Feeds

Mind out, Apple: Ericsson leads charge against the SIM

Gemalto pitches in to manage the machines

High performance access to file storage

Gemalto and Ericsson have partnered to create SIM-less mobile phones aimed at machines rather than people - though the technology and techniques developed will be well-received in Cupertino.

The partnership will create a provisioning system to allow things (cars, electricity meters, etc) to be fitted with an embedded mobile phone*, without knowing the network on which it's going to operate, or even in which country it will be used. Gemalto, meanwhile, will kick in the secure provisioning system which will make the removable SIM redundant.

European mobile phones are required to conform to the GSM standard, which mandates a removable SIM so customers can easily switch networks, but Apple has been (successfully) leading a project to extend the standard to encompass embedded SIMs. Such SIMs could change network operators, letting Apple sell connectivity in the iTunes store and car buyers to select a mobile network** on first turn of the key.

Doing that in a secure way is hard, and replicating the long-term success of the removable SIM will be very tough.

Each GSM SIM stores a different secret key, which is replicated in the Authentication Server at the network operator. The key is never transmitted and can't be extracted from the SIM without an enormous amount of effort, and physical access. That shared secret is used to create matching "session" keys with which GSM communication is secured, and those session keys have been broken from time to time, but the shared-secret authentication made possible by the SIM remains secure.

Shared secret is always the best cryptography, assuming the secret can't be intercepted. Dual-key systems (such as RSA or ECC) only exist because of the difficulties in distributing a shared-secret, and such systems are only used in order to safely create a shared secret.

The removable SIM solves this problem by sending the secret in a secure package (the SIM) over a separate communications medium (the post), removing the need for more complicated solutions.

So an operator-independent SIM will have two options: store a shared secret for each network operator, and select which one based on user choice, or store a shared secret from a third party such as Gemalto, or Apple, then use that secret to encrypt the selected operator's secret on request.

The latter solution is better as it offers more flexibility and wider application, but it requires the network operators to share some secrets with that third party, and that is an enormous favour to ask. It's hard to imagine the operators agreeing to share secrets with anyone, but Gemalto is already providing the SIMs to many of them (and thus responsible for programming the secrets into those SIMs) so if they'd trust anyone then it would be Gemalto.

But it never pays to underestimate how craven the operators can be when confronted with iShiny, so where machines lead so human customers will likely follow. ®

* Technically the eUICC (embedded Universal Integrated Circuit Card) does perform the functions of a SIM, but through a chip soldered on the handset's motherboard rather than a detachable, removable unit.

** All new European cars will need a mobile network within two years, to conform with eCall legislation. ®

High performance access to file storage

More from The Register

next story
A black box for your SUITCASE: Now your lost luggage can phone home – quite literally
Breakfast in London, lunch in NYC, and your clothes in Peru
Broadband Secretary of SHEEP sensationally quits Cabinet
Maria Miller finally resigns over expenses row
Skype pimps pro-level broadcast service
Playing Cat and Mouse with the media
Beat it, freetards! Dyn to shut down no-cost dynamic DNS next month
... but don't worry, charter members, you're still in 'for life'
EE dismisses DATA-BURNING glitch with Orange Mail app
Bug quietly slurps PAYG credit - yet EE denies it exists
Like Google, Comcast might roll its own mobile voice network
Says anything's possible if regulators approve merger with Time Warner
Turnbull leaves Australia's broadband blackspots in the dark
New Statement of Expectations to NBN Co offers get-out clauses for blackspot builds
Facebook claims 100 MEEELLION active users in India
Who needs China when you've got the next billion in your sights?
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.