We are probably all aware of what a SIM is. Those fiddley thin pieces of
plastic we or the phone salesperson inserts into our new cellular phone when
we make a change. Over the years, SIMs have become smaller and smaller, yet
they still contain the same crucial information that identifies our cellular
device to the service provider and the network operator. Without a valid SIM,
we’re not able to connect to any network. While we’ve all had
challenges inserting a new SIM or waiting for the updated configuration
details to propagate through the cellular network, spare a thought for the
installers of the rapidly increasing numbers of IoT devices that use mobile
connectivity. For them, the idea of having to insert hundreds or even
thousands of SIMs for an IoT sensor deployment and the added complications of
dealing with cross border, regional or world-wide implementations creates not
only a significant operational challenge but also a major on-going management
Thankfully, the cellular industry has been working towards a practical
solution; the eSIM. An eSIM is just like any other surface-mounted component.
It is soldered on to the device’s PCB and is capable of being remotely
programmed with the access profiles of multiple cellular networks.
Suddenly, the logistical and management challenges associated with using
traditional SIMs have disappeared. An eSIM provides the opportunity for any
device to be quickly and easily reconfigured to operate on another
operator’s cellular network. Although the eSIM has solved the
inconveniences associated with a physically changeable SIM, it requires the
mobile industry to agree on how eSIMs are accessed and managed across the
network. Naturally, any device connected to a network poses a security risk,
something that network operators wanted reassurance on before widely
provisioning eSIM support.
This reassurance came from the GSMA. The eSIM Consumer specification was
developed by the GSMA and gained certification in 2015. It documents not only
the essential features of an eSIM but more importantly, the recommended
approach to security and software implementation when built into a
device’s embedded universal integrated circuit card (eUICC). The
specification stipulates that all security-based functions shall be certified
against the GSMA Embedded UICC for Consumer Devices Protection Profile
– PP0100. Despite initial caution from the operator community, the
existence of the GSMA eUICC Consumer Protection Profile, viewed as a
‘gold standard’ of security protection and the Common Criteria
certification approach, have now facilitated broad operator implementation of
eSIM and eUICC capabilities.
The Common Criteria evaluation involves independent design analysis conducted
by approved evaluation laboratories overseen by a government scheme. For
example, it provides the same level of assurance required for ePassports
against Common Criteria EAL5+. The evaluation includes the ability to resist
state of the art attack methods such as side-channel analysis, laser fault
injections and differential fault analysis.
An example of an eUICC is
NXP’s SN110U. This single-die PP0100 CC certified IC features an embedded secure element,
a near field communications function and an eSIM.