Securely connected in the IoT: Testing of SIM, eSIM, iSIM and nuSIM
The Internet of Things (IoT) is developing rapidly: Everything is connected to everything; machines talk to machines. The chip industry is also increasingly adapting to this by developing SIM products that are specifically tailored to the needs of digitalization. TÜViT has been involved in IT security issues from the very beginning.
SIM, eSIM, iSIM and nuSIM on trial
Whether SIM, eSIM, iSIM or nuSIM – they all manage and process data that are stored in protected form, such as the unique card number or cryptographic key, for example. In order to ensure that these critical data remain private, it is important to protect their confidentiality and integrity accordingly and deny potential attackers access to them.
With our comprehensive security tests, we support you by taking a close look at the IT security of your SIM products and putting the technical security requirements of your SIM solution to the test.
Would you like to provide proof of the security of your SIM, eSIM, iSIM or nuSIM in a manner that is also visible to the outside world? If so, we will support you on the way to successful certification.
Our services in the evaluation and certification process at a glance
Within the framework of our Scoping Workshop, together with you we define first of all the specific item that is to be certified. In the case of integrated solutions such as iSIM and nuSIM in particular, a key objective is to separate this logically from other items. The advantage of this focused distinction from other items is self-evident: Even if other parts of the chipset change, the certificate remains valid.
Design Review Workshop
Within the Design Review Workshop, the security of your product is scrutinized in detail within the context of a design and architecture analysis. This includes questions such as: What specific mechanisms does the SIM solution use to guarantee the confidentiality of the data stored on it? And how does it ensure their integrity? If problems are ascertained during this step, corrective action can be taken before penetration tests are initiated.
Testing the Product
The design, architecture and source code analysis is followed by intensive vulnerability analyses and penetration tests of your product. Here, practical testing is restricted to the specified item that is to be certified and the security requirements which are to be specified. Since test aspects can be processed in parallel as a rule, the runtime for the tests of a SIM, eSIM or iSIM is usually limited to 10 weeks – and those of a nuSIM will even take only 4 to 6 weeks due to its minimalistic nature.
All partial results of the evaluation are written down in a conclusive audit report. All tests are logged in such a way that they can be repeated and reproduced by a third party at any time. If all previously defined security requirements are robustly implemented by the item that is being certified, nothing else will stand in the way of the issue of a certificate.
Useful information about SIM, eSIM, iSIM and nuSIM
Frequently Asked Questions (FAQ):
What are the similarities and differences between the SIM solutions?
Whether SIM, eSIM, iSIM or nuSIM, all four solutions ultimately serve the purpose of uniquely identifying an edge device and authenticate it in the mobile network. This is carried out with the help of cryptographic secrets which are stored on the SIM solution and known outside the SIM by the respective network operator only.
And as we all know: If we change our contract from provider A to provider B, we will receive a new SIM card. After all, our new provider must know its cryptographic secrets in order to recognize us as a contractual partner.
The objective of eSIM is to replace this annoying card exchange. Instead, the so-called profiles on the SIM card are simply to be renewed by means of a software update. iSIM goes one step further in this respect: The card, which it has been possible to update since the launch of eSIMs, is now an integrated part of the device. The term iSIM stands for integrated SIM. Therefore, you don’t need to search for the SIM card slot of the mobile phone, as the SIM is installed inside the mobile device on the circuit board.
This makes iSIMs more cost-effective already at the production stage, while further advantages such as lower logistics and warehousing costs and the comparatively low energy consumption of the SIM solution can be achieved. nuSIM can be considered to be a variant of iSIM that has been reduced to the essential functions required for IoT devices. The focus here is on products such as sensors, which should have a battery life of at least 10 years.
How can eSIM, iSIM and nuSIM be differentiated from one another?
eSIM (embedded SIM) is a physical integrated circuit – i.e. a separate component – that is soldered onto the circuit board of a smartphone or IoT device and therefore permanently incorporated into the device. eSIM replaces the classic SIM card formats, such as nano, micro or mini-SIM, and within this context does not require additional hardware components such as card slots. So no new card is required when changing providers, only a software update. At the same time, eSIM offers all the functionalities of a physical SIM card. However, many of these are not required for the purposes of IoT.
This is where nuSIM comes in. The specific nuSIM solution was designed by Deutsche Telekom in cooperation with leading technology partners for applications on the Internet of Things. In contrast to its predecessor eSIM, it intentionally dispenses with the functions of a classic SIM card, which are scarcely required – if at all – for many IoT scenarios. The direct integration of the SIM functions into the modem chipset means that a space-hungry SIM card is no longer required and the free space gained is available for other components of an IoT solution.
At the same time, nuSIM belongs to the iSIM category (integrated SIM). This means that the SIM function is integrated directly into the modem chip and no additional component – as with the eSIM – is required.