June 27, 2024

Why SIM Sovereignty Matters


Do you know where your eSIM was created? We believe the answer to this question is crucial, today more than ever.

SIMs perform a function that’s central to the cybersecurity of every cellular-connected mobile device on the planet. For that reason, carriers and network operators deploying SIMs should know exactly where their authentication credentials are located at every step of the process, whether those credentials are on physical SIM cards or in digital eSIMs.

Generating and managing SIM authentication credentials — the unique sets of identifiers linked to a specific user account with a particular wireless carrier or network operator — requires deep technical expertise. For physical SIM cards, it also requires specialized equipment in a certified secure facility. 

Shifting from physical SIM cards to eSIMs

In the past, carriers had no option but to purchase SIM cards from the SIM vendors that owned or controlled the production facilities. Over time, to save money, SIM vendors moved these facilities to low-cost countries such as China, India, Mexico, and Brazil. Then, as prices fell and profits became squeezed, some outsourced production of SIM cards to third-party contract manufacturers, much in the same way smartphone makers outsourced their production.

Fast forward to recent times. Physical SIM cards are transitioning to eSIMs. And although eSIMs are digital versions of the physical cards, the handful of SIM vendors worldwide use essentially the same processes for eSIMs, including creating and transmitting credentials to and from facilities located in various countries.

Let’s put this in context. Today, nearly 100% of commercially deployed SIM credentials are created by SIM vendors outside of their country of deployment. In the United States, the journey starts with a field office servicing local accounts. Technical consultants capture customer requirements and transpose them into profiles, a type of technical template comprising directories, files, and their respective attributes.


But before a profile can become an eSIM, securely generated keys must be merged into the template one by one (akin to a mail merge used for generating form letters). This process, which typically happens outside of the U.S., remains a black box from the customers’ perspective.


Crossing borders introduces problems

Inevitably, this largely manual process, happening across borders, can lead to practical problems. Some carriers have received eSIMs that should have gone to their subscribers in a different country. And errors during the process have resulted in subscribers seeing a different carrier’s brand on their phone than the one they’ve subscribed to.

In addition, both carriers and their host nations have various reasons to be concerned about crucial cybersecurity credentials being handled by entities outside their borders. For example:

  • International internet outages in eSIM production countries can disrupt the delivery timeline to customers.
  • Some countries, such as China, erect firewalls that could stop the flow of eSIMs—either deliberately or not.
  • What if a country where an eSIM facility is located suddenly demands that vendors not process eSIMs for particular customers or countries?
  • And while eSIM credentials are encrypted throughout their lifecycle, having those credentials under the physical control of a foreign nation can make carriers and nations nervous, wondering if the process is devoid of all cyber risk.

The opacity of the eSIM profile process explains why some countries, including Saudi Arabia, Turkey, and South Korea, have enacted legislation requiring that their credentials be created locally. This legislation provides assurance that their credentials are not being shared with the government of the producing country, a situation that could have national security implications.

RiPSIM offers a secure alternative

The solution? At RiPSIM, we believe it is to modernize the entire SIM process from the ground up and to keep it within a carrier’s control, and a country’s borders, at all times.

We bring deep SIM technology expertise to our integrated, GSMA-SAS-certified RiPSIM platform, which automates eSIM creation, orchestration, and management and puts it into the hands of the carriers and private network operators themselves.

The benefits of RiPSIM’s approach include dramatically faster SIM access—from the months it might take current SIM vendors to the minutes it takes on the RiPSIM platform—and cost savings due to automation.

But one major benefit that needs more attention is control over eSIM credentials. Because there is no sharing of environments among different carriers, all elements of the process remain entirely under the carrier’s authority, in a highly scalable operation. With this control, carriers can enjoy not only unprecedented flexibility, but also full sovereignty over this vital piece of cybersecurity that is becoming increasingly important to carriers’ customers, especially those in government, military, and emergency services.

In this age of automation and digitization, there’s no excuse for any company that needs to provide secure authorization to a cellular network having to worry about where its credentials might have been.

Creating eSIMs within the borders in which they’re used, or at least within an environment controlled by the carrier, will give greater confidence to all wireless network operators, from Tier 1 carriers to the smallest private networks, that deliver critical data to enterprises, governments, and families alike.

It’s well past time to pay greater attention to the integrity of these important SIM credentials. Carriers, and carriers’ host countries, need to be able to trust that their profiles, keys, and other credentials remain secure and always under their control. RiPSIM can help carriers do just that.