ENISA’s New Report on eSIM Technology Security Challenges and Risks in Europe
The European Union Agency for Cybersecurity (ENISA) publishes one report on eSIMs and a second on fog and edge computing in 5G. Both reports are intended to provide insight into the challenges of these technologies. The main points of ENISA's eSIM report for Europe are summarised below.
ENISA deep dives into the eSIM technology security challenges and investigates security issues for fog and edge computing in 5G in order to support the national security competent authorities of the ECASEC group and the NIS Cooperation Group workstream on 5G cybersecurity.
The case of eSIMs
eSIM is the generic term used for the embedded form of a SIM (subscriber identity module) card. Built into the device, the eSIM is hosted on a tiny chip that provides storage for the mobile subscription details in digital format.
Like the regular SIM card, the eSIM identifies a subscriber within a mobile operator’s network.
eSIMs are found in a wide range of products, such as smartphones, wearable devices, tablets, computers, medical internet-of-things (IoT) devices, home automation and security systems, connected cars, and handheld point-of-sale devices. eSIM technical specifications are standardised by industry bodies and allow for power efficiency, remote SIM provisioning and interoperability. eSIM-compatible devices are gaining momentum now that major operating systems such as Android, iOS, and Windows 10 support them.
eSIM advantages & security challenges
There are multiple advantages to using eSIMs over traditional SIMs. Devices can become flatter, more waterproof and more resistant to dust, and the eSIM’s small size leaves more room for other features. End users can also rewrite their eSIM, for example, to get a local pre-paid phone when abroad.
For mobile network operators (MNOs), logistics and support are simplified and new business opportunities arise, since eSIMs can more easily provide connectivity to IoT devices, which then become ‘smart’ within an IoT ecosystem.
eSIMs also present security opportunities. For example, if the device is stolen, it is easier for the MNO to switch the user profile. It is also harder for a thief to discard the SIM card after stealing the device.
The change from the traditional removable SIM card to an eSIM provides multiple benefits for the involved stakeholders.
SIM manufacturers | MNOs | Business customers |
---|---|---|
Gain access to new markets by providing the infrastructure and services that remotely provision SIMs, while the reduced space coming from the embedded design also has a positive impact on device designs, enabling additional functionalities (e.g. space saving for a bigger battery). | Gain new distribution models of subscriptions for consumer and M2M devices. They are able to provide quick tests for customers (‘trials’ of their network), while maintaining the same security levels. At the same time, they can reduce the substantial logistical costs for procurement and distribution to commercial channels previously associated with traditional SIM cards. | Gain flexibility and efficient management of their extensive numbers of M2M devices, with the comfort of no additional compromises on the existing SIM-card abilities. |
On the other hand, eSIMs present new security challenges and risks. For example, the arrival of eSIMs has opened up the possibility of eSIM swapping. Another challenge is the security of eSIM profile provisioning. End users can download a profile directly onto their devices. This could be targeted by attackers, who could push a new profile onto a device and take it over.
Still, no major technical vulnerability has been detected so far, and only a limited number of cybersecurity breaches have been reported. However, large-scale IoT deployment and the subsequent rise in the use of eSIMs could result in a rise in such cyber incidents.
SIM market and usage in Europe
The eSIM market has expanded significantly in recent years, with at least 232 mobile service providers launching eSIM services in 82 countries globally, including nearly all of the European Union’s member states.
Furthermore, according to the Trusted Connectivity Alliance’s most recent estimates of eSIM shipment quantities, the total number of eSIM shipments reported in 2021 hit 337 million units, an increase of 9% over the 309 million reported in 2020.
According to projections, this will result in eSIM shipments of more than 1.2 billion per year by 2025. When it comes to M2M solutions, eSIM is regarded as the best choice for long-term Internet of Things (IoT) implementations; predictions indicate that by 2025, there will be approximately 1.1 billion active profiles, up from 32.6 million in 2019 (a compound annual growth rate (CAGR) of 82%).
Overall, despite the COVID-19 crisis, forecasts indicate that the global market for eSIMs will reach an estimated EUR 1.7 billion by 2026, increasing at a CAGR of 28% from an estimated EUR 622.7 million in 2022.
Germany’s market is projected to expand at a CAGR of 27.7% within Europe, while the rest of the continent’s market is anticipated to reach EUR 178.6 million by 2026.
However, despite the significant commercial growth in the availability of devices with an eSIM, market adoption remains relatively low in terms of long-term uptake, with one key issue being consumer awareness. In particular, research by the Global System for Mobile Communications Association (GSMA) indicates that only 20% of consumers in the 25–34 age group are aware of eSIMs.
Another issue that might affect market adoption concerns network operators and their fear of losing direct access to the consumer. Specifically, through the adoption of eSIM, consumers will gain a flexible way to manage profiles between different MNO networks on the same device, which will redefine the competitive market of MNOs by breaking the existing lock-in effect (i.e. a SIM card being tied to a single MNO).
Despite obstacles, the market has been expanding gradually. According to the GSMA, more than 500 million smartphone connections worldwide – out of the total 8.3 billion SIM connections – will use eSIMs by the end of 2022, with Europe setting the pace with the fastest adoption rate. Additionally, it is anticipated that 2.4 billion smartphone connections—or about 30% of all connections—will use eSIMs worldwide by 2025.
Overview of Security Challenges and risks
Risk | Description |
---|---|
Risk 1: eSIM swapping | Obtaining personal data can lead to an attacker claiming a device is damaged and gaining access to a subscriber’s account, initiating an eSIM swap, and conducting a swap attack. eSIMs in IoT devices used in factories can be updated maliciously to get devices to join an attacker’s remote network where data can be manipulated. |
Risk 2: Memory exhaustion | Attackers deplete the memory resources of a computing system by carrying out a denial-of-service attack that prevents the system from providing services to legitimate users. The GSMA’s eUICC specifications define a remote-provisioning procedure, called ‘Download & Install,’ which transmits subscriber profiles to an eUICC from an MNO and installs these profiles onto the eUICC. During this step, memory is assigned, and the profile’s unique application identifier is set. |
Risk 3: Rogue SM-DP | A rogue SM-DP can impersonate an actual SM-DP and create false profiles, which can then be installed on eUICCs. These false profiles can include malicious content, leading to attacks on devices or networks. |
Risk 4: Rogue MNO | A rogue MNO can hijack the issuer security domain and install rogue profiles onto eUICCs, including those with malware or information-leaking functions. |
Risk 5: Malicious profiles | Malicious profiles can be installed onto an eUICC, leading to several threats such as data theft, privacy infringement, malware spreading, espionage, denial of service, and fraud. |
Risk 6: Rogue SM-SR | A rogue SM-SR can disrupt the ‘Download & Install’ procedure by returning error messages that may cause the entire process to fail, leading to a denial-of-service attack. |
Risk 7: Social engineering attacks | Attackers may use social engineering techniques to trick customers into revealing their personal data, including device identifiers, IMSIs, MSISDNs, and IP addresses. Attackers can then use this information to carry out attacks, such as eSIM swaps and identity theft. |
The case of fog and edge computing: the role it plays in 5G
Fog and edge computing has created new opportunities and novel applications in the 5G ecosystem. However, the telecommunications, cloud and industrial communities need to address multi-modal security challenges.
Architecturally a layer below cloud computing, fog and edge computing mainly aims to reduce the workload of edge and cloud devices by offering additional network and hardware resources to both parties.
Hosted at the network’s edge, this technology provides computing, data storage and application services to end users. It reduces service latency and improves the overall end-user experience. End users benefit from remote access to data storage and from the availability of services without needing extensive resources, which reduces costs.
The report provides an overview of fog and edge technologies in terms of 5G, in relation to their architecture, attributes, and security aspects. It also introduces the different architectural approaches and their applications, outlines the standardisation solutions and provides an analysis of application scenarios.
Conclusion
eSIMs have been fully and successfully introduced into the mass market and are now supported by all major network operators across Europe and by a variety of devices. With the help of all major device manufacturers, eSIMs are expected to become a standard feature in all major smartphone releases over the next few years.
eSIMs are also becoming the key Root of Trust (RoT) solutions for IoT devices. They have proven to be a secure evolution of SIM technology, supported by standardisation and advances in relevant enabling technologies. Although several security issues have been identified, current standards and evolving standardisation efforts seem to have adequately addressed these issues.
The role of authorities is twofold: enabling the adoption and introduction of a more secure technology that supports consumer interests while safeguarding and reviewing the integrity of supporting processes.