Why YSK:
Because this scenario:
I know what some people are thinking:
My eSIM is tied to my phone, phones these days have encryption, so all I need to do is set a lockscreen password then a thief cannot access any of my data.
WRONG
At least in Android: You can just use some button combo (just look up “[Phone model] hard reset”) to get into the recovery menu and wipe all data, then reboot, and the eSIM is still there!
(Caveat to this: If you happen to have a Google account, it would force a FRP lock, and that would stop access, but most of fediverse does not like those type of online accounts, so: without a SIM PIN and without FRP locks, the eSIM is accessible to a thief)
Now the thief has your bank 2FA Codes!
TLDR: Set a pin on your SIM cards, even if it’s an eSIM (but especially if you use physical SIM cards)
(Curious: Does anyone actually use SIM PINs or do I just have a lot of paranoid regarding tech and potential hacks/exploits)
On android, the setting is in Settings>Security>More Security
Yes
The fact that it can only be attempted three times, after which a much longer PUK code you from your service provider must be used to restore funtionality to the SIM. It also has limited attempts, after which the SIM is locked forever.
Not sure how that works cryptographically, or how robust a physical SIM is against tampering.
The eSIM uses the TPM / SE chip and the physical SIM uses smartcards running Java applets. The SIM type smart cards generally make use of tamper resistant circuits and are set to not allow key extraction, similar to the TPM.
It’s not undefeatable, but both require really expensive hardware and you can only target devices you physically have in your hand so it’s not worth the investment. If you’re law enforcement you don’t even care about unlocking the SIM, you’re just going to the carrier directly instead. If you’re not using that equipment for stealing hardware wallets from rich cryptocurrency owners, you don’t have a chance of return of investment. Also it will fail a lot (destroy the chip)