from Hacker News

Zero Trust SIM

by aofeisheng on 9/26/22, 1:14 PM with 276 comments

  • by mikece on 9/26/22, 1:47 PM

    Great implementation of the wrong solution. The problem isn't that SIM security is weak but it's that we're using SIM/eSIM for identification and authorization in the first place. When we stop using SIM for authentication the need to guard against SIM Swap attacks goes away as well.

  • by badrabbit on 9/26/22, 2:13 PM

    Why is there no opposition to this shit? SIMs were physical for a reason. As a consumer what do you get out of it? You have to go through the carriers to switch between phones now! You can't just pick up a random unlocked phone and put a sim in it. No more burner phones. I have been in situations where I changed SIM between phones multiple times a day.

    But it sounds like it is too late for this. It's like people who oppose cash payments out of the convenience of card/app payments. This small chipping away of a small libery adds up.

    I hope eveyone knows that you can't as a layman register an email address or any meaningful service you depend on without a phone number (i.e.: a sim), that is what is being regulated here even more.

  • by zzz95 on 9/26/22, 10:31 PM

    How is this even Zero Trust. Admittedly, there is no precise definition for ZT, but Cloudflare's solution seems to run counter to the idea of perimeter-less ZT philosophy. Instead of assuming that phones can be insecure and developing appropriate crypto based mechanisms, Cloudflare is proposing to bring the phone inside a 'trusted' network. Remember, ZT does not rely on trusted network.

    Solutions like this will increase confusion and fragment the already 'interpretation led' as opposed to definition led ZT landscape.

  • by yellow_lead on 9/26/22, 4:23 PM

    > What if employers could offer their employees a deal: we'll cover your monthly data costs if you agree to let us direct your work-related traffic through a network that has Zero Trust protections built right in?

    No thanks..What is "work-related" and what isn't? I see huge privacy implications here. If my company wants to install this potential-spyware on my phone then they should just offer a separate phone. Personally, I don't mind carrying it if I'm "on-call" one week out of the month or whatever.

  • by wilde on 9/26/22, 4:57 PM

    > And all this is before you add in the further complication of Bring Your Own Device (BYOD) that more employees are using — you’re trying to deploy Zero Trust on a device that doesn’t belong to the company.

    Yeah, this is a pretty impressive technical solution to a problem created by the company. “We’re too cheap to buy equipment for our employees to use, so instead we need to spy on all of your personal data.”

  • by softfalcon on 9/26/22, 6:01 PM

    I'm seeing a lot of people advocating for either eSIM or standard SIM slot. I feel like the real question should be "why not both?"

    I know there are economics, control, tracking, or whatever at play. Regardless, I think the phone should have a SIM slot and it should ALSO have eSIM functionality.

    I can almost guarantee the reason they're pushing for eSIM is because it's cheaper to manufacture a phone without a milled out slot with water sealant lining, little switch to pop out the SIM deck, etc.

    Can we all not agree that the real "enemy" here is the corporations taking away your options? If we were really thinking about the consumer here, we'd be ensuring you had access to both technologies to ensure your phone is robust and capable of working on any network regardless of their SIM requirements.

    Maybe this is crazy talk though. Maybe eSIM is so amazing, old SIM doesn't even matter anymore, but I can't help but feel like I'm right here, because having both quite literally appeases everyone except rich corpo's trying to save a buck.

  • by greenie_beans on 9/26/22, 2:22 PM

    I can't help but think of Room 641A every time they announce a new project where they're like "we'll take care of it by directing your traffic through our network"

    https://en.wikipedia.org/wiki/Room_641A

    edit: whoops. let me be clear that i'm a big fan of cloudflare! that's just where my brain wanders sometimes

  • by jupp0r on 9/26/22, 3:23 PM

    "We have sophisticated logging set up as part of Cloudflare One, and this will extend to Cloudflare SIM. Today, Cloudflare One can be explicitly configured to log only the resources it blocks — the threats it’s protecting employees from — without logging every domain visited beyond that."

    So my employer can log all of my network traffic metadata, but I can take their word for it that they have some setting set that it only logs hits on their deny list that they are filtering my private internet usage with? CloudFlare needs to give more power to employees here to make sure that employers are completely unable to monitor any traffic that doesn't go to their networks. The abuse potential for this in its current form is gigantic.

  • by lxgr on 9/26/22, 3:45 PM

    What's the advantage of using this vs. installing a mandatory VPN via an MDM profile? For mobile data, the outcome seems to be identical, but it would also work for Wi-Fi.

  • by dathinab on 9/26/22, 10:26 PM

    > [..] logs only what it blogs

    putting aside that it's not clear weather it can be configured to do so or always does so and if the employee has any way to know if it is configured to log only blocked content or log everything its still a no-go

    the things is that content which is fully legal no-risk is feed all the time into block list and fishing protection to make it less accessible

    for example the CCC ticket selling side was frequently "somehow" in the minor protection DNS filter enabled by default by all UK ISPs...

    you can be pretty sure that union and employer right protection related sites will "somehow" end up in the filter and not only will that bar the employee from realizing their information need/rights, it will also show up in the log accessible to the employer

    then you probably can configure the "protection". How long will it take to be possible to enable blocking of adult-content or similar? This would lead to a potential indirectly exposing of employee sex related preferences to the employer, or religion, or ...

    Trying to pretend this system is not incredible invasive to employees privacy is hypocrisy and puts a pretty bad light on cloudflair. I mean they could say it's less invasive then many other existing methods, I guess that might be right, but that doesn't mean it's okay at all.

    In the end trying to marry BYOD with security is just nonsense. If the work tasks need a phone then provide a phone to the employee (which could use this system). If you only worry about 2FA use HSKs. Remove phones out of any security related procedure, that is anyway recommended for other reasons like SIM-hijacking. Then don't require or allow employees to install anything which could be used as a attack vector on their private phone, no slack, no teams no nothing. If there is an emergency you can call them and tell them to use their employer provided device, it's that simple.

  • by totetsu on 9/27/22, 3:56 AM

    > Mitigating common SIM attacks: an eSIM-first approach allows us to prevent SIM-swapping or cloning attacks, and by locking SIMs to individual employee devices, bring the same protections to physical SIMs.

    I thought a sim swap attack is carried out by asking the operator to reissue a sim card, and getting it done via a failure of identity verification or a collaborator working at the operator. What is to stop just requesting the re-issue of an eSIM to a new device in the same way?

  • by lizardactivist on 9/26/22, 3:20 PM

    You can say that again. Zero trust that Cloudflare, the largest man-in-the-middle of the Internet which began its life as a CIA honeypot, will not abuse this.

  • by nanankcornering on 9/26/22, 1:18 PM

    Please make this product available for non-enterprises too (at a cost, of course.) @jgrahamc @eastdakota

  • by mschuster91 on 9/26/22, 2:07 PM

    The only attack this is preventing is corrupt or confused mobile network customer service representatives issuing a valid SIM card to an attacker so that the attacker can intercept 2FA SMS messages, but any larger-ish company should already have a corporate phone plan with clearly established contact points to do any kind of change.

    So what I don't really get is, what is the actual advantage? And besides, Cloudflare will have to run as an MVNO if they're rolling their own SIM cards / eSIM keys, which almost always means lower quality of service in congested network areas - there is no requirement for equal treatment of MVNOs I'm aware of, and even here in the EU you can clearly see that providers discriminate even between premium post-paid contracts and pre-paid contracts. Switching from Telekom's own MVNO Congstar to Telekom proper was night and day.

  • by gigel82 on 9/26/22, 4:01 PM

    Oh, that's disappointing, I was hoping they're entering the MVNO space with a consumer offer. Instead, it's an offer for companies to further spy on their employees :(

  • by vl on 9/26/22, 5:44 PM

    I’m confused about what it is.

    It looks like it’s Cloudfare’s MVNO eSIM. What’s zero trust about it?

  • by rasz on 9/26/22, 4:46 PM

    That is a lot of text to say "trust us bro". First we gave cf decryption keys to most of https web traffic, now they want to own cellphones, for our privacy of course!

  • by bhc on 9/26/22, 5:38 PM

    >But in recent years, nearly every modern phone shipped today has an eSIM

    How many phones other than iPhone, Pixel, and (very recent) Galaxy S/Z have eSIM? There aren't that many cellular IoT boards that support swappable eSIM either (some boards say eSIM, but what they mean is that the IoT vendor's SIM is soldered onto the board - thus "embedded SIM"- not that you're allowed to load eSIM of your choice).

  • by easton on 9/26/22, 2:17 PM

    Is the idea with this that it'll be a data-only eSIM? I'm not seeing any mentions of phone service in the blog post (maybe it's just implied and I'm dumb). I think iOS and Android have support for multiple eSIMs where one is used for data service, so that would work, although I don't know if companies want to pay for everyone to have a data plan AND a SMS+phone plan.

  • by ignoramous on 9/26/22, 2:47 PM

    So, a matter of time before Cloudflare acquires https://gigs.com?

  • by jacooper on 9/26/22, 1:40 PM

    So its basically a Sim with a VPN Built in?

  • by radicaldreamer on 9/27/22, 12:17 AM

    Every one of these product launches makes me think Cloudflare is the CryptoAG of our time. There's an immense amount of centralization happening under this company under the guise of "security".

  • by formerly_proven on 9/26/22, 2:09 PM

    I honestly don't particularly get BYOD. The savings on the company side seem so marginal for a lot more uncertainty, more support issues and worse employee mental health etc.

  • by silentlinkuser on 9/26/22, 9:39 PM

    https://silent.link/ is the real 0 trust SIM:

    "Anonymous eSIM

    Get global mobile 4G/5G Internet access and burner phone numbers instantly and privately on any modern eSIM-compatible smartphone.

        Pay as you go international roaming in 200+ countries
    Worldwide coverage at low prices
    pay with bitcoin or lightning"

    I'm just a user. I use it at times. It works well and prices are ok.

  • by neilv on 9/26/22, 8:00 PM

    > By integrating Cloudflare's security capabilities at the SIM-level, teams can better secure their fleets of mobile devices, especially in a world where BYOD is the norm and no longer the exception.

    Please consider not doing BYOD for company business.

    Quick summary of IMHO, from some companies where I've defined or advised on infosec policy...

    From the employer side, BYOD is bad for security and liability. From the employee side, BYOD is bad for privacy&security.

    Regarding employee's personal info on BYOD (since it's less familiar concern than company protecting IP and operations)... Whether or not there's MDM, it's a big problem for employee and company, when security team needs to investigate an incident, or when legal proceedings mandate that forensics expert clone/search a device, and that bumps into personal info. (Personal info revealed can include private personal conversations, intimate photos/videos of employee and partners, job searching, medical information, non-public sex/gender/etc. identity, protected classes for discrimination, Web history, etc., to possibly the company or some outsiders.) Also a big problem if the company needs to wipe or lock a device to secure IP, and that would wipe personal data or lock employee out of it.

    No work on personal devices. No personal on work devices. Being strict about this from the start is to everyone's benefit (before complicating practices set in, the wrong services are bought/deployed, etc.).

    For employees who actually need to carry smartphones for business (e.g., executives, marketing, sales, other non-engineers), the company should issue devices with plans, to be used exclusively for business.

    For work calls for people who don't get issued company smartphones, use a service from the work laptop.

    For rare alerting eng/ops/etc. in the off-hours, when they don't have a company-issued smartphone, alerting can be to a personal device, but the alert should convey no info other than what is the urgency to get to the company laptop.

    Also possible side life balance benefit of strict work and personal separation on devices, especially with WFH/hybrid and carrying a laptop home: without work on personal devices, an employee can just physically put the work device(s) in a drawer/bag for the evening, and call work over for the day, or until they're ready to take it out. (No associating their personal devices with work, no interrupting with work off-hours while people recharging and with family, no trying to use unreliable software settings correctly to suppress work messages at some times and not others, etc.)

  • by c8g on 9/26/22, 3:38 PM

    Unfortunately, I guess, it won't available in the most part of the of the world at a competitive price to local operator.

  • by base0010 on 9/26/22, 10:14 PM

    I had hopes this product would be way less draconian. People miss the real reason you should push back on eSIM-only devices! It seems that most of HN hasn't done their DD on how eSIM provisioning dosen't work unless you're a billion dollar telco incumbant..... The eSIM-only precedent telco tech giants are pushing towards is part of the time honored tradition of locking consumers out of their own hardware. Indeed, this is another version of "the carrier owns the hardware you've purchased".

    TL;DR in order to provision an eSIM to live inside the eUICC (secure element inside phone); as per GSMA standards your eSIM HAS to have a key signed by a SOLE CA determined by the GSMA and the incumbent billion dollar telco industry cartel!!! With a SIM-card you have the freedom to connect to any network you want including those that aren't inside the realm of:

    "Only eUICC manufacturers, and SM-SR and SM-DP hosting organisations that have successfully been accredited by the GSMA SAS can apply for the necessary certificates from the GSMA Certificate Issuer to participate in the GSMA approved ecosystem."

    Please push back on this draconian nonsense as a whole people!!!

    eSIM Whitepaper: https://www.gsma.com/esim/wp-content/uploads/2018/06/eSIM-Wh...

  • by ranger_danger on 9/26/22, 4:40 PM

    How are they the first? MobileIron and others have been offering solutions for at least 2.5 years now.

  • by ck2 on 9/26/22, 3:46 PM

    random fun cloudflare related thing I learned last week, their "private dns" address is "one.one.one.one" which is even easier to remember than "dns.google" (there is also "dns.adguard.com" and "dns.quad9.net")

  • by 2Gkashmiri on 9/26/22, 2:26 PM

    wait till clouflare decides to ban a website from their network and you suddenly cannot access them unless YOU CHANGE YOUR SIM PROVIDER, that sounds fun

  • by puyoxyz on 9/27/22, 6:52 AM

    I am NOT using a sim from Cloudflare

  • by barathr on 9/26/22, 2:18 PM

    I think the term "zero trust" creates a bit of confusion, in this and other contexts -- not Cloudflare's fault, because the term has been used/abused quite a bit. I think it's a good idea to prevent SIM swapping attacks, and it looks like this will, like Efani does.

    TLDR: this will lock a corporate SIM to a device and then connect the device to the perimeterless corporate network.

  • by BrainVirus on 9/26/22, 2:59 PM

    They want to be in front of every website, behind every DNS request and now they want to control your cellphone traffic - while bleeding money by tens of millions of dollars a year and making promises they don't intent to keep. The trajectory of this company's life is obvious in advance.

  • by drummer on 9/26/22, 5:59 PM

    Seeing as how Cloudflare can cancel and censor you at will and has done to others recently, you'd have to be crazy to trust them with your phone and sim.

  • by tekchip on 9/26/22, 4:10 PM

    Wow, eSIMs hit first in this discussion? Not the glaring nightmare of security QR codes are. I thought about providing links but there's such a vast host of writeups about it I'll leave it for the reader to search and discover. Yikes.