This talk at Chaos Communications Camp 2023 is probably everything you want to know about eSIM technology, in just under an hour. And it’s surprisingly complicated. If you’ve never dug into SIMs before, you should check out our intro to eSIMs first to get your feet wet, but once you’re done, come back and watch [LaForge]’s talk.
In short, the “e” stands for “embedded”, and the eSIM is a self-contained computer that virtualises everything that goes on inside your plain-old SIM card and more. All of the secrets that used to be in a SIM card are stored as data on an eSIM. This flexibility means that there are three different types of eSIM, for machine-to-machine, consumer, and IoT purposes. Because the secret data inside the eSIM is in the end just data, it needs to be cryptographically signed, and the relevant difference between the three flavors boils down to three different chains of trust.
Whichever eSIM you use, it has to be signed by the GSM Alliance at the end of the day, and that takes up the bulk of the talk time in the end, and in the excellent Q&A period at the end where the hackers who’ve obviously been listening hard start trying to poke holes in the authentication chain. If you’re into device security, or telephony, or both, this talk will open your eyes to a whole new, tremendously complex, playground.