
I've always been wondering: Is there a SIM card configuration flag that allows telling the phone to never even attempt an attach using a given technology?

This would allow leaking identifiers (at the cost of greatly reducing roaming coverage, at the moment), attaching to spoofed networks (for 2G, which does not have mutual authentication) etc.




SIM cards don't connect to networks, the phone modem can just disable support for such protocols. That'd probably be illegal, though, in case you're trying to call emergency services and don't have 5G reception.

Some Android phones have a setting to at least disable 2G and you can easily configure them to a "preference" of only 5G. I believe iPhones have a 2G toggle as well if you enable lockdown mode.

It'll be years before you can reliably get rid of 4G without losing coverage, though.

I don't know about any such settings on mobile platforms such as watches, though. I also doubt cars have a setting for this (maybe if you use one of those Chinese Android-tablet-with-a-car-skin systems?).


> SIM cards don't connect to networks

SIM cards have hundreds of various configuration knobs influencing what a (compliant) baseband does, so I wouldn’t be surprised if there was one that does just that.

That said, some knobs are frustratingly missing, though – why is manually entering an APN a thing, but the default SMSC can be stored on the SIM?


That's true, of course, but SIMs can be reprogrammed by the carrier on a whim. Plus, there are handover features that command the modem to downgrade the connection from the network side, and who knows if the modem will listen to the SIM's config if the network commands it to do something.

I haven't needed to enter APNs in years, there are standards to provision those by SMS if they're missing and most of them are pre-configured in the phone's OS.

I think limiting this at the modem side will be more effective than reprogramming the SIM card, but the specifications are open enough that you could take a look at a SIM's contents by throwing it in a reader.

You could also look at the code and blobs dealing with eSIMs, as they provide the same features but often come packaged in the form of software.

Check your local laws before you start messing with SIM cards, though, altering certain identifiers can be a crime.


In terms of existing examples, there's a few equivalent (or at least similar) fields defined as SIM files - for example, the FPLMN (forbidden PLMN) list of networks your phone shouldn't attempt to attach to.

You're right that this needs limited at the modem - but the main user accessible method of configuring the modem is the phone UI. As this setting is one which needs network support, and is likely to disconnect a user who misconfigured this, a SIM file for permitted RAT (radio access technology) types would make sense, as SIM files are under the responsibility of the operator.

Where this would get complex is edge cases, like under roaming scenarios, where your home network can't predict what might be available, and your handset may need to permit downgrading to a technology not permitted on the home network.

The toggle in Android to disable 2G seems a start towards a user accessible setting for this, which selects what the modem is willing to join, but it's certainly far from a user friendly way to enable and disable particular technologies.
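Added example, not part of the thread: a decoder for the forbidden-PLMN list mentioned above, assuming the raw bytes of EF_FPLMN have already been read from the card with a reader. Each entry is 3 bytes of nibble-swapped BCD (coding per 3GPP TS 24.008); the function names and the sample bytes are made up for illustration.

```python
# Added example: decode the contents of EF_FPLMN (forbidden PLMN list).
# Each entry is 3 bytes: MCC2|MCC1, MNC3|MCC3, MNC2|MNC1 (high|low nibble).
# A 2-digit MNC stores 0xF in the MNC3 nibble; FF FF FF marks an unused slot.

def decode_plmn(entry: bytes):
    """Return (mcc, mnc) as digit strings, or None for an unused slot."""
    if len(entry) != 3:
        raise ValueError("a PLMN entry is exactly 3 bytes")
    if entry == b"\xff\xff\xff":
        return None
    mcc = [entry[0] & 0x0F, entry[0] >> 4, entry[1] & 0x0F]
    mnc = [entry[2] & 0x0F, entry[2] >> 4]
    third = entry[1] >> 4
    if third != 0x0F:          # 0xF filler means the MNC has only two digits
        mnc.append(third)
    if any(d > 9 for d in mcc + mnc):
        raise ValueError(f"non-decimal nibble in PLMN entry {entry.hex()}")
    return "".join(map(str, mcc)), "".join(map(str, mnc))


def decode_fplmn(raw: bytes):
    """Decode a whole EF_FPLMN file body into a list of (mcc, mnc) tuples."""
    if len(raw) % 3:
        raise ValueError("EF_FPLMN length must be a multiple of 3")
    networks = []
    for i in range(0, len(raw), 3):
        plmn = decode_plmn(raw[i:i + 3])
        if plmn is not None:   # skip empty slots
            networks.append(plmn)
    return networks


# Constructed sample: test network 001/01, a 3-digit-MNC entry 999/123,
# and two unused slots. Not taken from a real SIM.
SAMPLE_EF_FPLMN = bytes.fromhex("00f110" "993921" "ffffff" "ffffff")

if __name__ == "__main__":
    for mcc, mnc in decode_fplmn(SAMPLE_EF_FPLMN):
        print(f"forbidden: MCC {mcc} MNC {mnc}")
```
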


> Check your local laws before you start messing with SIM cards, though, altering certain identifiers can be a crime.

Generally the contents of specific important Elementary Files (EF) are protected by requiring you to have an ADM code to read/write.

> I haven't needed to enter APNs in years, there are standards to provision those by SMS if they're missing and most of them are pre-configured in the phone's OS.

You might need to enter an APN if you have a B2B contract with the operator, where they'll route all traffic from your device(s) through a VPN directly to you. Besides that and static addresses, I am not aware of any other prevalent use-case for changing an APN.


> SIM cards have hundreds of various configuration knobs influencing what a (compliant) baseband does, so I wouldn’t be surprised if there was one that does just that.

There is EF-UST (USIM Service Table) but it doesn't explicitly allow/deny radio access technologies.


The wording you're using here seems to suggest that the phones can be configured to not connect to 2G networks. This is false if you live in the USA. The phone will not connect to 2G networks regardless of any setting. There have not been any to connect to for a while now. The only thing out there that is 2G any longer is malicious actors.

It should come as no small surprise that phones in the US markets ship with a feature that is a de-facto backdoor.


Tangentially related, the latest major Android release supports updates from the modem with details about whenever your IMSI/IMEI/unencrypted SUCI are disclosed to the network (with support for some contextual information, e.g. which protocol message was it disclosed in), as well as insight into the in-use network cryptography configuration for different protocols.


if you pay the google tax for a pixel, you get a convenient 2G toggle.

if you don't have an extra $400-900 and buy a cheaper android, you get to dial ##4636## (hn screws asterisks, look it up) then go into phone info, select each sim radio and change the drop down (and hopefully you know all the standards by all names to make the right choice. hint 5G is NR there)


There's a convenient toggle on my Moto G Stylus 5G 2023, if not a convenient name. In the carrier settings right next to allow 5G. Can't easily disable 3G or LTE though. IIRC, LTE also mutually authenticates, but if we're talking about passive catching and the IMSI is sent in the clear as the article says, then that doesn't eliminate passive catching. I'm not sure about 3G, I thought it wasn't mutual auth either.


Definitely, mutual authentication and (not) using long-term identifiers in the initial attach request are largely orthogonal concerns.

I believe even 3G supports mutual authentication (at least if the SIM supports it, i.e. it’s not a very old GSM only one), but anonymized identifiers only appeared with 5G.


wait. which market? never seen a Motorola with the "disable 2G" toggle!

and yes, that only prevents the lower denominator which uses downgrade, which is the vast majority everywhere.


US market, purchased direct from Motorola.


The 2G toggle can also be found in some other phones, but not every phone manufacturer has support for configuring their modems like that or has bothered to keep the setting in their settings app overhaul.

I know that setting, but I'm not entirely sure if that controls a preference or a mandatory cell config, and if it will prevent downgrades from the network side or not.

Some manufacturers and most custom ROMs also seem to offer that option without a dial code, but I haven't found any documentation about that feature yet to be sure it actually forces the modem configuration. I've found mentions online about this setting being changed without user interaction, so there seems to be a mechanism on some phones (carrier-branded ones maybe?) that alters this config.


every modem has to have that control. and you can access it on every model I've ever seen with the code i shared. i think it might be a requirement for some of the regulations they plaster stickers for.

having the ui or not is a balance between playing nice with overreaching law enforcement and enterprise clients.


> ##4636## (hn screws asterisks, look it up)

You can include asterisks if you escape them, like \*: *#*#4636#*#*.


One can backslash escape the asterisks. **

    \*\*


kind of information that would be very useful displayed when you're entering a comment. it's not like i work here...


That and all the things listed in this repo [1], not my repo.

[1] - https://github.com/minimaxir/hacker-news-undocumented


Is there a name for those ##number## codes? It's been years since I had to use one of them to fix some random issue on a phone.


USSD and MMI, see for example https://en.wikipedia.org/wiki/Unstructured_Supplementary_Ser... . On a quick glance the references did not seem to list what codes are usually available, so just search "ussd code list" or similar.



