More Close

Cellular IoT networks explained

From SIM to Cloud, get a clear understanding of cellular IoT connectivity.
How Iot Cellular Networks Work HEADER 1200 X 627

This article will help you make a more informed decision when considering cellular connectivity for your IoT project.


I co-founded Onomondo to make a lasting impact on how IoT connectivity works. To achieve this, we’ve built a new IoT connectivity architecture from scratch. But to see the value of doing things differently, it’s essential to understand the norm.


I’ve tried to make it easy for anyone reading this to get a good understanding of how cellular IoT networks work. Once you know the basics, we dive into some common cellular connectivity problems, followed by real solutions.


First up, let’s quickly look at why cellular is a good option for IoT connectivity.



Why is cellular good for IoT?


In short, cellular is popular in IoT for two simple reasons: it’s global and standardised.


Cellular IoT is a natural choice for many use cases as it utilises long-established global networks. Cellular networks reach most corners of the globe, and IoT has piggy-backed on that existing infrastructure.


The demand for cellular ubiquity has driven the development of global standards and means that everyone is aligned. Even though standards like 2G, 3G, 4G, 5G, NB-IoT, LTE-M, etc. may seem like a complex myriad of acronyms, international organisational bodies like the 3rd Generation Partnership Project (3GPP) keep everything in check.


Other connectivity technologies either miss the advantages of global standardisation and/or are not deployed globally with the capability of interconnecting (e.g., SigFox, LoRa, Bluetooth, WiFi).


When to use cellular connectivity for IoT


What constitutes a prime use case for cellular in IoT is continually changing as cellular networks evolve.


For example, latency and high power-usage are historically good reasons people might avoid cellular connectivity. But newer, low-latency technology, new connectivity methods, and modern cellular devices have changed the game.


Examples of cellular IoT use cases:


  • Telematics and connected-driving.
  • Real-time asset tracking.
  • Automated meter reading.
  • Pre-emptive maintenance.
  • Predictive analytics.
  • Remote asset monitoring.
  • Wearable devices.
  • Smart waste management.


Now let’s look at the first piece of the cellular IoT network puzzle, the SIM.


Devices and IoT SIMs


In general, IoT devices capable of cellular connectivity contain a modem, antenna, microcontroller (MCU), SIM, and some sort of sensor.


There are many device vendors for you to choose from, and their devices come in various shapes and sizes with something for every use case.


A generic IoT device


Here are some crucial points to consider when choosing a globally deployable IoT device:


  • Frequency band support - Is it capable of connecting to 2G, 3G, LTE-M or NB-IoT? A useful resource for answering such questions is
  • The size, shape and weight of the device – Adding devices to cars is relatively easy, but monitoring something which requires small sensors is less flexible.
  • Power consumption - Does the IoT device have a ready source of power or does it need to last for a long time on its own?


The importance of SIMs for cellular networks


When choosing cellular connectivity for your device, you’ll need a Subscriber Identification Module (aka SIM). It’s the SIM that gives your device access to a cellular network.


There is a range of SIM cards available, which the industry calls form factors. In short, there are five form factors:


  • Full-Size (FF1).
  • Mini-SIM (FF2).
  • Micro-SIM (FF3).
  • Nano-SIM (FF4).
  • Embedded SIM (MFF2, previously referred to as VQFN-8).


It’s important to note here that radio modules in post-2018 devices can utilise software SIMs (aka soft SIMs). This evolution requires no SIM hardware; the SIM functionality is purely virtual. You can read more on soft SIMs and how they fit into the SIM landscape in this article from GSMA: Understanding SIM evolution (PDF).


IoT SIM card pricing


You may have noticed that IoT SIMs are not priced the same as everyday SIMs. The consumer SIMs you see advertised are cheaper per MB/GB than IoT/M2M SIM cards. This is mainly because Mobile Network Operators (aka MNOs, mobile network carriers, wireless carriers), such as Vodafone, Telenor and T-Mobile, know that consumers don’t get anywhere near their data limits on average and adjust their pricing model accordingly.


For example, the average user in the OECD today consumes about 5.8 GB per month per subscription. So even if a couple of people reach their 100GB per month allowance, the operator still makes a profit on average. B2B IoT users have a clear picture of how much data they use and prefer pricing based on actual data usage.



“B2B IoT users have a clear picture of how much data they use and prefer pricing based on actual data usage.”



Another reason for the pricing difference has something to do with how the network core is setup. In short, cellular IoT use cases typically involve many SIM cards with relatively low amounts of data transmission per SIM. This affects pricing models because there is a fee per SIM, which regular consumers don’t notice but is a significant part of the SIM cost for cellular IoT users. Don’t worry; we go deeper into this topic and how to avoid this SIM fee later on.


Common problems with IoT SIMs: Custom code


Many IoT SIM providers put proprietary code on their SIM cards. For example, some SIMs have Multi-IMSI applets, a custom code that helps the SIM jump between operators depending on where the device is located.


One issue with custom code is that it isn’t GSMA compliant. And in the case of applets, they’re not allowed on soft SIMs. This means the SIMs may not work on some devices.


Another issue is that custom code locks businesses into using the one SIM operator in most cases. If you want to change operators, you’ll need to revisit the device after deployment to switch the SIM. But revisiting devices isn’t financially viable, practical, or possible for most use cases.


Another consequence of custom code is that it makes it more expensive to bake-in cellular connectivity during device manufacture. If you’re shipping devices globally, you’ll often find you want a different SIM for each region. This means stopping production, switching SIMs and then restarting production. Having different regional SIMs also means devices are locked into specific regions, and avoidable forecasting becomes an integral part of execution.


💡Tip: Avoid custom code


As a default, we don’t add any custom code to SIMs and make it possible to update Onomondo SIMs over the air (OTA) when needed.


Not adding custom code also means we stay 100% GSMA compliant so every device (that is also compliant) can use Onomondo SIMs.


Common problems with IoT SIMs: Switching operators


It’s 2021 and switching SIM cards when changing operators is still a thing.


It’s common for device ROI to be ruined if you need to access an IoT device to switch a SIM. Now imagine having to change SIMs in thousands of devices around the world. This will not only affect your IoT business case – but your business as a whole.


Fortunately, all SIM form factors can have the operator updated over the air (OTA) without needing to be reissued according to standards from 3GPP. You can read the original 2003 overview here: Over-The-Air (OTA) technology – 3GPP TSG SA WG3 Security (PDF).


You can switch operators by transferring the SIM’s International Mobile Subscriber Identity (IMSI), subscriber authentication key (Ki key) and Derived operator code (OPC key).


IMSI is easy to transfer; however, the Ki and OPC keys are typically held by operators. Meaning although it’s technically possible to switch operators OTA, businesses are not able to do this.


An increasingly popular method of dealing with global IoT roaming is eUICC (Embedded Universal Integrated Circuit Card), also commonly known as eSIM. eUICC makes it possible to host multiple operator profiles on a device. However, the problem of vendor lock-in still exists for eUICC. For example, managing eUICC profiles requires an eUICC platform which is hardcoded on to SIMs during production, something that's not possible to switch. You can read a longer explanation about eSIM/eUICC lock-ins here: What are eSIMs?


💡Tip: Make sure you have freedom to leave


We recommend that all businesses negotiate with carriers to keep the IMSI, Ki and OPC keys as their property. It’s entirely possible, but almost no-one is doing it. Freedom to leave is essential for us, and we believe it will be a standard in the future. Otherwise, IoT will continue to struggle to take off.



“Freedom to leave is essential for us, and we believe it will be a standard in the future. Otherwise, IoT will continue to struggle to take off”




Onomondo generates the IMSI, Ki and OPC keys internally. With them, our customers can switch to any GSMA certified entity without friction (like revisiting thousands of devices to change SIMs!).


Common problems with IoT SIMs: PLMN lists


When you get a SIM card from MNOs or MVNOs, the SIM will often have a Public Land Mobile Network (PLMN) list on it. This list is a way to hardcode a prioritised list of networks you would like to use on the SIM.


Typically, the PLMN list is based on commercial agreements. For example, an MNO will have contracts in various countries for your SIM to connect to specific networks whenever you roam outside of their network.


A negative consequence of a PLMN list is that your device could prioritise networks with weak signals over networks with strong signals.


If there is no PLMN list, 3GPP states that the radio module should attach to a strong enough network (also called -85 dBm, it’s a signal strength that is strong enough to deliver a consistent, stable data connection).


💡Tip: Avoid PLMN lists on the SIM


Unlike any other operator (we know of so far…), Onomondo doesn’t add a PLMN list to SIM cards. We allow the radio module to choose a strong enough network according to 3GPP standards by default.


We use OTA updates to add PLMN lists for emergencies where users or devices need them. Otherwise, we operate with network whitelists which tell the device which networks it’s allowed to connect to without the prioritised order that a PLMN list has (more on whitelists later). All of this is available via APIs and the Onomondo platform.


The network


A cellular network, also called a mobile network, is a collection of base stations which link back to the core network.


A simple radio access network


The device transmits to a base station (aka cell tower). Base stations are the antennas you can typically see around the city on rooftops.


Groups of base stations are called radio access networks (RANs). As a part of the telecommunication network, the RAN sits between the device and the core network.


You could say RANs link users or devices to their operator, and the operator’s core network is the gateway to external networks, such as the cloud (think Azure IoT Hub, AWS IoT Core, IBM Watson IoT and Google Cloud IoT Core), and is also how operators connect to one another.




So, who is running this cellular network show?


Mobile Network Operators (MNOs) own the RAN infrastructure. Verizon, AT&T, Telefonica, Vodafone, China Mobile, and Telenor are examples of MNOs.


Apart from their retail business, MNOs also lease access to their infrastructure to Mobile Virtual Network Operators (MVNOs). This arrangement isn’t just for some extra revenue; it’s also required by law in most countries (e.g. Competition policy in telecommunications: The case of Denmark (PDF)). Many MVNOs are merely resellers of SIM cards who use roaming agreements and don’t have any technical access to RANs.


To differentiate, sometimes you’ll hear an operator call themselves a “full MVNO”, which means they run the entire network technology stack. A few MVNOs, like Onomondo, rent access to the base stations themselves (this is very rare). And the way Onomondo accesses base stations is the same way an MNO attaches to their base stations (which is standardised by GSMA).


The other “full MVNOs” that we know of generally only do this with one MNO partner, e.g., Deutsche Telekom. This integration gives them full access to data on the integration and devices on their network, but not for other RANs in the world not operated by e.g. Deutsche Telekom.


The network core


Now let’s drill a little bit into the network core (alert: heavy use of acronyms ahead).


A simple network core


To keep it simple, you could say the main parts of the cellular network core are the HLR/HSS and the GGSN/PGW.

Every mobile network has a server that stores SIM information, such as location and authentication keys. The Home Location Register (HLR) or Home Subscriber Server (HSS) is the database of all the SIM cards an operator has.


The gateway GPRS support node (GGSN) and Packet data network GateWay (PGW) is where all the data a device tries to transmit goes through.


The core interfaces with other operators and the cloud, for example. You can also control what’s happening in the core with APIs or apps (e.g., connectivity platforms) and proactively access information via Webhooks.


What is roaming?


When using your SIM outside of its home network, some of the data handling responsibility is handed over to the network you’re visiting. This is called the visited network or foreign network. In short, you’re roaming when you go outside of your home network.


As a basic example, if you take a UK SIM card to the US, you can’t see BBC online anymore because a local network has given you a local IP.


It’s fine to roam on an iPad or a phone; you can get an SMS, make a call, and access the internet. But with IoT, there are some limitations which can make a big difference in global deployments.


Let’s take a look into that now.


Common problems with cellular IoT networks: Roaming


When roaming, your home network doesn’t know what you are doing in real-time.


The separation of responsibilities between your home and visited network is a problem for IoT – businesses often suffer from network debugging delays (days or weeks) because of a “not my customer” attitude.


Another issue is the lack of financial control and forecasting, as roaming typically means you get zero real-time insights as billing and reports come on the back of usage.


💡Tip: Your device doesn’t need to roam


Unlike any other MVNO, Onomondo has built integrations with every single MNO in our 700+ network.


IoT device, RAN and core network


We don’t have one RAN that’s “home”, which is typical for other operators. We’ve integrated all RANs with the Onomondo Core. If you use an Onomondo SIM in the US with T-Mobile base stations, or in China with China Unicom base stations, or in Denmark with TDC base stations, everything is handled the same way. We call this network agnostic.


Having one network means, among other things, that you don’t have to worry about forecasting regional usage for devices and that you can have insights and access to monitor all devices – globally and in real-time. We talk about this some more in the debugging discussion.


Common problems with cellular IoT networks: SIM subscription fees


Remember the HLR/HSS from the core? Well, there’s a problem with these systems … they are expensive!


MNOs and MVNOs pay companies like Oracle to set up databases on their HLR/HSS systems and are charged a fee for each row of data stored. And if you offer roaming and need access to another operator’s database, it can cost millions of Euros for access plus a fee for each SIM.


A consequence of how databases are set up in the telco industry is that SIM cards have a monthly fee per active SIM card.


This fee doesn’t matter much for consumers as it’s only a tiny fraction of their overall subscription. But for IoT where businesses have thousands or millions of SIM cards, the subscription fee that you incur even when not using the SIM impacts any business case significantly! If you make 100,000 devices for multiple markets, you will spend a lot of time and money forecasting when to activate them and how to minimise these subscription fees.


💡Tip: Don’t pay for activated SIMs, only for active SIMs


With Onomondo, if a SIM is not in use, it incurs no costs.


How do we do this? We’ve rebuilt the complete network logic from scratch and don’t have the same data storage expenses that MNOs and MVNOs face. And as we don’t have any costs for activating SIMs in the database, we don’t need to charge our customers.



“We’ve rebuilt the complete network logic and don’t have the same data storage expenses that MNOs and MVNOs face.”




You can now receive activated SIM cards for production (so your device can join a network), send your device out to the market (where it might sit on a shelf for a while), not have to worry about when to activate the SIMs, and only incur fees when data is transmitted.


Common problems with cellular IoT networks: Updating SIMs and debugging


It’s essential to consider how you can access your device for updates and debugging with any form of IoT. Devices will be in use for a long time, up to 20 years in the case of smart meters according to this GSMA analysis. Generally speaking, what is true today for technology will be different in 1, 2 or 5 years.


This need to be future-proofed isn’t only true for the device, but for the SIM in your device as well. Here are some things to consider regarding future-proofing devices.


Updating PLMN lists etc.


Much the same as with a PLMN list, Onomondo's network whitelist system tells your device to connect to TDC in Denmark, Orange in France, and AT&T in the US, and only those operators in those places. However,  a network whitelist does not have the order of preference which a PLMN list has, so that your device connects to the first strong enough network and registration times are shortened.


A forbidden network list (FPLMN), on the other hand, tells your device that it can’t connect to AT&T in the US, but anything else it finds is fine (you can find out how to clear FPLMN lists with AT commands in our help section).


An issue here is that it can be a hassle to update these lists. You'll need to contact your carrier to make updates, which involves creating a ticket and waiting for them to process changes (something known to take weeks at times).



Suppose you suddenly can’t see your device or something is wrong with data transmission. In this case, you’ll want to get in touch with your connectivity partner to figure out what’s happening.


But when you’re roaming, you’re not on your operator’s core network, and they don’t have access to all of the information you might need. Therefore, there can be costly delays in getting this information, and we are talking days or weeks here.


💡Tip: Keep control of the core


We’ve shifted a lot of the SIM functionalities to the core and, as touched on earlier, we’ve set up the Onomondo core for over 700+ operators globally. We then give all of the information we have to our users so you can, for example, OTA network whitelist and PLMN list updates, check connection logs, and access live data packet monitoring to debug connectivity in real-time.


Onomondo Traffic Monitor shows real-time insights into everything that happens from SIM to the cloud.


It saves precious development and debugging time when you can see everything in real-time, globally, from what’s going on when a device tries to attach (signalling, authentication, etc.) to what’s happening once it has attached.


What now?


Congratulations, you’ve made it to the end of this article. Hopefully, you have a better understanding of how cellular networks work and have gained some valuable tips on managing your IoT cellular connectivity.


IoT projects can fail because of a poor connectivity choice. To save future headaches, make sure you prioritise connectivity early on and remember what works in a PoC might break when scaling globally.