Abstract
GSMA is developing and standardizing specifications for embedded SIM cards with remote provisioning, called eUICCs, which are expected to revolutionize the cellular network subscription model. We study GSMA’s “Remote Provisioning Architecture for Embedded UICC” specification, which focuses on M2M devices, and we analyze the security of remote provisioning. Our analysis reveals weaknesses in the specification that would result in eUICCs being vulnerable to attacks: we demonstrate how a network adversary can exhaust an eUICC’s memory, and we identify three classes of attacks by malicious insiders that prevent service. We disclosed our findings to GSMA; GSMA confirmed the validity of these attacks and acknowledged their potential to disrupt the cellular industry. We propose fixes, which GSMA is incorporating into its specification. Thus, we improve security of next generation telecommunication networks.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
Meyer, Quaglia and Smyth provide a detailed introduction to GSMA’s specification [17].
- 2.
Immutable characteristics of eUICCs, set at manufacture time, are signed by the manufacturer and stored, with other mutable information, into the EIS file. The EIS file is issued by the manufacturer to the first SM-SR responsible for the eUICC.
- 3.
The SM-SR should perform the check to prevent a similar attack by the SM-DP.
References
Anderson, R., Kuhn, M.: Low cost attacks on tamper resistant devices. In: Christianson, B., Crispo, B., Lomas, M., Roe, M. (eds.) Security Protocols 1997. LNCS, vol. 1361, pp. 125–136. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0028165
Berard, X., Gachon, D.: Method for remotely delivering a full subscription profile to a UICC over IP, November 2013. US Patent App. 13/991,846
Berbecaru, D., Lioy, A.: On the robustness of applications based on the SSL and TLS security protocols. In: Lopez, J., Samarati, P., Ferrer, J.L. (eds.) EuroPKI 2007. LNCS, vol. 4582, pp. 248–264. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73408-6_18
Blom, R., Norrman, K., Naslund, M., Rommer, S., Sahlin, B.: Security in the evolved packet system. Technical report, February 2010
ETSI: Smart Cards; Embedded UICC; Requirements Specification (V. 12.0.0). Technical Specification 103 383, September 2013
Girard, P., Proust, P.: Method for managing content on a secure element connected to an equipment, November 2013. US Patent App. 13/991,823
GlobalPlatform: Card Specification (V. 2.3). Technical Specification GPC\(\_\)SPE\(\_\)034, October 2015
Gow, D.: Telefónica hit by record €152m anti-trust fine, July 2007. goo.gl/Dvx6kk. Accessed 6 Dec 2016
GSMA: GSMA announces mobile industry initiative to create a global remote provisioning specification for consumer devices, March 2015
GSMA: Business Process for Remote SIM Provisioning in M2M (V.1.0). Technical Specification CLP.05, February 2015
GSMA: Remote Provisioning Architecture for Embedded UICC (V. 3.1). Technical Specification SGP.02, May 2016
GSMA: M2M IoT Trust Model (V. 1.0). Technical Specification SGP.15, November 2017
GSMA: Remote Provisioning Architecture for Embedded UICC (V. 3.2). Technical Specification SGP.02, June 2017
Jiang, S., Smith, S., Minami, K.: Securing web servers against insider attack. In: Annual Computer Security Applications Conference, pp. 265–276. IEEE (2001)
Langley, A.: Further improving digital certificate security, December 2013. goo.gl/kRHHD6. Accessed 16 Jan 2017
Merrien, L., Berard, X., Gachon, D.: Method for transmitting a SIM application of a first terminal to a second terminal, May 2014. US Patent App. 13/991,542
Meyer, M., Quaglia, E.A., Smyth, B.: Overview of GSMA remote provisioning specification (2017). https://bensmyth.com/publications/2017-eUICC-overview/
Microsoft: Fraudulent Digital Certificates Could Allow Spoofing, August 2011. goo.gl/bLbSQM. Accessed 16 Jan 2017
Park, J., Baek, K., Kang, C.: Secure profile provisioning architecture for embedded UICC. In: International Conference on Availability, Reliability and Security, pp. 297–303. IEEE (2013)
Schneier, B.: Cyberwar, June 2007. goo.gl/SJW3oU. Accessed 12 Oct 2016
Schultz, E.E.: A framework for understanding and predicting insider attacks. Comput. Secur. 21(6), 526–531 (2002)
Sierra Wireless: The eUICC opportunity: harness the power of IoT eSIMS. White paper (2017)
Smyth, B., Pironti, A.: Truncating TLS connections to violate beliefs in web applications. In: USENIX Workshop on Offensive Technologies. USENIX Association (2013). see also INRIA tech. rep. hal-01102013 (2015)
Thomas, D.: France hits orange with & €350m antitrust fine, December 2015. goo.gl/B8z1Xf. Accessed 6 Dec 2016
Vermeulen, J.: Why it is legal for FNB to SIM-lock its smartphones, September 2016. https://goo.gl/xbX5zn. Accessed 16 Jan 2017
Wood, A.D., Stankovic, J.A.: Denial of service in sensor networks. Computer 35(10), 54–62 (2002)
Xie, L., Zhu, S.: Message dropping attacks in overlay networks: attack detection and attacker identification. ACM Trans. Inf. Syst. Secur. 11(3), 15 (2008)
Acknowledgments
This work was largely conducted at Huawei’s Mathematical and Algorithmic Sciences Lab in France.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 International Financial Cryptography Association
About this paper
Cite this paper
Meyer, M., Quaglia, E.A., Smyth, B. (2018). Attacks Against GSMA’s M2M Remote Provisioning (Short Paper). In: Meiklejohn, S., Sako, K. (eds) Financial Cryptography and Data Security. FC 2018. Lecture Notes in Computer Science(), vol 10957. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-58387-6_13
Download citation
DOI: https://doi.org/10.1007/978-3-662-58387-6_13
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-58386-9
Online ISBN: 978-3-662-58387-6
eBook Packages: Computer ScienceComputer Science (R0)