October 2016: Disrupting Convention and Breaking New Ground in Identity with eSIM

Executive Summary

Removable SIM cards have been a “work-horse” for the mobile industry since the inception of 2G-GSM and has provided mobile network operators (MNO) with a convenient means to authenticate, orchestrate and control mobile subscriber services and network connectivity. The removable SIM has served the mobile phone industry well, however supply chain and service complexities for connected computing and IoT devices have challenged removable SIM based solutions. These complexities have culminated in the development of embedded SIM solutions that can be programmed to support one or more MNO. The GSM Association (GSMA) spearheaded the embedded SIM (eSIM) standards both in terms of the operator profiles and remote monitoring procedures that are used. These standards were finalized in the first quarter of 2016, with a focus towards IoT devices, and with a spirit that emphasizes operators’ continued control over the SIM profiles that are used. The general functions associated with the GSMA’s eSIM standards are illustrated in Exhibit 1.

While the eSIM standards have a focus towards IoT devices, we believe that solutions will ultimately become the de facto SIM standard for all mobile connected devices. SIM technology vendors like Giesecke and Deviant (G&D) and Gemalto are well prepared for this transition, having made strategic investments in secure transaction management platforms to offset the commoditization of traditional SIM card technology. Other players like Oasis Smart SIM and Spirent have developed solutions specifically targeted towards eSIM implementations for IoT.

MNOs, particularly those with large prepaid subscriber bases, will be disrupted by eSIM technology, because eSIMs ease the challenges for mobile subscribers to switch networks. The eSIM standards themselves do not create the disruption, rather it is the ability of other ecosystem players such as device and communication module manufacturers and large enterprise customers to enable the fluid transfer of subscriptions amongst both MNOs and mobile virtual network operators (MVNO).

Some MNOs such as AT&T and SK Telecom recognize that as the variety of connected devices proliferate, there are opportunities to take a broader role in identity management and the manner in which identity is integrated with services and applications. When targeting these opportunities we expect that progressive MNOs will combine eSIM with other multi-faceted capabilities to provide trusted identity management solutions that securely segment physical, digital and virtual identity functions. Identity brokering and harvesting is an area that companies like Facebook and Google have cleverly targeted. As this has occurred we believe that the mobile industry has under-estimated the value of identity and have done a poor job in protecting the “real-world” physical identity of connected devices and their users from the applications and services to which they are integrated. This is a topic that will be investigated in more detail in an upcoming Tolaga report in the context of current and emerging technologies and techniques, such as those proposed with Block-Chain.

Exhibit 1: Schematic of eSIM (eUICC) Remote Provisioning Architecture
Source: Tolaga Research 2016


The humble Subscriber Identity Module (SIM) is a genius invention of the mobile industry by providing a physical means to separate connectivity services from the mobile devices that are used. The SIM is a secure hardware element that uses public key infrastructure (PKI) for devices to securely connect to mobile networks. The technology was invented in 1992 by Giesecke and Deviant (G&D) and is provided by a variety other companies including Gemalto, Eastcompeace, WatchData and Datang Microelectronics. SIM technology has been inherent to the GSM standards from the outset and subsequently enhanced with 3G-UMTS and 4G-LTE technologies, with improved form-factors, and to address vulnerabilities with GSM authentication.

Although the removable SIM stems from modest beginnings, it is of strategic importance for mobile network operators (MNO) because it allows them to manage subscriber connectivity, lock devices in cases where they are subsidized, and enables an effective means for managing and monetizing subscriber roaming. However removable SIMs create challenges for many other ecosystem players, such as mobile device and connectivity module manufacturers, whose global supply chains are disrupted by the need to provide local SIM cards for specific operators and with proprietary profile formats depending on the SIM vendor. This requirement has proven particularly troublesome for Internet-of-Things (IoT) devices that require soldered rather than removal SIMs, to address security requirements and form-factor constraints.

In 2014, Apple responded to the challenges with conventional SIMs by launching its own SIM for the iPad Air 2 and iPad Mini 3 tablet devices in the United States and United Kingdom. When using the Apple SIM, device owners can select from a list of available network operators to provide mobile network connectivity. Interestingly, Apple filed for a patent three years earlier in 2011, entitled “Multi MVNO and service provider platform and management”. This patent contemplates the creation of a MVNO platform. With this platform, MNOs can provide bids for the right to provide connectivity services to the MVNO provider’s end users.

Growing demand for IoT connectivity, (which has already led to some MNOs to enable global SIMs) and the market adoption of Apple’s SIM have helped catalyze embedded SIM (eSIM or eUICC) technologies and standards. The eSIM standardization was spearheaded by the GSM Association (GSMA), who focused primarily towards the demands for IoT connectivity modules. The technical demands for eSIM are not particularly arduous. However for eSIM to succeed, it was necessary for the GSMA to gain adequate support from MNOs, whose business models are disrupted with varying degrees by the eSIM initiative. The GSMA was successful in gaining sufficient industry support and developed standards to remotely provision eSIMs with standard operator profiles.

Getting a Little Geeky with eSIM

The solutions used to secure eSIM architectures are crucial. This was clearly illustrated in 2013, when Edward Snowden leaked documents that described mobile phone hacking techniques where the private keys used for SIM authentication were compromised. Once the SIM keys were obtained, it is alleged that the Government agencies used malware and other attack vectors to monitor the calling and messaging activities to and from the devices. Even in the absence of covert spying activity, once control over the SIM is attained, numerous other attack vectors are enabled, including the potential for identity theft, impersonation and device cloning. Additionally, in the case of IoT, compromised SIMs create the potential for man-in-the-middle (MITM) attacks to pollute data and disrupt networks and their associated operational functions. To address these vulnerabilities, eSIM solutions must be designed with the up-most attention towards security. In addition, there is a growing need for multi-factor authentication and authorization techniques that leverage other “sources of truth”, particularly as services become increasingly complicated and vulnerable.

The GSMA’s eSIM standardization efforts were motivated primarily by the challenges in delivering IoT solutions. This is particularly the case for hard-wired SIM technology in IoT connectivity modules that have global supply chains. It is also the case for highly mobile applications, such as connected cars and wearable devices. Standardization was needed to remotely provision eSIMs (also known as eUICC), with universally consistent operator profiles that supersede the proprietary profiles used for conventional SIM technology. While the eSIM standards targeted connected IoT devices, they also apply to smart-phones and other devices, so long as the necessary contractual agreements are established between eUICC and device manufacturers and the MNOs.

At the time of manufacturer, eUICCs are configured with a Bootstrap Profile, which is subsequently replaced with an Operational Profile to activate the device on a mobile network. One or more Operational Profile(s) might be stored on the eUICC. Furthermore, Profiles can be subsequently updated depending on the established contractual relationships between the end-users, device manufacturers and MNOs.

A schematic structure for the eSIM remote provisioning architecture that was standardized by the GSMA is illustrated in Exhibit 1, and includes the following components:

  • Subscription Manager for Data Preparation (SM-DP): which enables the secure preparation of the Operational and Bootstrap Profiles to be securely provisioned on the eSIM. The SM-DP also manages the installation of Profiles on eSIMs.
  • Subscription Manager for Secure Routing (SM-SR): which provides the secure transport of Platform and Profile management commands in order to load, enable, disable and delete Profiles on a eUICC.

Three entities that are needed to support remote eSIM provisioning are depicted in Exhibit 1, namely Operators (e.g. MNOs and MVNOs), eUICC Manufacturers and a Certificate Issuer. The “Operator” depicted in Exhibit 1 essentially falls into two categories, namely those that own the Bootstrap Profile that is provisioned at the time of manufacture, and those that own and provide the Operational Profile that is used to provide network services. The GSMA fulfills the role of Certificate Issuer role.

Not shown in Exhibit 1 are third party system integrators and device manufacturers, such as Apple, and Samsung in the case of smart-phones and Sierra Wireless, Telit and uBox, in the case of device module manufacturers. In some cases, ecosystem players might fulfill multiple roles, such as in the case where MNOs manage the eSIM provisioning process. Other players like Oasis Smart SIM and Spirent have developed end-to-end solutions aimed at delivering eSIM solutions for the IoT market.

The architecture created by the GSMA enables a subscription management framework for different operator profiles to be downloaded to eUICCs irrespective of whether the operators have the same or different SM-DP and SM-SR infrastructure. In addition the Profile in the SM-DP of one operator can be downloaded through the SM-SR of another. This contrasts conventional SIM solutions where individual SIM vendors have their own proprietary operator profiles.

When developing the eSIM standards, the GSMA emphasized the role of eSIM specifically for the IoT market. The standards have a natural bias towards MNO business models, with an apparent aim for MNOs to maintain control over the device connectivity alternatives for their subscribers. Even with this bias we believe that the eSIM will dilute the market control of MNOs. However, the relative power of the various ecosystem players will vary greatly amongst markets and depend on a variety of factors, such as the penetration of prepaid versus post-paid services, brand strength, the global footprint of device manufacturers, and the percentage of IoT connected devices. The eSIM will ease supply chain challenges for device manufacturers and increase the variety of connectivity alternatives offered to mobile subscribers. It will also empower mobile subscribers and possibly for other third party brokers to proactively manage their connectivity demands.

Opportunities in the Face of Disruption

The supply chain for mobile devices and IoT connectivity modules is improved using eSIMs, since the eSIM functionality can be embedded in the device at the time of manufacture. The eSIM could then be provisioned with the appropriate profiles for the markets where they are shipped. In addition, eSIM program-ability might create opportunities for device manufacturers and MNOs to customize products for specific market segments, sub-segments and individual users, without the need to swap out removable SIM cards. For example, device manufacturers might introduce product catalogs that allow device users to mix and match their connectivity provider and service plans at the time of purchase and while the devices are being used. Device manufacturers might also use the eSIM to dynamically manage device connectivity and absorb the associated costs. For example, this might build on the approach used for Amazon’s Kindle, and potentially create functionality akin to the MVNO service model patented by Apple in 2011.

Most MNOs have yet to develop strategies to anticipate the disruptions that are inevitable with the growing adoption of eSIM technology. However innovative strategies that capitalize on eSIM technology are on the increase, albeit primarily targeted towards IoT market opportunities. Notable strategies include the following:

  • Advanced Subscription and Service Distribution, which in many respects parallel those being contemplated by device manufacturers and other third parties. In a growing number of cases, MNOs are driving service and connectivity solutions beyond their own network boundaries to offer multi-national and global connectivity capabilities.
  • Alternative Subscriber and Service Life Cycle Management Strategies, to cope with the new ways in which subscriptions and services can be acquired and consumed. With eSIMs, physical store-fronts can be replaced with digital store-fronts. An innovative service might rely on the knowledge of the device location and the applications and peripheries that it has active to drive a particular service profile.

As eSIM solutions are developed and mature, we believe that industry players need to pay careful attention to the broader role of authentication and access control in identity management and service orchestration. This is particularly the case as services become reliant on multiple attached end-point devices and sensors, which leverage eSIM and other authentication and access control mechanisms. For example, a consumer might use a variety of wearables and periphery devices in addition to their smart-phones, for fitness, productivity, communications and collaboration, and physical security. When these various devices are deployed, mash-up techniques are commonly used to create innovative services and applications. From a systems architecture perspective, this effectively creates a many-to-many relationships between the identities of the devices, peripheries and the services offered. MNOs are well positioned to capitalize on the opportunities this creates.

Exhibit 2 illustrates an identity management architecture for several potential consumer applications. Each application requires specific virtual identity information from both cloud and device based sources. The virtual identities are abstracted from the physical identities of the devices and persons involved. This abstraction is enabled via digital identities that are used to secure the physical identities. In the case of the eSIM, the digital identities are the PKI key pairs that are used for authentication and access control.

Exhibit 2: Creating an Effective Architecture for Securely Scaling Identity
Source: Tolaga Research 2016

Based on the architecture in Exhibit 2, it is clear that the eSIM has the potential to play an important role in identity management. Exhibit 2 also demonstrates the need to abstract physical and digital identities from the virtual identities used by the applications. Unfortunately SIM technology and the subsequent eSIM standards have been designed for a different purpose and do very little to protect physical identity attributes. We believe that MNOs and other ecosystem players must pay attention towards the abstraction layers needed to ensure services and applications perform reliably without compromising identity. This will be investigated further in an upcoming Tolaga Report in the context of current and emerging identity management techniques such as those proposed with Block-Chain.

Conclusions and Recommendations

The eSIM is needed to address the challenges created by removable hardware SIMs. Many industry participants, most notably MNOs, are clinging to business models that are underpinned by the removable SIM, the market dominance of eSIM technology is inevitable, albeit with a relatively protracted time-horizon. As eSIM technology gains a market foot-hold, it creates opportunities for device and connectivity module providers and IoT technology providers to significantly improve their supply chains, and manufacturing and systems integration processes. Furthermore, using eSIM technology, consumers device manufacturers and other third party solution providers are potentially well positioned to slip into the “drivers-seat” for providing mobile network connectivity, which is particularly disruptive for many mobile operators.

As eSIMs gain market momentum, MNOs must respond with innovative solutions that focus on the benefits that they can garner from eSIM technology. This might include, opportunities to advance their service subscription and distribution models by reducing the friction for adoption and providing services beyond the boundaries of their networks using MVNO offerings. It might also involve advancing subscriber and service lifecycle management strategies that capitalize on the digital nature through which services are provisioned, and “mashed-up”.

While eSIM plays an important role to ease mobile network connectivity challenges, we believe that it lacks robustness for identity management. This is particularly the case as services and applications span multiple connected devices and virtual identities. MNOs are well positioned to capitalize on the growing value of identity, by addressing the shortcomings with SIM solutions. However this is also the case for other ecosystem players depending on how the solutions are implemented.