Re: Bah
This seems to be along the lines of: "black hat convinces telco to port an account from an IoT SIM to their own SIM". This means the IMSI will change, but the MSISDN (phone number) remains the same.
All the IoT user needs to do is have in their servers an IMSI authentication routine that is completely decoupled from the Telco authentication scheme - i.e. maintain your own list of IMSIs and check against that (assuming the black hat can't spoof it anyway, in which case you're screwed no matter what you do)
