Do you use the SIM PIN in M2M?


#1

Is the SIM PIN an effective, practical way to protect the SIM :question:

Or are the “logistics” of managing PINs more trouble that they’re worth :question:

(I’m generally of the latter opinion).


#2

We remove PIN from SIM in our devices. But there were problems with people removing the SIM from the device and spending money from it.


#3

Yes, that would be a (the?) reason to consider using the PIN.

My question is: are the issues involved in managing SIM PINs worth it relative to the possible losses from “mis-use” of the SIM?

I guess the issue only really arises if you use “consumer” SIMs - dedicated M2M (data-only) SIMs could be managed directly?


#4

Do I take it that means that you find the hassle of managing PINs “costs” more than the likely losses?


#5

Well, yes. It was easier from the begining. Device was able to work with every SIM (with PIN removed) without extra actions. And I don’t know if the problem of SIM misuse was actually regarded :slight_smile:


#6

I would probably go for an entry-level protection based on a consistent rule (other than “no PIN”) for ease of management,

eg. use the same PIN for all units. Not going to stop anybody in the factory but would probably stop casual misuse

or use the last four digits of the IMEI (assuming you can get that without the PIN) so your code can always look up the PIN, which kindof node-locks your SIM. Not foolproof but enough to discourage 99%.


#7

I don’t think that would be worthwhile because, once one is “cracked” they are all “cracked” - then you might as well have saved yourself the hassle of SIMs in the first place.

It’s amazing how quickly these things, once discovered, make their way onto the internet…


#8

well, if they want to find out, they always will.
as long as your device has no physical protection against someone accessing the sim communication lines, they can always just read-out the pin you’re using?

although the in-sim technology might be a solution against sim-use?
since there would be no sim to remove anymore.


#9

We use a SIM pin based on an encrypted version the SIM serial number. This way, we just include the encryption algorithm in all our products, and don’t have to worry about remembering the pin codes of every SIM. Obviously if the encryption algorithm got out, the security would be compromised, but this is a much smaller risk.


#10

Does that mean that you have to program the SIMs with their PIN before inserting into your product?

Or, does the product detect a SIM with no PIN, and then apply the computed PIN?

A problem with the latter approach is that it would make the common “try the SIM in a phone” and “try a phone SIM in the unit” tests impossible…


#11

Yeah, we have a semi-automated jig that programs the PINs into each SIM. The end units are programmed to work with SIMs with and without PINs. We are really just trying to stop people stealing activated SIMs and racking up giant bills with expensive calls before we can cancel them. It is a bit of a mission, but we don’t know of any other alternatives to protect our SIMs.