Secure eSIM Technology with flexibility and convenience

The recent evolution of the SIM card is testimony to this development. As with the SIM size and functionality itself, business models will gradually evolve to adapt to new approaches and market expectations. With the continuous trend towards connectivity between devices, the industry is working towards a standards-based solution that is performant, cost-efficient and interoperable between different suppliers. Both, device manufacturers and mobile network operators will continue to play a key role in how the SIM develops, the pace of evolution and the associated business models. Infineon is in an excellent position to serve this evolving market, thanks to its leadership in performance, quality and its extensive experience in embedded security projects. Infineon has been supplying approximately 10 billion security chips for plug-in SIM cards since the late 1990s and has shipped more than 200 million embedded SIM chips for emerging applications such as M2M communication or emergency Call for cars.

The evolution of the SIM card
It is now 26 years since GSM cellular networks were first deployed. In 1991, Giesecke and Devrient supplied the first commercial SIM card to a Finnish Network operator. The primary role of the SIM card was to provide anidentity token; ie. the SIM card contains a unique reference number that identifies the SIM card and therefore the subscription that accompanies that SIM card. Secondly, it was designed as a means of secured authentication in order to check that the identity is valid. Other benefits of a SIM card were portability and the separation between the device and the subscription. The very first SIM card was ISO payments card format (1FF), but in 1996 this was followed by the mini-SIM (2FF), which had the same contact arrangement as 1FF. The micro-SIM (3FF ) was developed by ETSI and launched in 2003. The nano-SIM (4FF) was standardised in early 2012. 

The impact of wearables, M2M and IoT
The market segment for wearable devices highlights the need for a further evolution of the SIM card. New consumer segments are being addressed by smaller devices in all kinds of shapes and sizes. With form factors and functionality of this segment evolving, the flexibility and connectivity needed, can only be provided by a fully embedded SIM card. This has been the case, for example, in the smart watch, where space is limited. Usually, smart watches or fitness trackers only work in combination as companion devices with a mobile phone. If fitted with an own LTE modem (together with the eSIM), the device can send and receive calls, text messages and pictures independently, thus enabling new revenue streams for MNOs.

The immense market growth of the Internet of Things (IoT) and Machine 2 Machine (M2M) communications also has an immediate impact on the evolution of SIM technology. The ongoing reduction in size of both modules and devices, for example sensors and meters, as well as use case scenarios requiring devices to suit more rugged environments, creates a need for an embedded form factor. The GSMA expects up to 10.5 billion mobile connected devices by 2020 leading to a huge market opportunity for eSIMs, predominantly in the machine-to-machine (M2M) and mobile consumer devices sectors.      

M2M devices present unique challenges to the role of the traditional SIM card. Frequently, the devices are dispersed across a multitude of unmanned locations as well as exposed to external influences such as weather (e.g. remote sensors / vending machines), and temperature and vibration (e.g. automobiles). 

An embedded SIM is suitable for the use in closed devices such as industrial meters or a sealed component in a fleet management system. The embedded SIM takes the standard SIM contacts and makes them available on a surface mounted package, a solderable MFF2 form factor, according to the ETSI specification

With an embedded SIM, the physical hardware element is always present and adds an indispensable layer of security. In order to achieve this, the SIM has its own non-volatile memory. So secret credentials and identities as well as cryptographic algorithms are stored within one tamper resistant secure element. A SIM, whether it is removable or embedded in the device, is still a combination of cryptographic, tamper resistant hardware along with software that enables cellular connectivity and, amongst other functionality, stores the operator profile(s) required to use the mobile network. 

The eSIM is a standardised chip open to all mobile network operators. Technically, the term eSIM refers only to the virtual functionality of RSP (remote SIM provisioning), which means that the SIM module does not need to be removed from the device when the user’s preferences change. The consumer does not need to replace or change physical SIMs. Both network and operator profiles can be switched seamlessly without the user noticing. The GSMA has released a global eSIM specification, which enables any consumer device to store more than one operator profile. On the basis of the eSIM standard, the consumer can select an operator of choice and simply download the chose SIM profile to the device. The eSIM functionality gives the consumer a lot of flexibility and allows for cost reduction when switching operator.

Other approaches, like an integrated SIM, are "shelled" within an application processor; the discrete component is replaced completely. Such an integrated SIM usually needs to connect to an external memory, an architecture that is inherently more vulnerable to attacks. These concepts impose unpredictable security threats.  

The huge potential of the eSIM handset
"The (GSMA consumer eSIM) initiative does not aim to replace all SIM cards in the field, but is instead designed to help users connect multiple devices through the same subscription and will help mobile device manufacturers develop a new range of smaller, lighter mobile-connected devices that are better suited for wearable technology applications," GSMA, February 2016

Losing plug-in SIM connectors means that a substantial amount of extra space inside a mobile device is freed up, allowing handset manufacturers to reduce device girth by replacing it with a diminutive embedded equivalent. With space at an absolute premium in modern smartphones, the eSIM will enable manufacturers to offer even slimmer phones.

With such an eSIM handset, the consumer can easily choose the carrier, access a multitude of offerings from different carriers and switch profiles easily. In terms of convenience, subscription should be faster for the owner of an eSIM handset and possibly done completely online, making paper-based agreements are thing of the past. The handset manufacturers profit from a simpler supply chain, manufacturing one device configuration that can potentially connect to any network all over the world; they can lose the SIM slot and simplify their designs. Mobile network operators no longer have to handle the physical distribution of the SIM.

With all the obvious benefits of the eSIM, concerns about the slow adaption remain. The challenge with eSIM concept seems not to lie with the technology, but with the infrastructure as well as the cooperation of all the various parties, including network operators and manufacturers. This is where the GSMA’s standardisation efforts are coming to fruition: enabling a user to “pull” a new operator profile by means of a voucher after entering a contract, was first adopted by Samsung's Gear S2 Classic 3G after the GSMA released the eSIM specification in February 2016.

The eSIM specification has since been backed by Apple, Samsung, Microsoft, Huawei, Sony, and LG, along with chip makers, SIM suppliers, and mobile network operators. A year on, it looks like the specification is starting to gain some real traction following the Apple Watch 3 launch:

"The Apple Watch 3 is just the tipping point for eSIM. Its true potential will only be unlocked – and noticed by the larger, smartphone-wielding public –when we see the first eSIM handset, as it’s likely to be slimmer than anything we’ve seen before."

Source:  Andrew Williams, Trusted Reviews, September 2017

Security and standards are indispensable
Despite the changes in technology and size, the fundamental elements of connectivity, identity and authentication are still core to the role of the SIM card today. Within the handset, an embedded SIM uses the standardised interfaces, which enables the embedded component to be designed-in like the removable SIM in thousands of models of handsets on the market. For the OEM, this translates into a near seamless migration from SIM to eSIM, as both are based on the same development environments.

The concept of a separate security assured, combined hardware and software element being used has remained. Operators are very concerned about the security of their credentials and the potential reduction in security that could arise through the use of an SIM integrated into the Baseband or Application processor. It is well known that Operating Systems are more likely to be subject to attacks than hardware and therefore could leave the operator profile open to the threat. 

Any SIM approach not based on a certified hardware and software secure element could be subject to continued various attacks and, if compromised, would result in a serious loss of customer confidence in the security of operator systems. (Source: GSMA)

The big success factor of SIM cards has always been the full interoperability and network carriers’ ability to rely on one standard and one backbone system.

The eSIM is based on a tried-and-true product that is just reduced in size and that will allow consumers to switch network carriers digitally instead of physically. It enables the industry to stay with the same set-up and security relevant aspects stay with the experts in the field, such as Infineon Technologies. Security expertise is more than just designing and building a certain piece of hardware, it is essentially about staying ahead of security and threat evolution, developing leading edge countermeasures reflected in ever-evolving technical requirements. Network carriers can rely on trusted players in a trusted value chain with trusted processes. Every phone manufacturer has access to these embedded SIMs and there is no need to purchase a specific reference baseband as all interfaces and interactions between SIM and phone remain fully standardised.

It is an altogether different outcome, however, when looking at an integrated SIM: The SIM integrated in the baseband chip can achieve a similar functionality and may even achieve a hardware Common Criteria certification, however it is a whole new process, and the process where the SIM is integrated into the processor is no standardised design that will be equal in all application / baseband processors. So an integrated solution ties both device manufacturers and Mobile Network Operators into proprietary solutions.  In terms of interoperability and security, this development is a step backwards

Infineon: Expertise, excellency and partnership
Infineon has been supplying approximately 10 billion security chips for plug-in SIM cards since the late 1990s as well as high quality security controllers for embedded SIMs since 2008. In its role as a GSMA associate member, it will drive further development of next-generation embedded SIM standards.

Infineon is in an excellent position to serve the growing eSIM market thanks to its leadership in performance, quality and embedded security projects. Infineon shipped more than 200 million eSIM chips for emerging applications such as M2M communication or emergency Call for cars (eCall).

Besides industrial and automotive applications, eSIMs are also increasingly used for connecting consumer devices to mobile networks. Infineon offers miniaturised versions for smart phones or wearables such as the Samsung Gear S2 smart watch. Infineon provides the world’s smallest eSIM, which measures only 1.25x1.2x0.4mm – 200 times smaller than a classic MiniSIM.

Infineon’s comprehensive product offering for consumer as well as automotive and industrial applications includes high end controller families SLE 97 (consumer grade), SLM 97 (industrial grade) and SLI 97 (incar grade for automotive). Both fully support the GSMA eSIM standard’s hardware requirements as well as the special requirements of the automotive industry, Infineon’s smallest eSIM packages make a perfect match for miniaturised wearables.

However, in order to play a leading role, a supplier of embedded security products has to be a trustworthy and trusted partner with a clean track record of securely receiving, treating, storing and loading credentials such as digital certificates or secret keys in a reliable way for large scale projects. Infineon has honed its expertise in this field for over twenty years and has been instrumental in the shaping of standards that helped enabling the widespread adoption of embedded hardware-based security.