'Out of the box' Secure Connectivity for eSIM IoT Devices

By Nuno Teodoro, Chief Information Security Officer, TRUPHONE

Nuno Teodoro, Chief Information Security Officer, TRUPHONE

The Internet of Things (IoT) is no longer a trend, a hype, nor a utopic technological goal that the world will see in the future. The IoT is now a reality that places ubiquitous connectivity not only in the traditional phones and laptops, but in people’s homes, hospitals and medical centres, governments and critical infrastructures like industrial water reservoirs and electric grids.

Connectivity is more than ever a key factor in the IoT landscape. It’s safe to say that one of the latest biggest evolutions for IoT was the migration from the traditional Physical Removable SIM to the Embedded SIM (eSIM). The eSIM brings the flexibility for connectivity that physical SIMs prevented, by allowing seamless access to different networks, over the air, ease of management and interoperability. Moreover, this new technology represents increasingly small chips, allowing IoT devices to be more compact, reduce battery usage and be more resistant. Swapping operator profiles without removing the SIM is now a reality, as well as storing multiple profiles on a single device, meaning that roaming and moving devices can now automatically navigate between network providers for better coverage and rates.

As always in the cyber world, global connectivity between devices represents both massive business opportunities and security threats. Some threats will surely surpass the ‘by default’ embedded device technical controls and become more relevant and predominant as the IoT ecosystem matures. Several recent events show that the materialization of these threats may represent physical harm through manipulation or failure of devices, impersonation and fraudulent usage and the capabilities to redirect connectivity from devices to provoke massive Distributed Denial of Service (DDoS) and botnet attacks.

With the rise of ease of connectivity leveraging the IoT world, several organizations are building standards, frameworks and guidelines to safeguard this emerging ecosystem and finding ways to provide assurance that the IoT devices’ purpose remains safe and controlled. Some of the most known and active sources are the OWASP IoT Security Guidance, the IoT Security Foundation that created the IoT Security Compliance Framework and the GSMA IoT Security Guidelines.

With that in mind, Truphone has created an ‘Out of the box’ secure connectivity for the IoT ecosystem leveraged by the eSIM.

Truphone operates a GSMA certified Remote SIM Provisioning (RSP) site in which operators around the world trust their operator credentials to allow network subscriptions to be provisioned over the air.

These operator relationships allow for the digitalization of the physical SIM card profile and forms part of an eSIM profile consisting of network identification, credentials and applications. Once provisioned, these profiles are stored securely and protected by FIPS 4 certified hardware security modules.

Truphone has created a secure environment that is certified against both the ISO 27001 and GSMA Security Accreditation Scheme (SAS) Standards and implements several best practices aligned with the OWASP IoT Security Guidance and IoT Security Compliance Framework.

It’s not just a small change in the IoT world. The eSIM will actively improve cybersecurity. On the very basics, it will practically remove all threats of device theft as there is almost no need for physical access to the device for connectivity purposes.

The removable nature of the SIM translates immediately into the risk of changing connectivity in one device from the original owner’s SIM to a new ‘owner’. Reselling stolen devices will be a hard task for thieves as in the moment an eSIM-enabled device is switched on it will have connectivity and could be instantly traced by the authorities or by the manufacturer.

This tracking capability would also be extremely useful on a larger, industrial scale. Vehicles, equipment, and any other hardware with eSIM connectivity would be locatable at all times, so accidental loss or deliberate theft could be quickly remedied.

We are entering a new era in the IoT ecosystem, and Truphone believes that as eSIM becomes the de facto connectivity, these benefits will be increasingly evident. Security comes from an ‘out of the box’ connectivity for eSIM IoT devices, from the continuous ability to track and manage connected devices.