a women holding a mobile phone

eSIM security concerns and how to solve them with Hardware Security Modules

Connectivity and mobility are paramount in today’s world, as more devices than ever are connected to the Internet and require a SIM card to connect to the service of a Mobile Network Operator (MNO). Therefore, ensuring security of eSIM and SIM cards has become a key issue in protecting data and communications.

SIM cards, short for Subscriber Identity Modules, are essential components that allow end devices access to Mobile Network Operator services. Traditionally, they are a separate entity and inserted into a device. With embedded SIM, the SIM is directly integrated into the device during the manufacturing process. 

eSIM = embedded Subscriber Identity Module

This integration enables remote provisioning and management of subscriber profiles, eliminating the need for separate physical SIM cards. With this innovation, users can now remotely provision and manage their cellular connections, enhancing flexibility and convenience. 
Already one step further in the SIM evolution is the iSIM, an integrated SIM.

iSIM = integrated Subscriber Identity Module

In this case, the SIM card is directly implemented in the System on a Chip (SoC) - the microchip that contains all relevant electronic components for a smart device. In this article we will focus on security on eSIM technology, however, some of the security challenges also apply to iSIMs and should therefore be taken into account.

eSIM technology: Benefits

The scope of eSIMs is expanding alongside the proliferation of IoT devices. As the Internet of Things continues its exponential growth, eSIMs will play a key role since the technology holds the following benefits:

  • Frees up space in the device for other hardware components
  • Increased resistance of the devices due to the absence of open slots
  • Lower costs
  • Longer battery life (smaller SIM modules allow more space for batteries)
  • Can not be damaged from the outside
  • Less logistical challenges
  • Less electronic waste

eSIM technology: Use cases 

Considering the benefits listed above, it should be clear that the use cases for eSIM extend beyond smartphone applications. In particular, eSIMs are being placed in wearable devices such as smartwatches, IoT devices, smart cars, laptops, and smart manufacturing equipment. The technology is being used in various industries, ranging from automotive to smart cities with IoT devices that monitor traffic flow, electricity consumption, waste collection, and connected healthcare environments

The market for eSIMs is not just booming; it's exploding. In 2023, the eSIM market was valued at a staggering 4.7 billion U.S. dollars, with forecasts predicting a growth to 16.3 billion U.S. dollars by 2027.

eSIM security issues: cloning, privacy concerns and other challenges in eSIM Management

While the advantages of eSIM technology are now clear, it's crucial to recognize the security concerns in eSIM management – with ensuring the privacy of sensitive subscriber data as the overarching goal. One of the most pressing concerns is software attacks. These attacks come in various forms with the most common being:

eSIM swapping / cloning attacks

Attackers manipulate the MNO by requesting a replacement of a SIM card to an open account. then they can access SMS and other services the original SIM should receive and exploit that for access that requires Multi-Factor Authentication.

Memory exhaustion

Contacting the eSIM profile and spamming it with useless, but large profiles. The goal is that the device will at some point be unable to contact the service provider and will be disconnected from the mobile networks.

Undersizing memory attacks

A SIM card contains flexible fields such as the “remainingMemory” field. With a specific injection attack, this field can be set to zero. Now this tricks the eSIM to assume there is no memory left, thus preventing any new profiles to be added to the eSIM.

Inflated profile attacks

Adding too many profiles to an eSIM so the memory’s capacity is reached. With no space left, it will be impossible to add new profiles and change the network provider.

Locking profile attacks

Locking the eSIM to one specific communications provider with a specific parameter in the profile. The result is that the device will be unable to switch networks and thus become useless.

Cybercriminals leverage these eSIM security issues to cause service unavailability or gain unauthorized access to sensitive information, posing a significant threat to subscribers, organizations, users, and mobile network operators.

Overcoming eSIM security concerns with cryptography

Think of an eSIM as a passport – a tool for verifying the identity of the holder. As with a physical passport, certain security mechanisms must be in place to verify the authenticity of the card and the connection to its holder.

Simply put, a secure authentication method must be implemented that addresses the following questions:

  • How does the recipient know that the sender is trustworthy?
  • How can the manufacturer and the device know that the data has not been tampered with during transmission?
  • How can the MNO ensure and verify the identity of the subscriber?

This is ensured with cryptography. Already in the production process a cryptographic key is injected into the eSIM card. Key injection is the starting point for securely injecting encryption keys to safeguard the cardholder’s data. It is also used to securely manage an IoT device over the course of its product lifetime. To ensure that device identities are not compromised, keys need to be generated by an HSM.

Now with a key being injected, there are two cryptographic methods to ensure secure authentication and information exchange in eSIM environments. 

A Pre-Shared Key architecture is based on symmetric encryption, based on the fact that only the involved parties are in possession of the key and can therefore establish a secure connection based on their commonly known secret. A public key infrastructure relies on asymmetric encryption methods. A key pair is produced that consists of a public and a private key pair that are cryptographically linked. Since these keys are linked, they can be used to verify each other's identity: The private key can be used to create signatures that can be verified with a public key.

For a detailed explanation, we recommend the whitepaper “The what and how of Remote SIM Provisioning” by the GSMA.

These cryptographic methods are used for various eSIM security use cases such as:

  • Reliable authentication of subscribers
  • Secure over the air firmware updates
  • Subscriber data and credential protection
  • Secure remote SIM provisioning

Now that all of this is based on cryptography and the exchange of cryptographic key validation, the question may arise: “Where do the cryptographic keys come from?”

Hardware Security Modules – the safe place for cryptographic keys used in eSIM management

A Hardware Security Module (HSM) is a physical device that generates, stores and manages cryptographic keys based on supported algorithms. You can consider it as the safe home for all cryptographic applications. 

When choosing an HSM for eSIM use cases it is valuable to consider the requirements of the GSMA. The GSMA is a global organization for the mobile communications ecosystem, with more than 750 mobile operators as members. Together they define certain security compliance requirements and standards for all kinds of use cases in the mobile world.

The compliance requirements for Hardware Security Modules and their hosting environments focus on security assurance, functionality, and interoperability. Specifically, the GSMA accredits hosting sites with its SAS-SM certification, which stands for Security Accreditation Scheme for Subscription Management. It gives mobile operators the assurance that the hosting sites fulfill appropriate security mandates and are regularly audited.

GSMA SAS certification is mandatory to bring an eSIM solution to market.

To meet the needs of the growing market, many providers are turning to cloud deployments. The GSMA specifies certain security requirements for this type of environment, including the mandatory use of Hardware Security Modules. Specifically, the “[...] storage and cryptographic computation for keys and certificate generation [...] shall rely on hardware security modules (HSM) that are FIPS 140-2 level 3 certified.” 

In the second part of this blog post, we will take a closer look at how to successfully adopt cloud technologies for eSIM management.

Source: enisa, Embedded Sim Ecosystem, Security Risks and Measures, 2023

About the author

Lena Backes is an IT Marketing expert with more than 10 years of experience working in the B2B sector. In her professional career, she has gained extensive knowledge in various areas, including cybersecurity, network management, enterprise streaming, and software asset management. In her current role she is responsible for product positioning of Utimaco’s cybersecurity products and solutions, with a particular focus on data protection, blockchain technology, and post quantum cryptography.

To find more blog posts related with below topics, click on one of the keywords:

How can we help you?

Talk to one of our specialists and find out how Utimaco can support you today.
You have selected two different types of downloads, so you need to submit different forms which you can select via the two tabs.

Your download request(s):

    By submitting below form you will receive links for your selected downloads.

    Your download request(s):

      For this type of documents, your e-mail address needs to be verified. You will receive the links for your selected downloads via e-mail after submitting below form.

      Your collection of download requests is empty. Visit our Downloads section and select from resources such as data sheets, white papers, webinar recordings and much more.