove phones completely and strictly out of the loop. This is beneficial both for security, in more ways than this SIM service provides, and for the mental health of your employees. Make it clear that even if they are called because of a work emergency they are contractually bound not to process it on the phone but instead switch to an employer-provided device, no matter who calls and which situation it is. PS: Also fire any manager or even the CTO who tries to pressure employees into not keeping the rule; make it an automatic firing through a contract clause.
1. Phones are an important attack vector to consider
2. We should be using strong 2FA à la FIDO2
Given that phones can act as FIDO2, I think that only strengthens (1).
Even if a phone isn't used for 2FA, it still is likely to have access to company resources - Slack, email, non-2FA text messages, etc.
The attacks on SIM cards are not on the SIM itself, but by the carrier binding your identity to a different card. A function they must perform at least sometimes! If you lost your yubikey, I'm sure you want your replacement to be able to activate your cell phone.
That's just nonsense. You need to explain what you mean by that, because otherwise you sound like someone who doesn't know what they are talking about. If you mean SIM swap attack, then that's basically 'social engineering' with the help of identity theft targeting providers and has nothing to do with SIM cards themselves.
But it sounds like it is too late for this. It's like people who oppose cash payments out of the convenience of card/app payments. This small chipping away of a small liberty adds up.
I hope everyone knows that you can't as a layman register an email address or any meaningful service you depend on without a phone number (i.e.: a SIM), that is what is being regulated here even more.
You can travel to a different country, find your data is crap because reasons -- either they're not roaming well (hello EDGE on a cheap out-of-country provider), or you've travelled to Switzerland and data now costs 7.13 EUR/MB. (yeah, a car/GB)
So you pay for an eSIM from an MVNO, get a QR code, install, and you're good to go in 5 minutes from any network connection. Nothing physical required. And your normal number is still there for incoming calls/texts, because all the eSIM phones I've seen have at least two slots (or one + physical SIM).
Of course, you've got to have an unlocked phone. But you wanted that anyway.
The problem of course is that Fi is U.S. based which brings a few extra headaches with it for people who want the service but are based overseas, or for expats living abroad for a long period of time.
Note: I also have some VoIP apps on my phone giving me a few different phone numbers on the same phone without the SIM/eSIM mess. But these days I'm finding I'm more or less just making voice calls over apps anyway, meaning I'm using voice service less and less.
Last time I was abroad, I set up an eSIM while I was waiting at baggage claim, so I had service on my multihour train connection.
I just arrived here in Panama and got a local SIM for $5/week from a grocery store. The eSIM options were 2x this price and required installing special apps.
I bought the eSIM at the airport, while waiting for my bags.
Physical SIMs require no network access at all: as a matter of fact, acquiring a SIM may be a prerequisite of getting a network connection in a foreign country.
When you're traveling and don't want to plan weeks ahead, your options with physical SIMs typically were either
1) special roaming-oriented SIM cards from your local country (which were still a massive hassle and had to be ordered days in advance to allow for delivery),
2) getting a SIM in the destination country (hassle and might not always be possible)
3) very expensive offerings from your own provider, if they even had something better than the aforementioned car-per-GB rates.
Now, you can get an eSIM from an MVNO that's from a third country, before travel or from the airport/hotel WiFi, usually also bypassing any bureaucratic bullshit that the destination country imposes on getting a local SIM.
And these "travel eSIMs" are often cheaper than local offerings even for use in your home country.
T-mobile includes 5GB / month of full speed international roaming in virtually any country in the world. (15 GB for $50 after it).
Getting a new local eSIM does not scale when you visit multiple countries or areas in a jurisdiction which require a ton of documentation (including a local address or contact they can verify). Even then, it’s complicated.
For example, just this year I learnt that a local Indian eSIM (pre-paid) will not work in the state of Kashmir in India or parts of Xinjiang in China.
1. This problem can exist with real SIMs too. Back many years ago Verizon used to lock your SIM to a specific IMEI and you had to call them to change it (they might have even charged a fee for changing it, I don't remember for sure?)
2. Nothing prevents a phone company from offering an anonymized eSIM.
Anonymous phone numbers are drying up, but not because of eSIMs.
And just because nothing prevents a phone company from offering them, doesn’t mean they will. Having the ability to just move a SIM card is very pro-consumer in a way I don’t think esims will ever be (unless the EU regulates it).
1. The eSIM standard supports transferring an eSIM profile from one phone to another. Physical SIMs can be tied to specific IMEIs (and it used to be VERY common).
2. You can use eSIMs on unlocked phones.
3. Burner phones can still exist! Nothing prevents a phone company or MVNO from offering eSIMs the same way they did SIMs before (obviously local law might force you to provide ID, but this has been the case with SIMs as well in various countries).
Source? The only implementation I know of is on iOS, which allows you to transfer eSIMs between phones that are on the same iCloud account. For every other phone the solution was to get a new QR code from the provider.
With eSIM I can just push a new configuration.
If it's easy for you, it's easier for whoever has backdoor access.
I am not sure whether carriers here offer prepaid eSIMs though.
In the Netherlands, for example, you can obtain a new SIM card or port number to another NL carrier. KPN uses the PUK code to verify ownership, which I think is great and has the least amount of hassle if you have written down the PUK code that was printed on the SIM package when you first bought it. The downside is that you cannot change the PUK codes.
If you travel a lot, you just buy a prepaid SIM card in whatever country you're in, and put it in a phone, then leave the country, take the SIM out and use another SIM in that country. Some new phones (notably the new iPhone, US version) don't even have a SIM card slot anymore.
Because eSIMs had not been invented yet? You say it like it was a conscious decision…
> You can't just pick up a random unlocked phone and put a sim in it
True, but you will be able to pick a random unlocked eSIM-capable phone and transfer your eSIM to it via Bluetooth. I believe Apple already announced this feature coming to iPhone; all other vendors will follow. No need to contact the SP anymore.
> I have been in situations where I changed SIM between phones multiple times a day.
Can I ask what the use case is? I believe this will continue to be possible with the “transfer eSIM over Bluetooth” method I mentioned above.
>It's like people who oppose cash payments out of the convenience of card/app payments.
Totally agree on this; laziness or the continued pursuit of convenience is the end of privacy, maybe even democracy.
>you can't as a layman register an email address or any meaningful service you depend on without a phone number
mailbox.org, posteo.de… there are lots of email services not requiring a SIM. They even allow you to pay cash via postal service =)
Well it wasn't that long ago, 95% of HN comments were all for Digital Payment, Apple Pay, and Cashless Society. Things only changed around ~2019.
I think it is not just HN; society itself has devolved and is going into the toilet. Or it could just be that I have changed, but that's easily litmus-tested by just reading old threads which I still agree with (pre-2019).
Regarding physical stuff, just the other day people loved the idea of QR codes in restaurants with no opposition to the totalitarian digital state we're slowly building. Same goes with security cameras, cashless payments, parking apps, eSIM, covid QR codes, etc.
QR codes are extensively used in China for tracking people everywhere.
You can open a Gmail account from a residential IP address and get the phone number field as optional.
In typical Apple asshole fashion, in China you can buy an iPhone which takes two SIMs; in the US - zero. Talk about carrier lock-in and Apple helping it.
I just finished telling a woman how she should be careful on dating apps and always use an anonymous SIM card, never give out her real number, or real contacts, to strangers.
But my country is making this impossible now too, and the reason is drug dealers using them for burner phones of course.
Was it easy? Hell no, but it's still possible. (It's just for Search Console and technical stuff, never using it for my personal data)
And the phone number trend is so annoying, and it's made to force you to hand over something rare and difficult to change.
Want to order something from any carrier or an online shop without a phone number? Good luck
The spread of standardised time and clocks had a significant negative impact on individual liberty, and people would even sabotage clocks. They failed of course, as will the opposition against the cashless society, because cash is so much worse in most aspects.
If it's something you care a lot about, rather than going the way of the Luddites and opposing eSIM and electronic payments I would suggest focusing on using technology to find new solutions to the privacy/liberty problems.
Well, yeah, cards are radically more convenient. And this eSIM also looks like it solves real problems. People want to solve real problems. Until "my eSIM provider won't let me register for email" (or something? I'm guessing that that's what you're saying is a problem) or "I have no physical SIM to swap into another device, and for some reason I care about that" are bigger problems no one is going to optimize for that.
Solutions like this will increase confusion and fragment the already 'interpretation led' as opposed to definition led ZT landscape.
ZT / BeyondCorp benefits from multiple layers of security, not the hard exterior and crunchy interior approach of VPNs, and this solution from cloudflare is aligned with that.
No thanks. What is "work-related" and what isn't? I see huge privacy implications here. If my company wants to install this potential spyware on my phone then they should just offer a separate phone. Personally, I don't mind carrying it if I'm "on-call" one week out of the month or whatever.
Otherwise, I agree: give me a work phone if you want to snoop on it, otherwise please just text or call me on my personal.
My current company pays partly for my phone (like half?) and doesn't expect anything in return; they just wanted to make sure that if I used it to make calls for work I was paid for that (I never do anyway).
My personal preference is expensing a phone bill. That way I maintain billing control and just save some money. Or a company phone, but I've yet to have that offered to me.
Yeah, this is a pretty impressive technical solution to a problem created by the company. “We’re too cheap to buy equipment for our employees to use, so instead we need to spy on all of your personal data.”
I know there are economics, control, tracking, or whatever at play. Regardless, I think the phone should have a SIM slot and it should ALSO have eSIM functionality.
I can almost guarantee the reason they're pushing for eSIM is because it's cheaper to manufacture a phone without a milled out slot with water sealant lining, little switch to pop out the SIM deck, etc.
Can we all not agree that the real "enemy" here is the corporations taking away your options? If we were really thinking about the consumer here, we'd be ensuring you had access to both technologies to ensure your phone is robust and capable of working on any network regardless of their SIM requirements.
Maybe this is crazy talk though. Maybe eSIM is so amazing, old SIM doesn't even matter anymore, but I can't help but feel like I'm right here, because having both quite literally appeases everyone except rich corpos trying to save a buck.
That's precisely it, it's just that Apple et al. don't need to explain their reasoning to sell phones. They never have an official reason for removing the headphone jack, but their COGS is definitely lower.
https://en.wikipedia.org/wiki/Room_641A
Edit: whoops. Let me be clear that I'm a big fan of Cloudflare! That's just where my brain wanders sometimes.
I'm not. They're one of the biggest vectors for the centralization of the entire internet. You're right to be critical of every single thing they do.
So my employer can log all of my network traffic metadata, but I can take their word for it that they have some setting set that it only logs hits on their deny list that they are filtering my private internet usage with? CloudFlare needs to give more power to employees here to make sure that employers are completely unable to monitor any traffic that doesn't go to their networks. The abuse potential for this in its current form is gigantic.
Phone service is cheap. Get your own.
See also: Email.
To top it off, even just logging blocked content can be a major invasion of privacy, as things like union sites and similar are sneaked onto block lists all the time.
The advantages of this that I see is better/easier management, you deal with a nice web interface/API and (if needed) competent customer support people rather than monkeys.
Putting aside that it's not clear whether it can be configured to do so or always does so, and whether the employee has any way to know if it is configured to log only blocked content or log everything, it's still a no-go.
The thing is that content which is fully legal and no-risk is fed all the time into block lists and phishing protection to make it less accessible.
For example, the CCC ticket selling site was frequently "somehow" in the minor protection DNS filter enabled by default by all UK ISPs...
You can be pretty sure that union and employee-rights-protection related sites will "somehow" end up in the filter, and not only will that bar the employee from realizing their information need/rights, it will also show up in the log accessible to the employer.
Then you probably can configure the "protection". How long will it take to be possible to enable blocking of adult content or similar? This would lead to potentially indirectly exposing employees' sex-related preferences to the employer, or religion, or ...
Trying to pretend this system is not incredibly invasive to employees' privacy is hypocrisy and puts a pretty bad light on Cloudflare. I mean they could say it's less invasive than many other existing methods, I guess that might be right, but that doesn't mean it's okay at all.
In the end, trying to marry BYOD with security is just nonsense. If the work tasks need a phone then provide a phone to the employee (which could use this system). If you only worry about 2FA, use HSKs. Remove phones from any security-related procedure; that is anyway recommended for other reasons like SIM hijacking. Then don't require or allow employees to install anything which could be used as an attack vector on their private phone: no Slack, no Teams, no nothing. If there is an emergency you can call them and tell them to use their employer-provided device, it's that simple.
I thought a sim swap attack is carried out by asking the operator to reissue a sim card, and getting it done via a failure of identity verification or a collaborator working at the operator. What is to stop just requesting the re-issue of an eSIM to a new device in the same way?
And of course, it will be dismissed with a "you're just paranoid" pat on the back until, inevitably, and predictably, they weaponize it (with the back-patters being nowhere to be found).
Also, I'd like to be able to use your DNS and NextDNS's one -- I love your security, but (particularly on mobile where I pay per byte for data!) I love that NextDNS blocks tons of ads and trackers. So much less data downloaded. So much faster internet. So much nicer too.
Thanks for doing CloudFlare! I use it for my websites, would be cool to know it's (deeply) protecting my phone too.
Intellectuals understand what happened with the censorship incident on both sides of the argument, but both agree that trust is one of those things that builds over time and is difficult to achieve. IMO a company such as Cloudflare needs to build trust through an extreme sense of stability and guarantee. The rule book needs to be super explicit with zero ambiguity, written with a precision pencil, not a spray can.
So what I don't really get is, what is the actual advantage? And besides, Cloudflare will have to run as an MVNO if they're rolling their own SIM cards / eSIM keys, which almost always means lower quality of service in congested network areas - there is no requirement for equal treatment of MVNOs I'm aware of, and even here in the EU you can clearly see that providers discriminate even between premium post-paid contracts and pre-paid contracts. Switching from Telekom's own MVNO Congstar to Telekom proper was night and day.
For private phone contracts, we should kick the arses of our politicians and the regulatory agencies to finally do their job.
It looks like it’s Cloudflare’s MVNO eSIM. What’s zero trust about it?
> Mitigating common SIM attacks: an eSIM-first approach allows us to prevent SIM-swapping or cloning attacks, and by locking SIMs to individual employee devices, bring the same protections to physical SIMs.
> Enabling secure, identity-based private connectivity to cloud services, on-premise infrastructure and even other devices (think: fleets of IoT devices) via Magic WAN. Each SIM can be strongly tied to a specific employee, and treated as an identity signal in conjunction with other device posture signals already supported by WARP.
How many phones other than iPhone, Pixel, and (very recent) Galaxy S/Z have eSIM? There aren't that many cellular IoT boards that support swappable eSIM either (some boards say eSIM, but what they mean is that the IoT vendor's SIM is soldered onto the board - thus "embedded SIM"- not that you're allowed to load eSIM of your choice).
VPN in the sense that it's private and secure, no - the carrier has full access to the traffic.
(that's not a dig at Cloudflare, it is a shortcoming of the mobile protocols - the network has to have access to the traffic by design)
So if you're mingling your personal data along with any sort of company data, or data that belongs to an organization that's outside your family unit, and said data is physically inseparable, then prepare to lose big in the future. You'll kiss all your backups goodbye, no matter where they're stored or how you've encrypted them.
Of course this may also apply if you've got a company-provided device (COPE) or one running MDM, and it's stolen or lost. When you report back to the company that their data's in the wind, they're going to remote-wipe and remote-brick that device, so again, kiss your personal data bye-bye.
Best practice going forward is to purchase separate devices (especially mass storage) for each individual purpose and meticulously separate out company data from personal stuff.
It never pays to mingle business with pleasure, or business with personal, and I think this liability issue is something that's a well-kept secret by companies who wish to encourage workers to BYOD and downplay the repercussions, although rare, that could put those workers into a world of hurt.
This also permits leaving the work device at work where it belongs.
- Can keep the device for work in a secure place, never have to look for it
- Can call my personal phone when I have to look for that :)
- Separate address books
- Do whatever I like with my personal phone, no worries about it affecting business
- Easy to "turn off" work
All I want is to know when and where my next meeting is, without going back to my desk.
If I accept a company phone, I have to let everyone in the company have the number, and they might start calling me.
And it'll probably be some shitty $50 Android phone - a company phone isn't some huge perk or status symbol, like it might have been in 1995.
It'd be tempting to just type the password in on my personal phone.
> "Anonymous eSIM
> Get global mobile 4G/5G Internet access and burner phone numbers instantly and privately on any modern eSIM-compatible smartphone.
> Pay as you go international roaming in 200+ countries
> Worldwide coverage at low prices
> pay with bitcoin or lightning"

I'm just a user. I use it at times. It works well and prices are ok.
Please consider not doing BYOD for company business.
Quick summary of IMHO, from some companies where I've defined or advised on infosec policy...
From the employer side, BYOD is bad for security and liability. From the employee side, BYOD is bad for privacy&security.
Regarding employees' personal info on BYOD (since it's a less familiar concern than a company protecting IP and operations)... Whether or not there's MDM, it's a big problem for employee and company when the security team needs to investigate an incident, or when legal proceedings mandate that a forensics expert clone/search a device, and that bumps into personal info. (Personal info revealed can include private personal conversations, intimate photos/videos of employee and partners, job searching, medical information, non-public sex/gender/etc. identity, protected classes for discrimination, Web history, etc., to possibly the company or some outsiders.) Also a big problem if the company needs to wipe or lock a device to secure IP, and that would wipe personal data or lock the employee out of it.
No work on personal devices. No personal on work devices. Being strict about this from the start is to everyone's benefit (before complicating practices set in, the wrong services are bought/deployed, etc.).
For employees who actually need to carry smartphones for business (e.g., executives, marketing, sales, other non-engineers), the company should issue devices with plans, to be used exclusively for business.
For work calls for people who don't get issued company smartphones, use a service from the work laptop.
For rare alerting eng/ops/etc. in the off-hours, when they don't have a company-issued smartphone, alerting can be to a personal device, but the alert should convey no info other than what is the urgency to get to the company laptop.
Also a possible side work/life balance benefit of strict work and personal separation on devices, especially with WFH/hybrid and carrying a laptop home: without work on personal devices, an employee can just physically put the work device(s) in a drawer/bag for the evening, and call work over for the day, or until they're ready to take it out. (No associating their personal devices with work, no interrupting with work off-hours while people are recharging and with family, no trying to use unreliable software settings correctly to suppress work messages at some times and not others, etc.)
TL;DR in order to provision an eSIM to live inside the eUICC (secure element inside phone); as per GSMA standards your eSIM HAS to have a key signed by a SOLE CA determined by the GSMA and the incumbent billion dollar telco industry cartel!!! With a SIM-card you have the freedom to connect to any network you want including those that aren't inside the realm of:
"Only eUICC manufacturers, and SM-SR and SM-DP hosting organisations that have successfully been accredited by the GSMA SAS can apply for the necessary certificates from the GSMA Certificate Issuer to participate in the GSMA approved ecosystem."
Please push back on this draconian nonsense as a whole people!!!
eSIM Whitepaper: https://www.gsma.com/esim/wp-content/uploads/2018/06/eSIM-Wh...
Furthermore, "reject TLS certificates" implies rejecting a useful security mechanism as a whole... eSIM provides no further security mechanism over a [p]SIM as far as LTE/5G security goes, i.e. MILENAGE etc. The only added security of an eSIM is that it adds security to big telcos' subscriber revenue and makes them sticky as providers. It's a big telco cartel, and if you ain't in it you're dependent on them at the very least.
TLDR: this will lock a corporate SIM to a device and then connect the device to the perimeterless corporate network.
With the huge caveat that the carrier can still see all the traffic and reissue the "trusted" eSIM to a different device and take over this data connection.