10 May 2023: Risks Created by eSIMs

The little plastic circuit cards that people can take out of one device and place inside another have become synonymous with the mobile networking revolution, but their time is drawing to an end as newer and more expensive devices exploit embedded SIMs, or eSIMs, which cannot be removed and which can be rewritten. Evangelists for eSIMs promise they will deliver numerous benefits, and their widespread use is already guaranteed as automobile manufacturers will rely upon eSIMs for the connected cars they are planning to build in ever-larger numbers. But no new technology is without downsides. One telco recently had to cope with a wave of worried customers who mistakenly believed they were the victims of SIM swap fraud after they pre-ordered new Samsung phones and somebody decided to switch their service to the eSIM in the new phones before the phones had been delivered to the customers! Other risks relating to eSIMs are the subject of conversation with John Davies of BluGem, a telecoms testing business that does a lot of work ensuring migrations to new network technologies always go as smoothly as planned.

Topical news items are also debated by the show’s three regular presenters, industry analyst Ed Finegold, senior risk executive Lee Scargall, and the Editor of Commsrisk, Eric Priezkalns.

Transcript (auto-generated)

Hi, I'm Eric Priezkalns and this is the Communications Risk Show, the live streaming conversation show produced by Commsrisk in association with the Risk and Assurance Group, RAG. Every Wednesday we talk to experts about the risks faced by communications providers and their customers. Today, we'll be joined by John Davies, Managing Director and one of the founders of BluGem, specialists in the testing of comms networks and network devices. We'll be talking to John about mitigating the new risks posed by embedded SIMs, eSIMs for short, as they begin to replace those little bits of plastic we've all grown so used to. Today's show is sponsored by BluGem and they're also the sponsors of this season of the Communications Risk Show.
If you'd like to subscribe, you can also join in the conversation. To put a question to John or to any member of our team, simply type it into the messaging box immediately beneath the streaming window on our website at tv.commsrisk.com. Messages on the website are anonymous, so write your name into the message if you want me to read it out.
If you'd like to see the show live on LinkedIn, feel free to leave a comment over there too, because a member of our team will forward them to me as we go along. I'll try to read out as many of your questions and observations as time permits.
Now let's introduce my co-presenters, Ed Finegold and Lee Scargall. Ed joins us from Chicago. He's an author, analyst and strategic advisor to tech and telecoms businesses.
Lee joins us from Bahrain. He's been both a consultant and an executive for a wide variety of comms providers around the world, including the Middle East, Europe, Caribbean and Asia.
Good day to you both, Lee, Ed. It's good to have you on the show again. Let's get straight into an issue that I know a lot of our audience are going to be feeling strongly about.
Let's put it that way. Malaysian telcos last week began automatically blocking SMS messages that include the URL of any website.
This is an example of what's often called a zero trust approach to securing networks.
The block went live on May the 2nd with four Malaysian telcos implementing it simultaneously: Maxis, Celcom, Digi and U Mobile.
Ed, beginning with you, a lot of fuss is made about the ramping up of malicious robotexts and attempts to gather personal data using smishing, the combination of an SMS message luring a victim to a phishing website.
Now, Malaysia here is clearly taking radical action that others are hesitating to consider.
Would you like, Ed, to see more countries taking action like this to protect the public?
Or is it more important to give individuals and businesses the freedom to send any SMS message they like without impediment?
I want to say a little bit of neither, just in the sense that I'm going to push back again on your on your lovely loaded question, which is that I don't think it's a matter of letting we shouldn't be letting companies do whatever they want with SMS.
And I think in a few episodes in a row, I've been pretty vocal about, you know, the problems that we see around SMS, the security issues with it.
One of our guests also got to educate me a bit about how it's not just SMS itself, but how it's implemented.
There could be ways to improve security.
So I think all those issues automatically come to the fore here.
But when you talk about what the actual blocking move was, first of all, the the caveat that you're talking about, texts with links, I think is really important.
It sort of creates a different category. It's still pretty draconian. It's still pretty black and white.
But it's saying we're going to block SMSes that have links in them, which is really kind of this aggressive way to getting at the heart, you know, the real heart of the problem.
And I think what I want to encourage people to think about, though, in looking at some research I was actually doing just the other day for a client.
If we think about the real problem, like what are we trying to stop? Right. With these smishing attacks, the stealing of identity data, which leads to all these other things we know about, like account takeovers and also things just like investment schemes.
You know, these impersonation scams that lead to this rise in investment schemes.
So here is an eye popping number. Right. I'm reading Bloomberg. Pretty good article. Investment schemes in the U.S. $1.8 billion in 2021 grew to $3.8 billion in 2022.
So this massive jump in these impersonation and imposter schemes, you know, just convincing people investments.
And it's not investments like, hey, I got a bridge in Brooklyn for you or have a timeshare for you.
They're doing a fantastic job of impersonating real brands. And I'm going to write down.
I wrote down some of the names, for example, that Bloomberg cited a study from Resecurity, a firm called Resecurity, and they talked about successful impersonations of Barclays,
Lloyds Bank, BlackRock, some other names you'd recognize on their Verizon, Shell, Ferrari, Tata. Right. So they're getting really, really good at those kinds of impersonations.
And so my point here is that, you know, SMS ends up playing, you know, a lot of different roles in the problem.
It's not just that one vector, which is a bad vector, but it plays a lot of different roles in baiting people and pressuring people and stealing information from them, in providing weak one time passcode security, all those kinds of things.
And so I think, again, I'm going to say if we'd rely on it a bit less. And so I'll give the caveat or maybe implement it better.
I want to know more about that. But if we'd rely on it less, I think we wouldn't have to then fall back to these draconian measures where you're just going to say,
OK, we're just going to block it. And then you end up having this debate where everybody's tilting with windmills, you know, about like, oh, but you're you're cutting off the fuzzy wuzzies. Right.
And you end up in debates like that. And that's the issue. So, you know, at this point, we have a problem.
So you have to stem the tide. Yeah, I think, again, I'll go back to the thing about the links, stopping text with links.
I do think that there's some logic behind that, but it only becomes logical because the rest of the problems get allowed to fester.
Let me shut up and let Lee answer the question. Absolutely. I want to hear Lee. What's your take on it?
So we actually discussed this with a regulator a few months back because things were getting pretty bad. Right.
So and we had to do something. We actually came up with there was five possible approaches to tackle it.
Right. And we've actually used a combination of these. So the first thing we've done is to implement a 7726 spam reporting service.
Now, just a bit of advice.
If you're going to implement one of these, then you need to be careful because you're going to start receiving lots of SMS messages which have URLs in which could be malicious.
Right. So you need to make sure you're not examining these messages on a machine which is sat on the corporate network because you might inadvertently download some kind of beacon,
which then starts talking to some command and control server and then they're in. Right.
And I'm certain like hackers, they're going to they're going to wise up to this and they're going to start forwarding these messages, malicious messages into these operators to see if they can get inside a telco.
Now, one of the other things we discussed was actually having a trusted sender registry.
So that means like all sender IDs, they have to be registered. So essentially everything is blocked. You have a whitelist and a blacklist and you have to you have to apply to get on to the whitelist.
This is similar actually to MEF's approach, which you might be familiar with.
The third approach we discussed was in Apple and Google.
Now, if you receive one of these messages, they actually have a report junk. And if you click on that link, it goes back to Apple and Google.
But you can also get that sent back to the operator. Again, that's very similar to the 772 approach.
The fourth option we looked at was actually content filtering.
So we look, we scan each message, we're looking for keywords in there, and then what we'll do is we'll block those messages if we believe them to be fraudulent.
And then the last the last option we discussed was basically stripping out URLs in the messages.
So we allow the message to pass through, but you just strip out that URL.
We also had quite a big awareness campaign to the customers that was through social media.
But in the end, we managed to get it under control. So we didn't actually implement that. Now, will Malaysia, will they be the only country that does this?
I don't think so. I think if it gets really bad, then I think regulators and operators will have to consider this.
I have to say, I mean, you've given two very sensible answers, guys.
It's a strange start to the show in that regard that we've been so sensible with our analysis here.
Me, I'm going to be less sensible in the sense that I think about, you know, as you use the word draconian, we already live in draconian society.
You can't ride your motorbike without putting a helmet on because you'll get into trouble for that.
There's so many prohibitions. You can't smoke a cigarette without that being trouble.
Yet we accept so many prohibitions now in modern society where the idea is designed to protect ourselves from harm.
There are many really good legitimate reasons to be sending URLs and SMS messages.
And the number one point I would make in terms of the need to send a URL and SMS message.
SMS is a mode of communication that works even if you don't have an Internet connection.
So why do you need the ubiquity of SMS if you're going to send something that's looking up a website?
If you've got an Internet connection on whichever device you're sending that message to, send it through a form of communication that's appropriate.
You don't need to have this risk that any old phone number can be spammed with a URL.
There's no reason. There's no need to mix these two up.
You could keep SMS for just plain old text messages, which is, of course, how it was originally envisaged.
When SMS was popular, it was before it would become the norm to have web browsers on your phone.
So what we've got is like an old technology that's being maintained because we need the choice to communicate.
But I actually think we've already got plenty of other channels if you want to communicate this information.
That's my tuppence. And you're not going to get any chance to argue back because we haven't got any more time for that section.
So there we go. So yes, I win that debate by default. Fantastic.
If you don't agree with me, though, if you're watching, you don't agree with me, by all means, send your comments and I can see.
I guess that some people will be agreeing with the very sensible answers.
Eric was saved by the bell.
The beauty of having the last word on the subject.
Now, we'll be talking to the boss of our sponsors, BluGem, later in the show.
But here's a brief message about them. Now, each week we've been talking about BluGem's excellent services and their profound expertise when it comes to automated testing of networks and network devices.
What about the people who make BluGem such a successful business?
You know that BluGem have a dedicated team of test experts and that they must have a deep interest in technology, testing and data analysis.
But who are they? Who is in their team?
Now, BluGem, they're based in the southwest UK in an area called North Devon, where they have access to some of the best beaches in Britain and beautiful Exmoor scenery.
After some serious testing work, BluGem like to have fun team building events such as their Viking Games, Airsoft, Go Karting.
I'm told they're a very competitive bunch. They have not one, but two annual BluGem Olympic Games, a Summer and Winter Olympic extravaganza.
These involve multiple fun games such as Crazy Golf, Bingo, Darts, Sandboarding and the classic Shove a Phone game, which is a bit like Shove Ha'penny, but you can probably work out the difference for yourself.
The Summer Olympics are often played out on the beach whilst the Winter Olympics come just before Christmas and they're based in the office.
With multiple games planned, they'd have to work with an automated point scoring system because for BluGem accuracy is always an important goal.
The overall winner, of course, of the Olympics gets a coveted trophy and their names engraved as the annual Olympic champion.
Now, this fun team spirit of BluGem also leads them to lend a helping hand or foot to charities and sporting activities in the community.
They recently sponsored the Birthday Bowl of the local veterans charity.
They were corporate sponsors of the Bands to the Ball 10K run, which raised money for Care for Kids in North Devon,
a programme that provides support to families with sick children and funds new facilities for the children's ward at the local hospital.
And they sponsored the North Devon Tarka Storm rugby league club.
Although somebody spent much of his youth tackling rugby league players and having his face shoved into the mud,
I can confirm there's no better outlet for energetic men and women, so good on BluGem for supporting the local R8 home.
The fun stuff and the community building components, they complement the motivation of BluGem's dedicated team.
They have a depth of industry knowledge, with many of their staff having worked at BluGem between five and 15 years already.
This really helps with BluGem's managed service delivery, as there's a lot of experience and trust within the team.
In the end room, there's the CEO, John Davies, who we'll meet with later.
And there's also Chris Vanstone, their software development manager.
Mark Pollock, their operations development manager.
Mark Pereira, their technical accounts manager.
And Damian Pudifer, operations manager.
These are just some of the people you'd get to meet if you were working with BluGem.
Their key drive is to be dynamic and flexible, and they achieve this by using their trusted and experienced team.
And also their agile software test solution, which enables them to support bespoke test requirements and deliver solutions to support the latest network products.
You'll find out more from BluGem's site at blugem.com.
And you'll be learning more later in the show when we talk to John Davies.
So back to the topical chat, guys.
I would now like to ask your opinions and maybe I'll get the last word on this one, too.
We'll see. And this thing about. And I'd love to also, you know, audience, please don't be shy.
I would love to hear your comments, too. So please keep sending through.
Here's one that I think, again, we'll get we'll get.
I'd be interested to hear what you have to say. I think we could have some variety of opinions on this one, too.
India is considering the use of artificial intelligence to block calls and texts.
So the regulator had brought together the all of the Indian telcos to review the potential use of artificial intelligence to selectively block spam calls and messages.
Artificial intelligence blocking: lots of mixed feelings about this, Lee.
Would you trust artificial intelligence to correctly determine which calls and messages should be automatically blocked?
Well, hats off to the Indians for trying something new here. Will it work?
Well, we discussed on last week's show with armed AI.
It's only a school machine learning. It's only as good as a training sequence and data sets they receive.
So so long as the training sets are good, I don't see why not.
Right. So we use malware. Sorry, we use machine learning to detect malware.
So, again, so why not? But to be fair, some of our SMS aggregators, they're already using machine learning to identify spam messages, and then they're actually filtering them out.
And that's actually with a very high degree of accuracy as well. So, you know, we receive actually very few complaints these days from our customers.
Well, there's a comment here from anonymous comment here from one of you is saying that commenting following on our previous point as well about SMS filtering here, the SMS filtering does occur a lot worldwide.
And, you know, I'm hearing the impression here that people are generally saying that it's working very well.
Ed, countries like the USA, there can be a lot of obfuscation in terms of the technologies being used to determine what traffic is allowed and what is not being allowed.
So although there's generally a positive upbeat message, there may not be a lot of scrutiny, shall we say, of how these algorithms work.
Should we be using all the tools and trusting the telcos and other businesses to implement them?
Or is there a need to perhaps have more scrutiny sometimes about which callers are being blocked?
It's a really interesting question you're asking. Should we trust AI? That's sort of the, maybe I'm parsing that too much, but I mean, that's one of the core questions here, right? Should we trust AI?
And I just go back to Lee's answer, right? That's just not like a sweeping thing that you can state.
I had to go back to Lee's answer, which is it really depends on how it's implemented and how well it's trained, right?
And that's a specific, and you can't go, I think, on this from the specific to the general, but people want to. They want to hold AI up as this answer, as this golden calf that's going to solve the problem.
That's not how it works, which goes, again, back to what Lee was saying, which is how is it trained?
So that's what tends to concern me about this is more the, not just in this case, but in a lot of different cases where when we rush to want to throw AI at something and say,
hey, because should we use all the tools at our disposal like you're asking here?
I think ultimately the answer is yes, but I think it needs to be understood that that doesn't happen tomorrow.
It takes time to develop these things. And like the example Lee was giving was a really good example of one case where someone has applied AI effectively to do something,
which then says, hey, maybe then we have a best case or a best practice we can put on the table, but I don't think we have a lot of them yet, right?
I think it's pretty early in the game. And so that's what tends to concern me about putting that much faith in this technology to solve this whole range of problems when it's still really new and immature,
but still learning how to use it. And again, you have to have the understanding that there aren't a lot of really proven proper ways to solve this set of problems with this technology.
And then there's obviously the separate discussion of what are all the unintended consequences of giving anyone authority that much power over communications.
And it's a divisive topic too, and we can illustrate that with a couple of anonymous comments that I've just received here back to back.
One comment saying anything they think is junk and block it, that's fine by him.
And another comment saying, I trust nothing. I would always perform a double check by a real human being.
So there will be differences of opinion within society too. Some people will just want the problem to be solved by somebody else, take it away and don't bother them.
Other people will be deeply suspicious about the fact that we are talking about calls not being connected, messages not being sent through.
It's interesting that when I say something like, let's block all SMS messages with URLs in, there will be some pushback from the industry saying, well, you can't do that.
But then if you're going to have an artificial intelligent technology deciding which SMS message is going to be blocked, clearly you have a similar risk.
Similar risk that a legitimate message or a message that is considered reasonable by a human being doesn't get connected.
So for me, I think this is going to run and run. And I'm less keen on India doing this than you are, Lee, I have to say.
I worry that you can have a situation where government backs themselves into a corner. They've implemented it. They don't want to lose face.
Actual harm is being done, but it gets played down, talked down and we don't examine the harm that's being done because we're rushing it out as quickly as possible.
You're not worried about that Lee?
Would you prefer that or STIR/SHAKEN?
Neither. It's not an either/or. It's not an either/or.
I mean, I would prefer because I think it's interesting that you posed a question like that because these things get posed as this technology or that technology.
I would prefer much tougher sanctions on telecoms businesses that don't implement proper know your customer controls.
Because if there was like a very heavy fine or very heavy other economic sanction, maybe the maybe you'll lose your license to do things if you allow bad actors into the ecosystem.
I think you'll find a lot of work can be done in weeding out the bad actors before you detect the call or the message that they send.
I think a lot of work can be done there, but we're not focusing on that because that's not work that can be easily turned into a technology that gets sold around the world.
That's the responsibility of telcos vetting their customers and only allowing decent customers to engage in sending traffic.
So that's why I reject your false dichotomy there Lee.
But the problem with that Eric is a lot of these calls originate from overseas.
Right. So it only takes one country not to not to have good KYC.
Then, you know, there's nothing there's nothing you can do about it.
Yeah, but then again, I go back to then we can use simple broad brushstroke rules.
I don't need sophisticated technology to be questioning why we're getting a hundred thousand SMS messages from India.
They've got URLs in it.
Even if you didn't want to implement a universal block on SMS messages with URLs, why would you need so many being crossing across borders?
You don't need to have them crossing across borders and simple rules and principles like that, which are announced to business in advance.
You won't be allowed to do this.
Well, the only people who will be left doing it will be the bad actors.
A legitimate business can find another way to communicate with people.
But we have a big disconnect in SMS right with that point, Eric, which is that we've talked about this before,
where you have, you know, official recommendations around security from organizations like NIST saying don't use SMS like this.
But then lots of businesses use SMS anyway, and then we know the problems that causes.
And then we end up sitting on the show and having discussions about who should fix this and who should regulate this and which of the laws be right.
And the one thing that actually makes sense to me in this discussion in theory is that you would have an A.I. monitoring things that had some kind of rules built into it that were based on some kind of common sense regulation.
Right. That said, yeah, this is what you can use SMS for and this is what you can't.
And the benefit of having a technology here, unlike smoking, like you said before,
I can't push a button and stop everybody from smoking, but I can push a button and stop all the SMSes with URLs in them from traveling.
Right. So it's kind of a different it's just a completely different mode of control.
Right. That you have for enforcement of the regulation. The question is, who's going to make those rules?
Who's going to decide about those rules? How are those rules going to be influenced?
And then how do you train the A.I.? And so it ends up going back to where Lee started.
And that's why I'm reluctant about A.I., because if A.I. is being used and nobody can review the rules,
nobody's in the position to oversee it, scrutinize it, question it, challenge it, because you simply won't have anybody with the technical competence and capability to do it.
Whereas if you keep the rules simple, then you have a chance to say, do we like or do we dislike these rules?
Is there majority support or is there kind of disapproval of adopting these rules?
It's at least it's clean and then your enforcement is clean. Whereas with A.I., supposing somebody wants to protest.
A bad decision was made by the A.I. Who are they protesting to? What are they protesting? Was it a bad decision?
We're just going to go round and round in circles with A.I., I fear.
We'll leave it at that, because we've got so much we could talk about on that particular topic and we need to keep moving forward.
So let me take this opportunity for another one of our weekly features.
The Symmetry Prism fact of the week, an interesting fact supplied by the team at Symmetry Solutions and their Prism Fraud Intelligence Service.
Now, did you know that telcos who consult Symmetry after they've suffered an international revenue share fraud attack will often realize it could have been prevented if they had matched some of the initial calls in that attack to numbers in the Prism IRSF database?
After one real life attack, the Prism team advised that 14 of the first 20 calls in the IRSF attack yielded perfect matches to numbers in the Prism database.
A separate attack on a different telco yielded similar results.
15 out of the first 20 calls in the IRSF attack were exact matches to numbers flagged as risky in the Prism database.
And the amounts lost in each of those attacks were significantly more than the cost of an annual subscription to the Prism IRSF database.
So if you're not already subscribing to the leading source of intelligence for international revenue share fraud, then get in touch with the Symmetry team at symmetrysolutions.co.uk.
Okay, it's difficult to get everything into one hour in the show because we really pack it in and they're big weighty topics and it's amazing that nobody else discusses them, but we'll try and pack in a third big weighty topic before we do the big weighty topic of eSIMs, which is also a big weighty topic.
This subject, and again, this is going to divide opinion, has been a huge fall in warrantless FBI searches of communications data in the USA.
So the Federal Bureau of Investigation in 2021, they performed 2,964,643 warrantless searches of electronic communications.
But in 2022, it was down to just 119,383.
That's a 95% drop from 2021 to 2022.
Now to give some context, the privacy rights of Americans are supposedly protected by law, but the FBI can make warrantless searches of comms data.
They don't need to get a court or they don't need to speak to a judge.
Warrantless searches relating to Americans, if there's believed to be communication between that American and a foreign target for surveillance. This is a power given to the FBI under the Section 702 of the Foreign Intelligence Security Act, FISA.
A law which came into effect placed limits on surveillance that was occurring at the peak of the war on terror, and which has to be renewed periodically.
Now some members of Congress are pushing back against the most recent request for it to be renewed. This is coming up imminently, and it's possible the FBI thinks that there's a need to exert more internal control over how they use this power, or else jeopardize losing support from Congress.
So with that in mind, producer James, he's got lined up a short clip of a House Intelligence Committee hearing on March 9 when Republican Representative Darin LaHood was speaking to FBI Director Christopher Wray.
It's well worth watching because of the extraordinary revelation at the end. Producer James, roll the tape.
Quote, an intelligence analyst with the FBI conducted multiple queries using only the name of a U.S. Congressman. The 707 report describes the specific facts that led the analyst to conduct these queries.
These queries retrieved un-minimized FISA acquired information, including Section 702 acquired products that were opened. FBI advised that no minimized FISA acquired information was disseminated or used in any way.
This was reviewed, obviously, by the National Security Division of the U.S. Department of Justice and ODNI, and based on what they reviewed, they found these queries to be wholly inappropriate, not compliant, and a violation because they were overly broad as constructed.
I think that the report's characterization of this FBI analyst's action as a mere misunderstanding of querying procedures is indicative of the culture that the FBI has come to expect and even tolerate.
It is also indicative of the FBI's continued failure to appreciate how the misuse of this authority is seen on Capitol Hill.
And I want to make clear the FBI's inappropriate querying of a duly elected member of Congress is egregious and a violation not only that degrades the trust in FISA, but is viewed as a threat to the separation of powers.
I have had the opportunity to review the classified summary of this violation, and it is my opinion that the member of Congress that was wrongfully queried multiple times solely by his name was, in fact, me.
So extraordinary. You've got a Republican elected congressman, the kind of person who you might assume would be supportive of the war on terror, previously served as state and federal prosecutor, previously worked for the U.S. Department of Justice,
in fact, specifically worked as a prosecutor of terrorist offenses. And here he is, he's upset because he's being spied upon by the FBI, his communications spied upon without a warrant because of how the FBI is interpreting a law that was passed so they could tackle terrorism.
So my question, I'll start with you, Ed, on this one.
What's your impression as to the reasons why the FBI are using this power a lot less in 2022 rather than 2021? Is there political pressure building up here because of a sense that they may have misused these powers previously?
Yeah, I mean, so this whole thing makes me incredibly angry, I have to admit, and I'll tell our audience that my responses on this one are necessarily going to come from an emotional place because really the attacks on the U.S. intelligence community
in the last, let's say, five, six years, especially through the previous administration, were absolutely abhorrent and dangerous for the United States.
And so now to come around and hear a congressman, there's a few things here that jump out at me. First of all, the way that he characterizes, oh, even a U.S. congressman, you ain't special.
You serve the public. In fact, if you're doing the public's business, every single word you say should be available to be recorded and shared.
You're doing the public's business. So this whole idea that congressmen should have some kind of special level of privacy or security versus any other citizen is, first of all, throw that out the window.
I cannot stand that aristocratic point of view, for starters. Okay, that disgusts me, especially coming from people that have gone out of their way to dismantle the U.S. intelligence community.
And so the issue that I have with all of that, and the fact that, like you're saying, you have this radical drop in these FISA warrants and that you want to say somehow that's a good thing.
I don't think that makes Americans more safe. I think it makes us less safe. Now, you want to have a conversation about having proper reforms around the FISA process and having oversight on that that's appropriate?
Absolutely. I mean, that's just common sense, but we're in an extremes discussion here. We're not in a common sense discussion here. We're talking about an extremes discussion, talking to somebody with a very specific agenda that honestly, Eric, when we were talking a few weeks ago about the
January 6th event in Capitol Hill in the U.S. and you were making fun of the guy with the pointy hat, the hat with the pointy horns on it, this guy put him with him.
Honestly, I think he's coming in from the same kind of point of view. I have something to hide and I'm going to get on the political side of all this news we've heard about the Pentagon Papers and everything else legitimately, but then it feeds into the same paranoia
of like, oh, we need to recapture America from the deep state. That's what we're trying to do here. We're on the side of right and it's an agenda. So I won't keep going off about it, but it really rubs me the wrong way, obviously.
Hey, your passion. I don't agree with you. I mean, the way I read that is this is a congressman saying, because I'm in a unique position, because I'm on the House Intelligence Committee, I can find out this is happening to me.
Contrast that with the seemingly hundreds of thousands, if not millions of people, because this is not these are not small numbers of times, nearly 3 million times in 2021.
So we're talking about a very large number of people who have had their communications looked at by the FBI, seemingly because of the suspicion that they're engaged in illegal activities.
And really, when these rules were put in place, it wasn't just illegal activities. It was the most serious legal activities. It was the terrorist activities. This is the threat to the state.
I think if I was a congressman, I'd be saying to myself, why would the FBI conclude that I am a threat to the state?
What possible thought process did they go through that led them to believe this is legitimate and justified?
So that's how I take it. Let's bring you in here. Maybe you've got a different point of view to me.
So what's interesting about these numbers is that they actually jump up to almost 3 million in 2021.
And the interesting thing here is that actually coincides with the peak of the Covid pandemic.
Now, in the UK, there was a similar incident.
So in the UK, there was actually a government department which was set up and it's actually known as the 77th Brigade.
And that's actually overseen by the DCMS, which is the Department for Culture, Media and Sport.
Now, that was set up to monitor foreign misinformation about Covid.
But then what it became, it started to spy on British nationals who were just critical of the UK government's policies and handling of the pandemic on social media.
So they weren't Covid deniers. They were just critical of the government.
And then you had the likes of MP David Davis, journalist Peter Hitchens.
These were monitored in a very similar way with searches and queries being run on them, reports being written, which were then sent back to the UK government.
So to me, it seems there's many abuses being committed here by law enforcement agencies on both sides of the pond.
Do you think it's a universal problem that if you give these kinds of powers to law enforcement bodies,
it's inevitable that there will be an extent to which these powers, because they've got them, because they've got the resources to use them,
there will be scope creep, there will be mission creep and they'll just keep on surveilling more and more and more until they run out of resources?
Do you think that's inevitable, Lee?
Well, if you look at the figures in the US, it's actually gone down, right?
So maybe they've tightened up on that process.
And I think similar things happened in the UK where you've had these members of the 77th Brigade,
they've actually come out now as whistleblowers to say, look, there's the law, OK?
And sometimes the law was breached in terms of doing some of these searches.
Well, I know it's come down. I know it's gotten better. We've got whistleblowers, but it's a terrible situation you're in that you have to allow the surveillance to take place.
You have to have the abuses to take place. So then you have the reaction to it.
It doesn't instil confidence because it means that whenever there is, in inverted commas, a crisis situation,
there'll always be the excuse, oh, well, now we're justified, now we're entitled to do it and it will be abused.
That's what I think. I mean, that's the wider point I take from this, not to be about the US or the UK or any specific regime.
There'll always be the pressure to abuse rights, which is why I much prefer that communications be encrypted end to end.
I much prefer to be in a situation where there's no possibility of surveillance to occur because there's no potential, there's no way in which it can occur.
I think these law enforcement agencies, Eric, I think they have to have the power to do this.
Right. Because there's some bad people out there, some really bad actors. But really, if you're critical of the government's handling of the pandemic.
Right. Does that give you the power to do these searches? I don't think it does.
Ed, as an American, can I ask you a difficult question? Would you recommend that foreigners avoid putting their communications through the USA
so there's no chance of their communications being tapped by American authorities?
Not as a blanket statement. I mean, do you want to do legitimate business with people in the United States and communicate about things?
But you know what I mean, a lot of traffic just goes through the USA that isn't terminating in the USA.
I'm talking about the fact the way the Internet works, the way things are being routed.
I mean, there was an incident not that long back where a lot of traffic that originated and terminated in the US,
a lot of Internet traffic that originated and terminated in the US got routed through China.
And I think you'd have a really good reason to be upset and worried about why would traffic get routed through China?
I mean, but now I think you're talking about the real issue, which is not knowing where your traffic's going.
And that's a problem. And I mean, there's legal precedent on that being a problem.
And companies having charges filed against them, having to settle, having fines,
all that sort of thing is their data ended up in a place that it shouldn't and they weren't really sure about it.
And we've seen that happen. So I mean, I think in general.
But so going back to your question, I mean, generally speaking, if I have to give you a black and white answer,
no, I don't think that people should be concerned about that and to stop that.
I think if you're someone who's really, really concerned about who's listening, you're really concerned about like having your privacy protected,
like there's things you probably don't want to do in the US that you might want to do somewhere else.
Things like that, right? So that's a whole separate discussion. Yeah, I agree.
But again, we're talking about a lot of black and white blanket statement things today.
Now I'm going to stand up for the US on this one.
We have to cover this. We have to be superficial. We don't have time to do it in detail. At least we're talking about these things.
You go to other associations, you never hear about it.
But be smart with your data. Be smart with your identity. Be smart with your business practices.
That's why I'm moving to the woods, mate, and destroying all my mobile devices when this season's over.
I'm going to be living in the Faraday cage for the rest of my life because I don't want to have anybody spying on me.
All right. We need to move on, unfortunately. We're already behind schedule. Apologies if I don't have time to read out more comments.
Before we bring on our guests for today's show, here's another installment of The World in Your Phone with Geoffrey Ross
of co-authentication, fraud prevention, and geolocation specialists One Route.
Each week, Geoffrey takes us on an international journey where we explore a different nation
whilst reflecting on the common problems we face as we attempt to communicate with each other.
This week, Geoffrey's destination is El Salvador. Roll VT, producer James.
Hey, everyone. From One Route, I'm Geoffrey Ross, and this is The World in Your Phone.
Let's talk about El Salvador. El Salvador is the smallest country in Central America.
This mountainous country is bordered by the Pacific Ocean, Guatemala, and Honduras.
But did you know that in 2020, its government passed the National Digital Agenda,
which is to improve connectivity and digital infrastructure in El Salvador?
Along with continued expansion of 4G services across the country,
there are plans for the commercial launch of 5G network services in 2024.
With all this growth, it should come as no surprise that in El Salvador, mobile lines are over 11.3 million,
which exceeds El Salvador's population of 6.5 million people.
The mobile network coverage is over 93% of its territory,
and the mobile penetration is remarkably high, so much that it is higher than the average for Latin America and the Caribbean.
But did you also know that El Salvador is known as the land of volcanoes,
with over 100 volcanoes and 20 of them still potentially active?
If you like surfing, El Salvador is your place. Some of the biggest swells and longest waves in the Pacific can be found there.
And finally, for all of us that love and adore coffee, El Salvador, fourth largest producer of coffee in the world.
Be sure to tune in to One Route and subscribe to our YouTube page where you can catch up with all of our episodes of the One Route Roundup,
where we spotlight individuals and companies making a positive impact in the telecom industry.
One more fun fact. In 2021, El Salvador's president surprised the world with an announcement that the country would adopt cryptocurrency as legal tender,
becoming the first nation to do so. It will be fascinating to see where this goes with all this digital growth.
Eric, back to you and more of the great Communications Risk Show.
Thanks, Geoffrey. It's important to see the world from different perspectives, and Geoffrey's service certainly helps with understanding the diversity of people around the world.
I understand El Salvador's volcanoes are one of the reasons they adopted Bitcoin. I hope to harvest the geothermal energy for cryptocurrency.
Man, we cover everything in this show. It's incredible how many bases we touched upon during the show.
But now let's focus on eSIMs and let's introduce today's guest. John Davies is managing director of BluGem.
As you've already heard, BluGem are specialist providers of test services for telecoms businesses and suppliers of network equipment.
That means BluGem are always conscious of the risks introduced by every change in network technology,
including the enormous changes taking place as more and more devices become networked with embedded SIMs or eSIMs,
replacing those plastic removable SIMs we got used to popping into the back of our phones.
Hello, John. Thank you so much for joining us today. I know you haven't been feeling so well last night.
You've pumped yourself full of medication so you can continue to join us. At least your voice is still strong.
It's a pleasure to have you on the show. I hope you're feeling better now.
And I hope you're looking forward to these difficult questions we're going to get from the audience, too.
Thanks, Eric. Yeah. Suffering from man flu yesterday. A bit of a bug. But as you say, I've got enough medication in me to keep going.
I might need a swig of water now and then, but I'll be OK.
The risks never end, John. We never have any moment to rest and we need to pack it in as well into the show.
So, BluGem, you're experts at dealing with the transitions that take place when new technologies are adopted,
when network businesses and comms providers are changing their business model.
Give us an overview here in terms of what comms providers need to do to gain confidence that the switch to embedded SIMs will go without a hitch.
What new issues should they in particular be looking out for?
Yeah, thanks, Eric. Really testing at early stages of eSIM because there's lots of pilot releases of products, including eSIM.
So they're often tested in the test labs, which is an isolated environment which allows you that isolate control without it being rolled out in a live environment.
So we prefer to test within the test labs first to do the core functionality.
Then it's rolled out late stage to live, i.e. free any live subscribers being migrated onto it.
In terms of tests for eSIM, we started our first eSIM customer test three years ago.
We were all quite excited. We were getting an ever-ending stream of eSIM customers.
Truth is, we've had a lot of interest and we've had a couple, but it's not taking off quite as much as we had expected.
But that's kind of what we're discussing today.
Let me jump in there. Is there a particular reason why eSIMs have not picked up in the way they expected?
Are there maybe obstacles that are getting in the way of adoption of eSIMs?
Yeah, it is pretty slow.
I think you've got the wearables that's been improving it a bit faster and you've got the new iPhone, which is now only using eSIMs, got rid of its physical SIM.
So there has been a lot more interest since iPhones have done that in the US.
I assume Europe will follow that.
But there's a lot of issues in terms of you've got to be able to have the budget and input to put in the remote SIM provisioning architecture in the telco so they can remotely provision the SIM.
There's a GSMA specification guidance on how to do that.
That's obviously quite costly to network operators.
And the low eSIM devices in that you've got to buy higher end contracts, higher spec phones with eSIM.
That obviously puts people off.
And if you're switching between multiple SIM profiles and they're costing you 30, 40 pounds per contract, that's a lot of contracts you're potentially signing up for and gets quite expensive.
So yeah, the growth, I think it could be down to potentially network operators, customer churn when they're switching networks or any customer at any time can switch their profile to another operator that's bound to impact their customer revenues.
But the switch of that is the other network operators should be doing the same.
But I could see that would be a bit of a blocker for telcos.
You have been able to swap out easily at minimum contracts, no more PAC codes like you have in the UK.
You don't have that long process and painful process of switching operators, although it's not as bad.
But yeah, there's a few of my ideas of that's why it's taken a bit slow.
In general commercialization, if you just look online for eSIM products and testing around what operators are out there offering it and what the benefits are of it when you look at the latest handsets, you don't really see much about it.
You don't really see what the benefits are from the telco.
So I don't think a lot of people really understand eSIM and the benefits it brings to them.
What should telcos be focusing on then? Because you've mentioned, say, the iPhone there, for example.
And I'm thinking here that there was an incident a month or so back where T-Mobile customers were sent out new phones, phones with eSIMs, or rather they weren't sent out phones with eSIMs.
They had ordered phones with eSIMs in them. They hadn't received them.
But the service had been switched over to the new phone because of the way in which provisioning works. Is provisioning the particular area that the telcos need to be focused on in terms of testing that everything works correctly?
Or are there multiple other components where they need to be focusing their attention in terms of mistakes that can happen, damaging impact because it was very upsetting for those customers.
They were losing their phone service from the existing phone and they thought they were subject to fraud because they'd heard about SIM swap frauds and they had no other explanation for why suddenly their phone was no longer connected.
So where should they be focused? Is it provisioning or are there other components of the telcos business where they should be concentrating or looking at the risks of things going wrong, especially as they're getting used to doing these new, following these new processes?
Yeah, I think so. eSIM, the architecture and subscription manager, I think that needs to be first to be able to make it smooth so when they go abroad you interact with other operators.
eSIM is easy to switch to other platforms.
I think that's really unfortunate. That's more of a communications go to market issue within the sales department, telco, sending out the phones without informing the end users that it's eSIM, not a physical SIM.
So that would have been pretty damaging to them. And I think a lot of it is the education because eSIM is more secure. I know we're going to get onto that, but a lot of people kind of don't know the benefits of eSIM instead of having this physical SIM in your device.
It works fine. People are just used to it. They're comfortable with it and not having a SIM put in your device, I think that makes people uncomfortable because they're not aware of the benefits of it.
So tell us about the benefits then, because I must admit I'm not particularly aware of the benefits, especially from say a security angle or protecting the consumer angle.
Yes, I think real benefits of eSIM, obviously it's the ease of switching profiles, so you no longer have to wait for a physical SIM to be posted to your house, and at any time that could have fraudulent activity, somebody intercepting it whilst it's at your house or getting there.
So you'll get a QR code or an app ID to authenticate the eSIM device via QR code or however it may look.
You then have access to your SIM straight away, and from there you can switch profiles as you need to. So you could switch from operator A to operator B to operator C.
Why would you do that? Well, lots of reasons. It could be network signal. I live in a fairly rural area.
My network providers don't cover this area too well. It might be I drive up north somewhere and see my favourite Guns N' Roses concert.
I find my signals getting even worse, so I just switch my profile, get a better signal. If you're looking at rates when you're roaming abroad, you might see that one of your local operators, your home networks, has got a better roaming rate for Europe.
So you might want to switch them before you fly. Conversely, if you land in your roaming country, you might want to take up a local operator SIM.
And instead of going the old days, which I did this quite recently in Spain, I went to the phone shop to get a SIM and I can tell you with three kids, it was quite painful trying to sign up for a SIM when I didn't know Spanish.
And I was doing some testing, funnily enough, but it was painful. But instead, you should be able to go to a different country, roam there, log on to a local domestic operator and get those local home rates.
And then, of course, when you make calls back home, you can switch back to your home network profile and call back home. So there's a lot of benefits to it.
Lee, you have some opinions here upon businesses, telcos, perhaps not embracing the advantages of multiple profiles for customers.
Yeah, we discussed prior to the show that in particular, I spoke about the UK in particular, and the last time I checked is, you know, we have all this, you know, it's great to use eSIMs, right, because it benefits the customer.
But I've noticed in the UK that eSIMs are not available to prepaid customers. So the idea when eSIMs were originally envisaged is that when you were roaming, you could then switch to another provider.
But to me, it seems in particular in the UK, and the last time I looked, is that you can get an eSIM, but it's only as a post-pay subscriber when you've actually signed up for 12 months.
So the benefits of having an eSIM as a roamer, they just seem to be blocked by the UK operators.
So they're not seeing the commercial advantage. Is the focus, should the focus be more on machine to machine for eSIM then? And is this an area where perhaps the expansion hasn't been as rapid as we'd expect?
So, yeah, I mean, if you look at IoT, for example, you know, IoT, any report, you know, take any report you want, right, it varies in 2020, sorry, 2030.
I think the lowest estimate I've seen of IoT devices is 30 billion. I've seen figures up to 140 billion connected devices. Now, obviously, not all of these are going to be with eSIMs, okay, but I think there's quite a big opportunity of growth out there.
I think this is where the security aspect comes in as well, because if you can hack these devices, then you can do anything, whether you can do DDoS attacks, point them towards various, you know, to do denial of service type services.
So, yeah, I mean, security is a big issue around eSIMs.
Ed, can I bring you in here? I'm curious to have your insights as an industry analyst here. Do you sense some tension here between the device manufacturers just wanting yet another really small, even smaller chip that they can put into the devices?
So, an example of an iPhone, you can pack even more capability functionality space, but perhaps it's not being fully embraced by the network providers who perhaps don't see so much benefit.
There's definitely a tension there, and I've been in conversations with major device manufacturers who've said flat out that they would love to not have the activation of services tethered to carriers to get their phones up and running or their tablets up and running.
I mean, I've been in that conversation, so that tension, that sort of, you know, resentful relationship, has been there for a while.
I'll tell you what I would find, though, interesting on the eSIM side. We talk a lot about the concept of eSIM being that you can switch, you know, profiles and switch carriers, you know, for these sort of practical roaming issues, especially that people less than the US have,
and more so people that travel internationally and travel over Europe have.
What about the other way around, though? I mean, the thing that I think is interesting, if you come at it from the phone manufacturer's point of view is, well, it's like someone who collects cars. Today, I want to drive my, you know, my yellow Porsche, and tomorrow I'm going to drive the red Ferrari.
Well, I want the same thing with the phone. Like, I'm going to use my Samsung flip phone today and my own phone tomorrow, but I want my profile to come with me from phone to phone and not move a physical SIM to phone from phone, which is bounce them from phone to phone.
I have that kind of experience. And to me, from a CX perspective, that would make eSIM a lot more consumer friendly.
The last thing I'll say is this. We were talking about activation and provisioning. And to me, when you get into the IoT stuff, that's where the big missing piece is here.
And I've been clamoring about this for a few years, that it's amazing to me that, you know, you look at something like Amazon S3, right? It's a storage interface that created Dropbox, right?
All Dropbox is like multi-billion dollar valuation that it achieved was a wrap around S3. We don't have that around activation.
Right? Not in the same way. Like you don't have an activation API in the same way. There's platforms out there. There's a whole market for MVNOs and for MVNEs in the IT world.
I know people have been working on that, but there isn't sort of just like one standard way to say, hey, yes, this is a platform approach to activating these eSIMs.
And that's how we go about IoT. And I think that's a sticking point because a lot of times the provisioning process is still a lot of form.
That is a great point. That's a great point. Comment in here from Gideon and Gogo.
Currently, customers have to update their profiles before leaving their home country. This is in regard to eSIM. More insights to this.
John, perhaps you can comment on this. This sounds as though Gideon's experience is in conflict with how eSIM should be used in practice.
That seems quite unusual to have to update your profile before you leave the country. It's almost a bit of a blocker by the telco to almost steer you away from changing to another network.
I haven't seen that myself. It is odd. I sort of question the operator why they're doing it. I guess they could say it's for security.
But that doesn't really make sense because the whole point of eSIM is that you can go anywhere and change your profile as you want.
I don't know if there's something to do with their remote SIM provisioning system that requires you to kind of log off the home network first.
Something odd like that. Maybe it's not done to the GSMA specification. There's perhaps a lower-end spec version of the remote SIM provisioning.
I understand that there's a parameter that can be set that determines which of the multiple profiles is the one that has to be used and prevents the user changing from that profile.
Is that something that anybody's asked you to test in practice? And what's your thoughts on that in terms of, again, the intention in having that in there if the goal was to permit the user to switch easily between profiles?
This is, by definition, a parameter that's been included in the spec that prevents the user switching profile.
So is anybody asking for that to be tested in practice? And how do you feel about it?
No one's asked us to test. You mean the home network, sorry, before you leave to go roaming.
No one's asked us to test and a lot more testing is around switching of profiles and what happens when you switch profiles whilst you're in a call.
What would happen if you sent an SMS or a voice call and you switch profiles?
And in general, switching between your home network and your secondary network, which might be a MVNO, but it's MNO.
They might want to test that as the secondary profile, operator B, operator C and to test as many profiles as possible to fill all the profiles.
And they remotely delete some profiles by requesting that to the telco.
So we go through those stages, but a lot of it's sort of based on use on that usage cases of loading profiles.
Are there risks in terms of profiles potentially being corrupted in some way?
Yeah, I know there is some issues that have been out there, but I think in general, though, eSIM is safer.
You know, you've got the whole issue of a physical SIM in there, which could be stolen.
And as I mentioned before, I guess they are vulnerable to hacks, but a lot of that.
I know some of it is down to the phone manufacturer and then you've got the mobile operator, but some of it is down to the end user as well.
If you've got biometrics on your phone and you're careful with social media.
That's a big ask here, but a lot of these people get the information from trawling over social media to find out your names, addresses, e-mails.
They can try and hack into profiles that way. Or, of course, they perhaps go to a reseller who may have lower end security checks.
Not saying they do, but the telco may have quite stringent security checks.
If you're changing a profile, one that's set to a new device, you could have all the information you needed.
And I know there's been known cases where they've been able to go to a reseller and get a profile enabled that way,
because the security checks were quite light and all they needed was some basic information to do that.
So it is more secure, but it can be hacked. I know there's various examples of it.
But yeah, in general, it is better.
I'm just thinking malicious actors, though. I'm thinking here you're doing testing, profiles get downloaded, new profiles get added to the device.
At some point, the device will run out of memory. There's going to be a limit to how many profiles can be sustained by an eSIM.
And also, I'm not clear as to the possibility could accidents occur, could mistakes occur, as in their profile is downloaded, but simply not work as intended.
Does that come up in your testing at all?
We have done performance testing on eSIM. Yes, you download as many profiles as you can and keep switching to see how it performs.
Memory, we haven't tested that. We haven't been requested. Often customers do sort of the key functionality.
But you could, for example, ask the operator to spoof some possible memory or some extra profiles, anything they can spoof to get it into that state.
And we could test it that way. We do try to break eSIM phones, but in general, we found them pretty reliable.
So we're not we're not hackers. So, yeah, we don't often find them.
It's more of we would, for example, go through the user cases of the QR code and the authentication side of when you authenticate an eSIM.
So we'd go through various test cases of ringing up, going online, buying a device as a consumer, getting eSIM and recording the information that's required to make sure it's secure.
And the same with, because Ed mentioned, when you switch phone devices, this is a bit of an issue for us.
You've got to get a whole new QR code because it's a new device. Now, when we do roaming tests, it means we've got all these different devices dotted around the world.
It's great when we've got an eSIM in the UK, but now we want to switch to another device.
We've got to go through the so it's not a rigmarole.
We've got to go through getting that device provisioned remotely because that's how we do our testing to eSIM for every time we switch to a new phone.
So that that is a bit of a pain, actually, when you switch devices.
I think something I'm finding mysterious here to help me to understand this, John, is when it comes to, say, safety.
Let's move away from the mobile phone example to the fact that eSIMs will be in lots of devices like connected cars and all sorts of IoT devices.
When we talk about safety, I'm no longer entirely clear on who will be responsible for the safety of the user
when we're talking about eSIMs, because you have an eSIM, it's embedded in the device.
It's been put, you know, that's been put there by the manufacturer. Nobody can alter the actual physical eSIM.
You have the data, which is the profile that gets downloaded over the air interface to the device, can be updated on a basis.
And then you have, as a result, this kind of interaction between the data on the device, the network it's talking to and what the device itself does.
Is it always going to be a case by case basis in terms of who's responsible if the device malfunctions and therefore somebody's put at risk some sort of machinery?
We're talking about IoT devices here that can be heavy machinery.
For example, obviously, a connected car is a vehicle, a heavy piece of machinery that travels at speed.
Is it clear at the moment who's got the responsibility for the safety aspects of testing around profiles?
I don't think it is clear.
To me, it is the manufacturers, the operators and user, but I think if they follow the guidance of the machine to machine GSMA process,
there is testing in there in terms of product security requirements where protection profile has been developed with eSIM and implementing it in SIM provision architecture.
There's functional compliance as well to ensure the correct operation.
Then there's security integrate chip protection as well, where design perform critical security functions such as protecting the integrity of the data.
So assuming they've gone through that process and they are following the GSMA compliance,
which I know from David's last episode on IoT, which is quite interesting.
I think it's something like 27 percent were signing up to the study he was doing.
I think he was kind of implying there wasn't a lot of IoT manufacturers signing up to security issues.
That is a worry, but there is a standard and they should be compliant to it.
I don't know how it's enforced for device manufacturers, but you would assume that they built a device with those standards in it.
The security should be in there. And there's a security assurance scheme as well, which is like a common approach to security.
That's the objectives of the GSMA to protect the profile. So that should be followed as well.
So you should certainly be the handset manufacturers. I don't really hear a lot around that.
I hear a lot more around the operators. Obviously, we work more with operators, but if we're testing eSIM, we always recommend customers.
OK, we've got various test cases. We want to test the profiles, load test, function test, boundary test, roaming, domestic, etc.
But we also want to test different devices as well, because we don't know what standards eSIM is followed across all devices.
So let's test across a number of different phone manufacturers like Samsung, Motorola, etc. Nokia.
Now, BluGem, obviously you cover a lot more than just testing eSIMs in BluGem.
You deal with every kind of network, you deal with every kind of service that's provided for them.
I try to understand here as well, in terms of eSIMs and their adoption and use, is it going to be influenced by things like the rollout of 5G networks?
Or is eSIM working at a different level that it's not going to have any real relationship to things like 5G?
And does that therefore lead to more complication in terms of testing?
Or as I say, is eSIM such a thing on its own that it's not influenced by other factors such as the kind of network the device is connected to?
I think it works better with 5G SIMs.
We do have the next level of eSIM, which is iSIM that's coming out.
That's not going to be out until, and that's basically an integrated chip that is embedded within the GSMA core processor.
So it's going to be more secure, faster, all the usual things, apparently, because you won't be having this additional eSIM soldered chip on there.
So the iSIM chip is meant to be, again, more successful and meant to be better in terms of going forwards with 5G and having faster processors.
They're going to need less space in their devices.
But I don't really see eSIM being that related to 5G. It's a strange thing.
Everybody gets 5G. It's faster.
But eSIM, there's still that commercial knowledge that I don't think a lot of people get because a lot of telcos don't seem to push it.
And I think we discussed the reasons, but in theory, eSIM does work better with 5G.
But I don't see anybody going to 5G because of eSIM.
They just go to 5G on a physical SIM.
A lot of people are going to take dual SIMs anyway.
So they've got a physical SIM for two numbers and an eSIM.
They probably never use that eSIM profile.
Thank you for those insights.
I'm really keen now just stepping back from eSIM and just testing in general.
If somebody was to come to you and say from your expertise, performing tests of devices, performing tests of networks,
what are the hottest topics in testing as in what are the areas where any kind of business should be more conscious about the potential for risk and failure?
What are the ones that are standing out for you and your customers at the moment in terms of areas where it's really the most important to do testing these days?
Yeah, I think it's testing before it goes to market.
So often we're involved at a late stage, sort of pre-release, which is great.
But then they're on very tight budgets and time constraints to release it to the customer.
And we kind of do our testing, but it's released anyway.
Then the fixes go in, then we retrospectively fix them, which isn't the best way to do it for the consumers.
And sometimes it affects budgets and pricing in terms of revenues.
So we would say to get us involved at the IT stage, either in the test labs or just when it's getting integrated into their systems pre-live so we can do the core functionality tests and the basic stuff of just executing calls.
And obviously you do your basic voice SMS and data, but from there you look at more boundary tests in terms of premium rates.
What happens if I roam and then call a premium rate?
What happens if I roam in six different countries and do various voice calls to local numbers?
You know, there's so many different boundary test cases that we find issues with and a lot of them are around roaming.
Domestic's fairly solid for the reason that it's all you can eat data and all you can eat voice.
So there's not too much other than testing sort of exhaustive bundles.
But yeah, I'd say really it's around 5G.
We're doing quite a lot of testing for customers.
And that's the standalone and non-standalone.
But 5G is just like eSIM to me.
They've both been around a long time.
People have sort of used 5G, but actually this 5G standalone, true 5G network is becoming more available to customers, especially in the UK.
So we do a lot of testing, say with VoLTE or 5G.
Does it work at home? Does it work when you roam?
And often when you roam, your roaming partner doesn't support it.
And that's the thing with eSIM as well.
Often they've done some testing domestically, but as soon as we start to roam abroad, we start to find a lot of issues.
So you're saying that's a big hotspot in terms of finding problems that are only detected.
Really, when there's already some commercial damage, there's already some harm because potentially roaming revenues are being lost.
5G in particular.
So is it worse for 5G standalone or is it just the testing is more difficult with its 5G standalone?
I'd say the testing is just a bit more difficult just because of the frequencies 5G operates on.
We've been quite recently on the road driving up and down to find a particular mast, which we know where the mast is.
You know, Telco's given it to us. We know we're going to test, but we're kind of parked outside doing the testing.
It obviously would all get switched on by doing pre-testing, but it can be quite hard to find 5G signals.
We've had it in France where we told the location to go test.
In France, a very central location, we knew where the 5G mast is.
You put it into a building. We don't get signals.
We ended up using one of our crowd testers on his feet and he's doing testing that way to test 5G.
So I think 5G has got a bit of a way to go, but it is being launched and there is a lot more testing and it is incredibly fast.
And you've got 5G slicing now, which I think is working very well.
It's kind of dividing the different channels into slices and they're carving up the pipes. You can dedicate it.
So, for example, if there's something key going on, you might be streaming a live TV thing like a coronation.
They could dedicate a slice of 5G SA to that and that will be absolutely prioritized over the other traffic.
So, yeah, 5G is one of the upcoming testing things.
The other thing, of course, is when 5G happens, a lot of time you see a symbol on your phone.
As it traverses and connects to the other end, it drops to 4G halfway through because it starts at 5G, it drops to 4G.
So that's 5G NSA.
So network operators are keen to find out is it true 5G end to end or does it drop down to 4G plus halfway down?
My word, I would not swap my job for yours any day of the week.
It's no wonder you're catching the flu if you're driving up and down looking for these masts on top of running your own business,
on top of having a new baby in the house, on top of doing all this great work for the local charities you support, John.
I'd love to continue the conversation. We've overrun the time, but I really appreciate the insights you've shared today.
Thank you so much for joining us on today's show, John.
Thanks, Eric. Thanks, team. Appreciate it.
Thanks a lot, John.
Well, I'm afraid that's it for today's show. Ed, Lee and I will return next Wednesday when our guest will be world famous white hat telecoms hacker Karsten Nohl.
Karsten will explain the work he's been doing to identify vulnerabilities created by telcos when running their operations in the cloud.
We'll also comment on how those vulnerabilities pose even wider risks to society because other critical businesses will also be relying more on the cloud.
We'll be live on Wednesday, 17th May at 4 p.m. UK, 6 p.m. Saudi Arabia, 10 a.m. U.S. Central.
Why not save the show to your diary by clicking the link on the Communications Risk Show web page or just subscribe to our broadcast schedule, as I tell you, every week.
And then you'll have every weekly show uploaded to your diary automatically.
Thanks again to today's guest, John Davies, managing director of BluGem. BluGem will be the sponsor of today's show.
Thanks also to my co-presenters, Ed Finegold and Lee Scargall for their never ending, entertaining and brilliant insights.
I wish we had more time for them all. I'm sorry, guys, if I don't give you enough time, we're trying to pack it in.
It's hard to do. And our producers do an amazing show, making sure everything's slick and without a hitch.
Well done to our producers, James Greenley and Matthew Carter.
You've been watching episode nine of the Communications Risk Show and I've been your host, Eric Priezkalns. Visit our website at tv.commsrisk.com for recordings of every show from this and previous seasons.
Read our main websites at commsrisk.com, stay abreast with the latest news and opinion about risks in the comms industry.
And be sure to check out the great free resources from risk professionals, provided by the Risk and Assurance Group, RAG, at riskandassurancegroup.org.
Thanks for watching today's show and we'll see you next Wednesday.