While we are all familiar with the classic plastic SIM card and what it does, many are less aware of the emergence of eSIM. Recently, however, with the industry deploying more and more eSIM-capable models, including Apple launching an eSIM-only device, the term eSIM has started to enter the public consciousness. With the SIM now embedded permanently in the user's device, and users downloading a new eSIM profile each time they switch providers, many have questioned how secure the device's connectivity to networks and to other devices really is.
In particular, many worry that the move away from the physical SIM will lead to more confidential data being intercepted and more devices being hacked. However, as Patrick explained, this will not be the case.
Before considering the security of eSIM it is important to understand the conditions under which physical SIMs are manufactured today. Many are produced in factories that are not certified and, as a result, do not follow all the necessary security requirements. This is particularly prevalent in low-end markets, such as cheap prepaid SIM cards. With eSIM, the situation is very different.
All the various actors in the eSIM ecosystem, from the manufacturers of the eUICC (the embedded SIM chip) to the subscription management platforms that host and deliver profiles, have to be certified by the GSM Association (GSMA). If an actor is not certified, it cannot interact with the rest of the eSIM ecosystem and an eSIM profile download will not happen: the eUICC and the SM-DP+ (the platform that prepares and delivers profiles) authenticate each other with certificates issued under the GSMA's Certificate Issuer, so an uncertified party holds no certificate that the other side will accept. Working this way gives every actor in the ecosystem assurance that no uncertified interaction can pass through its systems or reach an end user.
To gain GSMA certification (under its Security Accreditation Scheme, SAS), there are a number of criteria that organisations must meet and be continually assessed against, including:
Security – Are they investing in and deploying current cryptography, such as elliptic curve cryptography, and is it applied at multiple levels to protect actions on the network?
Overall Strategy – the overall planning and company policies.
Organisational – the company's structure and the people holding positions at all levels, ensuring those resources are skilled, screened and trained.
Lifecycle of Sensitive Assets – from creation, through use, to destruction; ensures every step of a process that handles sensitive data (such as keys and profile data) is carefully considered and managed.
People – the lifecycle of employees, from onboarding and ongoing training to exit; ensuring that people leaving the company have their accounts closed and can no longer access sensitive systems or records.
Physical Security – making sure the systems and databases that hold sensitive data are physically secured.
Key Management – who can access keys and security systems, how is that access controlled, and how is it regularly audited?
Computer Systems and Network – is the architecture in place to ensure that security controls such as firewalls are properly installed and active?
Companies working with eSIM must meet these standards to operate in the eSIM ecosystem, and even once certified they are audited regularly.
Many have argued that the deployment of eSIM makes IoT more secure. Building on the same hardware, the GSMA and the mobile industry have developed IoT SAFE (IoT SIM Applet For Secure End-2-End Communication). It enables IoT device manufacturers and IoT service providers to use the SIM as a robust, scalable and standardised hardware root of trust to protect IoT data communications.
IoT SAFE provides a common mechanism to secure IoT data communications using the highly trusted SIM, rather than proprietary and potentially less trusted secure elements implemented elsewhere in the device.
The applet runs on the SIM and lets the device establish a secure (D)TLS connection to its servers, with mutual authentication between device and server based on digital certificates. The device's private key is generated (or provisioned) and stored inside the SIM, and the applet performs the handshake signature on the device's behalf, so the key never leaves the tamper-resistant hardware; the application on the device only ever handles the public key and the certificate. Provisioning the eSIM itself is a separate matter: of the many ways to activate a new eSIM profile, several are unsuitable for IoT devices, for example scanning a QR code on a device that has no screen or operator. The arrival of SGP.31/32, the GSMA eSIM IoT specification, is expected to accelerate eSIM adoption in IoT because it reuses the SM-DP+ architecture of consumer eSIM and adds a remote manager (the eIM) that can trigger profile downloads for a fleet of devices with no local interaction.
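To make the IoT SAFE pattern concrete, the following is an added example in Go; it is not code from the original page, from Oasis or from the GSMA. It simulates the applet as an in-process object that generates a P-256 key and exposes only the crypto.Signer surface (public key out, signature over a digest out, key never out); the names simApplet, selfSigned, MutualTLS, device-0001 and iot-server.example are assumptions made for the example. The host wires that signer into a TLS client certificate, so every handshake signature is delegated to the applet and the private key never enters host memory; a server that requires client certificates then accepts an enrolled device and rejects one whose certificate it has never seen. A real applet is reached over the modem's SIM interface rather than by a function call, and the device certificate would be issued by a CA rather than self-signed.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// simApplet is a software stand-in (constructed for this example) for the IoT SAFE
// applet on the SIM: the key is generated inside and never exported; the host sees only
// the crypto.Signer surface. Sign takes a digest and returns a signature, never the key.
type simApplet struct{ key *ecdsa.PrivateKey }

func newSimApplet() (*simApplet, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &simApplet{key: k}, err
}
func (a *simApplet) Public() crypto.PublicKey { return &a.key.PublicKey }
func (a *simApplet) Sign(_ io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.key, digest)
}

// selfSigned issues a self-signed certificate for signer's public key (a real deployment
// would have a CA sign it; self-signed keeps the example short).
func selfSigned(serial int64, cn string, dns []string, eku x509.ExtKeyUsage, signer crypto.Signer) (*x509.Certificate, []byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dns,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, signer.Public(), signer)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, der, err
}

// MutualTLS runs a TLS 1.3 handshake over loopback TCP. The device authenticates with a
// certificate whose private key exists only inside the applet; the server requires a client
// certificate and accepts it only if the device was enrolled (its certificate is trusted).
// It returns the CommonName the server verified on the device certificate.
func MutualTLS(enrolled bool) (string, error) {
	applet, err := newSimApplet()
	if err != nil { return "", err }
	devCert, devDER, err := selfSigned(1, "device-0001", nil, x509.ExtKeyUsageClientAuth, applet)
	if err != nil { return "", err }
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return "", err }
	srvCert, srvDER, err := selfSigned(2, "iot-server.example", []string{"iot-server.example"}, x509.ExtKeyUsageServerAuth, srvKey)
	if err != nil { return "", err }
	devPool, srvPool := x509.NewCertPool(), x509.NewCertPool()
	if enrolled { devPool.AddCert(devCert) } // an unenrolled device is simply not trusted
	srvPool.AddCert(srvCert)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvDER}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    devPool,
		MinVersion:   tls.VersionTLS13,
	}
	cliCfg := &tls.Config{ // PrivateKey is the applet: every handshake signature is delegated to it
		Certificates: []tls.Certificate{{Certificate: [][]byte{devDER}, PrivateKey: applet}},
		RootCAs:      srvPool,
		ServerName:   "iot-server.example",
		MinVersion:   tls.VersionTLS13,
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return "", err }
	defer ln.Close()
	var seen string
	errc := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil { errc <- err; return }
		srv := tls.Server(raw, srvCfg)
		defer srv.Close()
		if err = srv.Handshake(); err == nil { // on success a verified client cert is present
			seen = srv.ConnectionState().PeerCertificates[0].Subject.CommonName
		}
		errc <- err
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil { return "", err }
	defer cli.Close()
	if err := <-errc; err != nil { return "", err }
	return seen, nil
}

func main() {
	fmt.Println(MutualTLS(true))  // device-0001 <nil>
	fmt.Println(MutualTLS(false)) // empty name and a verification error from the server
}
```

The point to take from the block is the shape of the interface, not the TLS plumbing: the host never holds anything it could leak or have stolen, because crypto/tls only ever asks the signer for a signature over a digest, which is exactly the division of labour between a device application and the IoT SAFE applet. Replacing simApplet with a driver that sends the same requests to the real SIM changes nothing else in the code.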
Although the eSIM ecosystem may seem complex, its security is vital to ensure that all of its elements can co-operate to provide the best and most secure customer experience.
To find out more about eSIM security, speak to a member of the Oasis team.