Ian Marsden

Founder & CTO


Soft SIM, also known as virtual SIM or software SIM, is an entirely software-based method of storing subscriber identity information and presenting it to modems.

The GSMA defines Soft SIM as a ‘collection of software applications and data that perform all the functionality of a SIM card but does not reside in any kind of secure data storage. Instead, it would be stored in the memory and processor of the communications device itself (i.e., there would be no SIM hardware layer).’

A Soft SIM is delivered over the air as a pure software component, then stored and executed directly in the cellular device's memory and microcontroller.

This information is stored in the device memory, so it is more vulnerable to hacking, which, if successful, could lead to the theft of personal information and damage a telecom’s brand trust. At present, Soft SIM is neither a standardised solution in the industry nor a format approved by the GSMA.

The GSMA has not approved the industry standardisation of Soft SIM and that makes it a risk for organisations looking to develop and deploy IoT.

Because it has not been approved by a known regulatory body, it is not subject to regulation or held to industry standards. Furthermore, without regulatory body assurance, the technology may present interoperability challenges due to different implementation approaches. Soft SIM is an emerging early-stage technology but without being defined by regulations and standards, it will fail to reach mass adoption like the eSIM and iSIM.

With this in mind, organisations should be cautious before investing in this technology and weigh up whether it is right for their IoT business case or if other regulatory approved technologies can offer comparable performance benefits.

Since a Soft SIM is an algorithm running on the microcontroller, using a file set to provide the identity and the unique security keys for that identity, it will always be possible to change the data through a firmware update using either local reprogramming or downloading a new firmware image over the air.

With Soft SIMs, the identity and security keys are provided by a file set run on the microcontroller, so the data can always be changed with firmware updates, either by local reprogramming or by downloading a new firmware image over-the-air.

This can present problems. Remote SIM provisioning (RSP) is a protocol outlined by the GSMA for downloading SIM profiles. As Soft SIM is not regulated, remote SIM provisioning standards are not upheld, and security risks are heightened. Process data files should be unique and used once because they contain the credentials that the device uses to authenticate the MNO. With Soft SIM, the way the information is logged, shared and used is put in jeopardy when the GSM protocol is not adhered to.
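An added example, not code from this article or from any GSMA specification: a provisioning-side ledger that enforces the rule above that each data file is unique and used once, and flags a file presented by a second device. The class, verdict names, device IDs and ICCID values are constructed for illustration and do not model the RSP protocol itself.

```python
from dataclasses import dataclass, field


@dataclass
class ProfileLedger:
    """Tracks which profile files exist and which device consumed each one."""
    available: set = field(default_factory=set)   # registered, not yet downloaded
    issued: dict = field(default_factory=dict)    # iccid -> device that downloaded it

    def register(self, iccid):
        # Uniqueness: the same profile may never be generated or loaded twice.
        if iccid in self.available or iccid in self.issued:
            raise ValueError(f"duplicate profile {iccid}")
        self.available.add(iccid)

    def download(self, iccid, device_id):
        # Single use: once consumed, any further request is refused and classified.
        if iccid in self.issued:
            same = self.issued[iccid] == device_id
            return "REPLAY_SAME_DEVICE" if same else "CLONE_ATTEMPT"
        if iccid not in self.available:
            return "UNKNOWN_PROFILE"
        self.available.remove(iccid)
        self.issued[iccid] = device_id
        return "ISSUED"


def audit(events, profiles):
    """Replay (device_id, iccid) download requests and return a verdict per request."""
    ledger = ProfileLedger()
    for iccid in profiles:
        ledger.register(iccid)
    return [(dev, iccid, ledger.download(iccid, dev)) for dev, iccid in events]


# Constructed sample data (hypothetical ICCIDs and device names).
PROFILES = ["8944000000000000001", "8944000000000000002"]
EVENTS = [
    ("dev-A", "8944000000000000001"),
    ("dev-B", "8944000000000000002"),
    ("dev-A", "8944000000000000001"),  # same device requests its profile again
    ("dev-C", "8944000000000000002"),  # a second device presents dev-B's profile
    ("dev-D", "8944000000000000009"),  # profile that was never registered
]

if __name__ == "__main__":
    for row in audit(EVENTS, PROFILES):
        print(row)
```
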

Oftentimes the most valuable aspect of IoT is the data it collects. Soft SIM puts that data at risk.

The GSMA put that plainly in their Understanding SIM Evolution paper: “Any SIM approach not based on a certified hardware and software secure element would be subject to continual attack by the hacking community and, if compromised, would result in a serious loss of customer confidence in the security of operator systems. There is greater security when there are two elements providing security, hardware, and software, both providing protection.”

Both operators and enterprises should beware of the threats inherent in Soft SIM technology. Tier 1 operators are acutely aware of this risk and rarely enable their operators this way for that reason.

To identify the subscriber, soft SIM can be supplied as a file with the unique security and identity information enclosed. For users, this may be more convenient and promote easier device configuration.

The use of Soft SIM allows manufacturers to simplify supply chain processes as they can replace the need to physically handle and distribute SIM cards with a programming step during production.

For any connected device to deliver on its promise, it must have access to a secure, reliable connection. Are you looking to produce and deploy IoT devices but not sure which connectivity solution you need?

Our article, “Cellular IoT Connectivity: What Business Leaders Need to Know” provides valuable insights for achieving success in cellular IoT. It covers topics such as selecting the optimal network, maximising coverage and uptime, and addressing connectivity design considerations for your device.

Ian has a passion for developing technology-based solutions that deliver real improvements to businesses, the environment and quality of life.

Previously he co-founded CompXs to deliver the world’s first ZigBee design. Prior to CompXs, Ian held senior software leadership roles at Philips and has since spearheaded the ground-breaking innovation of our global AnyNet Secure cellular solution.
