e-SIMs could unlock door to fresh security risks, claims KPN


Remote SIM provisioning has been seen as an easy and cost-effective means of unlocking the Internet of Things for telcos, but a new KPN report says the technology could also open the door to fresh security risks.

The Dutch operator has just released its European Cyber Security Perspectives 2017 report, a weighty look at global threats that is supported by the likes of PWC, Kapersky Labs and the GSMA.

It is the latter's remote SIM provisioning standard that has caused concern at KPN.

Daan Planqué, from KPN's Cyber Security Academy, says it is a move away from the traditional SIM model, where a phone has an encrypted connection with the mobile network. Both the SIM and operator know a unique key that protects users from the likes of spoofing or fraudulent use.

If this key is compromised, then a new SIM card can be swapped into a phone, giving a user access to a new key and a new encrypted connection built from scratch.

He says because the new generation of eUICC SIMs, or e-SIMs, will be soldered onto a phone's motherboard or integrated into its processor, it raises the question of how will a phone know what the operator wants it connect to?

[Read more: eSIMs to approach one billion shipments by 2021, report claims]

Enter the GSMA's remote SIM provisioning standard, which is aimed at solving this problem.

Under this standard, the unique key will now be served on a remote server called Subscription Management Data Protection (SM-DP+).

When a device requests a profile, the SM-DP+ will ask an operator for approval and, if granted, a complete subscription profile will be sent to the SIM. 

A separate root certificate authority will be responsible for confirming all parts of the "chain of trust", as Planqué puts it, are legitimate.

Planqué says the issue is with the SM-DP+, which is online and open to threats, namely the hacking of unique keys and ultimately all traffic between a device and a base station being decrypted.

He adds: "This would allow a criminal to clone a SIM card and call expensive phone numbers for financial gain or prevent you from connecting to the mobile network."

He says further safeguards need to be put in place to secure the root certificate authority. If compromised, it breaks the "circle of trust" and ability to verify the network from the remote SIM.

"The only solution then is to replace the processor or motherboard of the device," he adds, something that would be compounded by the volume of IoT devices connected by the e-SIM.

He stresses the ongoing nature of the standards being developed means he hopes the ultimate version of the e-SIM will be more secure.

He adds: "In the end, it comes down to the importance of taking security into account right from the start when designing a new system or standard. This goes, not only for the systems of vital importance to modern society, but also the smallest and least significant devices there are."

Elsewhere in the KPN report, Vito Rallo and Bram van Tiel from PWC warn the IoT’s success hinges on trust. They write: "Trust is more than security. It is a concept influenced by many properties in the IoT value system, tightly linked to security and inevitably related to privacy."

In order to succeed, they recommend IoT service providers and device manufacturers build trust deeply into their products. They add: "Humans must extend the trust circle to machines; that sounds scary, but again there’s nothing new as we do it every day when driving our cars or submitting bank transactions on-line."

Even though it's a telco-led report, it's not just operators that should be worried. As Hans De Vries, Head of the Dutch National Cyber Security Centre, notes: "Incidents in other countries show us cyberattacks can cause great impact, for example when they are used to bring down power grids or when personal IoT devices are used to perform DDoS attacks on websites. Cyber threats are coming of age, affecting individuals, organisation and society."