SIM swap and SIM clone attacks have cost cryptocurrency holders, and others alike, hundreds of millions of dollars. https://cointelegraph.com/news/sim-swap-hackers-target-crypto-investors-cell-services-not-available.
Governments and other authorities use SIM data and access to needlessly violate citizens' privacy, and carriers use the on-device location data and local profiles to track users endlessly.
Phones are not a reliable HSM. An implementation of this idea, together with additional security measures, may help close that gap and eliminate the need for a second or third device to act as a KMS.
What it does
We built two different applications of this idea and are experimenting with the possibilities.
At one end of the spectrum, we use Secret Network to generate a unique identifier: the user is connected to a third-party VoIP number, and that secondary phone number is combined with the handset's IMEI to derive the identifier. The identifier backs a secure messaging inbox that cannot be replicated or cloned on another device without validating the IMEI at the device level (the IMEI identifies the handset but is readable by any app with the phone-state permission, so the binding still needs a device-held secret behind it). This can serve as an alias/pseudo phone number management system and as an unconventional endpoint for delivering 2FA messages.
At the other end, we built a mechanism to issue, provision and embed a user's SIM data into an NFT. Handshake and network attachment can then use newer, more secure cryptographic methods such as range proofs and non-interactive zero-knowledge proofs (NIZKPs). And because the SIM is an NFT, the MNO, or any other party with bad intent, can no longer clone or swap the SIM to compromise the user.
How we built it
For mode 1, we followed the new Secret Network NFT guidelines to issue a unique NFT and provision the necessary data from a client application. We are also integrating with Twilio to provision the secondary phone number and create the unique identifier.
For mode 2, we tried to break into the core telephony services on Android, the hardware abstraction layer and various other components, in order to copy profiles off an Android phone. We also built an eSIM issuer that places the necessary data in the NFT payload and issues a unique SIM.
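The two modes described above, as an added example in Python that is not the project's own code. Mode 1 derives the inbox identifier from the Twilio alias number and the handset IMEI; the per-device key it is keyed with is an assumption (the IMEI alone is public, so without such a key the identifier could be recomputed on a cloned device). Mode 2 builds the NFT payload for an eSIM profile so that only the ICCID and the inbox binding are public and the subscriber secrets (IMSI, Ki, OPc) are represented by a salted commitment rather than stored in the token. The schema names, the hypothetical device key, and every number and identifier below are constructed for the example; IMEI and ICCID both carry a Luhn check digit, which is the validation the code performs.

```python
import hashlib
import hmac
import json
import re
import secrets

# All identifiers below are constructed for the example; no real subscriber or handset.
E164 = re.compile(r"^\+[1-9]\d{6,14}$")
SECRET_PROFILE_FIELDS = ("imsi", "ki", "opc")  # must never appear in the public payload


def luhn_valid(digits: str) -> bool:
    """Luhn check digit, as used by both IMEI (15 digits) and ICCID (18-20 digits)."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def derive_inbox_id(alias_number: str, imei: str, device_key: bytes) -> str:
    """Mode 1: identifier binding the Twilio alias number to one handset.

    device_key is an assumed per-device secret (e.g. held in the Android
    Keystore). It is essential: the IMEI is not a secret, so an unkeyed hash of
    number||IMEI could be recomputed by anyone who learned the IMEI.
    """
    if not E164.match(alias_number):
        raise ValueError("alias number must be E.164")
    if len(imei) != 15 or not luhn_valid(imei):
        raise ValueError("IMEI must be 15 digits with a valid Luhn check digit")
    msg = b"euiccd-nft/inbox/v1|" + alias_number.encode() + b"|" + imei.encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


def verify_inbox_binding(inbox_id: str, alias_number: str, imei: str, device_key: bytes) -> bool:
    """Constant-time check that (number, IMEI, key) reproduces a stored inbox_id."""
    try:
        expected = derive_inbox_id(alias_number, imei, device_key)
    except ValueError:
        return False
    return hmac.compare_digest(inbox_id, expected)


def _canonical_secret_profile(profile: dict) -> bytes:
    missing = [f for f in SECRET_PROFILE_FIELDS if f not in profile]
    if missing:
        raise ValueError(f"profile missing {missing}")
    return json.dumps({f: profile[f] for f in SECRET_PROFILE_FIELDS}, sort_keys=True).encode()


def build_sim_nft_payload(iccid: str, profile: dict, inbox_id: str, nonce: bytes) -> dict:
    """Mode 2: the NFT payload for an eSIM profile (hypothetical schema).

    Only the ICCID and the inbox binding are public. The subscriber secrets stay
    inside the encrypted eSIM profile; the token carries SHA-256(nonce || profile)
    so the profile can later be shown to match the token without revealing it.
    """
    if not (18 <= len(iccid) <= 20) or not luhn_valid(iccid):
        raise ValueError("ICCID must be 18-20 digits with a valid Luhn check digit")
    commitment = hashlib.sha256(nonce + _canonical_secret_profile(profile)).hexdigest()
    return {
        "schema": "euiccd-nft/sim/v1",
        "public": {"iccid": iccid, "inbox_id": inbox_id},
        "profile_commitment": commitment,
    }


def verify_sim_commitment(payload: dict, profile: dict, nonce: bytes) -> bool:
    """Check that a presented profile plus nonce opens the token's commitment."""
    try:
        expected = hashlib.sha256(nonce + _canonical_secret_profile(profile)).hexdigest()
    except ValueError:
        return False
    return hmac.compare_digest(payload["profile_commitment"], expected)


def demo() -> dict:
    """End-to-end run with constructed data; returns what a client would persist."""
    device_key = secrets.token_bytes(32)  # assumed to come from the hardware keystore
    alias, imei = "+15005550006", "490154203237518"
    inbox_id = derive_inbox_id(alias, imei, device_key)
    profile = {"imsi": "001010123456789", "ki": "00" * 16, "opc": "11" * 16}
    nonce = secrets.token_bytes(16)
    payload = build_sim_nft_payload("8901410321111851072", profile, inbox_id, nonce)
    return {"payload": payload, "binding_ok": verify_inbox_binding(inbox_id, alias, imei, device_key),
            "commitment_ok": verify_sim_commitment(payload, profile, nonce)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points the code makes explicit: a cloned handset that spoofs the same IMEI still fails `verify_inbox_binding` unless it also holds the device key, and the Ki/OPc never reach the chain, only a commitment to them does. Whether the real design stores the commitment in Secret Network's private metadata or elsewhere is left open here.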
Challenges we ran into
Building an AOSP ROM is going to be time-consuming.
Accomplishments that we're proud of
An out-of-the-box use case, more than one approach to solving the same problem, and the potential for this to evolve into a web3-ready mobile operating system.
What we learned
The Cosmos ecosystem is our best bet for building a web3 mobile OS as a fork of Android: there are several applications and services we can take advantage of right away, and if we are to provide a mobile SDK for dApps, Cosmos has the best toolsets.
What's next for EUICCD - NFT
- Acquiring an SM-DP+ (subscription manager) server in order to issue real eSIM profiles
- Establishing new and more advanced handshake techniques.
- Creating HSM alternatives and a KMS.
- Decentralizing biometric authentication.