GSMA’s recent release of an eSIM specification for constrained IoT devices revolutionizes remote SIM provisioning. Addressing challenges in managing smaller sensors, this innovation simplifies the process. Device owners order profiles from a mobile service provider, enabling the eSIM IoT Remote Manager to facilitate secure, encrypted profile downloads to the eUICC. Anticipated to streamline eSIM adoption for IoT, this advancement promises easier connectivity management that integrates well with different device management solutions.  eSIM Innovation

eSIM is a remote SIM provisioning technology that replaces plastic SIM cards with electronic profiles containing the same subscription data. A device supporting eSIM is equipped with dedicated hardware on which the electronic subscription profiles are provisioned remotely. This hardware is either a separate embedded chip called an embedded universal integrated circuit card (eUICC) or integrated into another chip, such as the modem chip, and referred to as an integrated eUICC (ieUICC).

So far, eSIM technology has been used for consumer devices and large IoT devices, such as cars. However, the technology has not supported constrained IoT devices, and remote management has been complicated. There is high demand from the industry for a simpler eSIM solution that works on constrained IoT devices, such as small sensors, which have limitations in network, memory, power, user interface (UI), central processing unit (CPU), and so on. Ericsson has been working with GSMA on the new eSIM specification addressing these devices.

A simplified architecture of the new specification is shown in the figure below. The remote provisioning of subscription profiles works as follows: The device owner (for example, enterprise, IoT service provider, or user) orders one or more profiles for its devices from a mobile service provider (MSP). The profiles are prepared at a provisioning server, that is, Subscription Manager-Data Preparation + (SM-DP+), and the eSIM IoT remote manager (eIM) is requested to trigger each device to download a profile. The profile is delivered in encrypted form from SM-DP+ so that only the targeted eUICC can open it. The profile is downloaded, installed, and enabled by leveraging some form of connectivity—either through cellular connectivity, utilizing a previously provisioned subscription profile in the eUICC, or through another radio interface, such as Bluetooth or WiFi, or a physical interface, possibly facilitated through another device. The IoT Profile Assistant (IPA) in the device assists in profile download and profile management.

Subscription provisioning over LPWA networks

To expedite the introduction of eSIM for constrained IoT into the market, it’s crucial to leverage the existing eSIM ecosystem. However, the current eSIM specifications for consumer devices and machine-to-machine (M2M) devices depend on devices supporting protocols like hypertext transfer protocol secure (HTTPS) over transmission control protocol (TCP) and SMS for SIM profile provisioning. These protocols are not suitable for low-power IoT devices connecting through low-power wide-area (LPWA) networks such as narrow-band IoT (). Despite both architectures facing protocol issues, the architecture from the consumer eSIM specification was selected as the foundation for the new specification.

To address the protocol issue, a new entity, the eIM, is introduced in the new specification. It can act as an intermediary and assist in subscription provisioning, converting from the nonconstrained protocols to the constrained protocols. The eIM relays profile download messages between the provisioning server, also known as SM-DP+ and the IoT device. SM-DP+ utilizes HTTPS over TCP for profile transfer. The eIM terminates this protocol and forwards messages using a protocol suitable for low-power IoT, such as constrained application protocol (CoAP) over datagram transport layer security (DTLS) over user datagram protocol (UDP), to communicate securely with the device. It should be noted that the subscription profile is protected end-to-end between the SM-DP+ and the eUICC, the same way as for consumer devices.

To accommodate the diverse range of protocol stacks employed in today’s IoT landscape for management and communication—such as lightweight machine-to-machine (LwM2M), message queuing telemetry transport (MQTT), and distribution line message specification/companion specification for energy metering (DLMS/COSEM)—the new specification permits the use of any protocol stack (provided it ensures sufficient security) between the IoT device and the eIM. For constrained IoT devices grappling with limitations in power, CPU, and memory, leveraging the same protocol stack for device and data management, including profile download and management, serves to reduce the device’s complexity. Similar to eSIM for consumer devices, profile provisioning is possible over any connectivity supported by the device, such as Wi-Fi or Bluetooth. This allows for flexibility in managing the device over its life cycle. In particular, there is no need to pre-provision the eUICC with a profile at eUICC manufacturing or personalization. Instead, the first subscription profile can be installed on the device over any connectivity at any point in time.

The new specification also addresses IoT devices that are only constrained in terms of UI. Such devices may support HTTPS over TCP and can directly connect to the provisioning server (SM-DP+) for the profile download, similar to consumer devices. These devices may connect to the eIM only for subscription management. HTTPS over TCP can also be used in communication with the eIM.

Simplification in remote subscription management eSIM Innovation

Subscription management, in this context, refers to enabling, disabling, and deleting a subscription profile on the IoT device. The new specification caters to devices with constrained UI or those without UI. Such devices cannot utilize local subscription management, as used in the eSIM specification for consumer devices, and in many use cases, there is no user present who can perform local subscription management. In the new specification, subscription management is instead handled by a remote subscription manager, the eIM.

In addition to secure communication between the IoT device and the eIM, a binding has been introduced between the eIM and the eUICC to prevent unauthorized profile management operations. For example, malware on the IoT device cannot issue profile management commands toward the eUICC due to this binding. The binding is realized by the eUICC storing the public key or certificate of the eIM. The eUICC accepts only profile state management operations (PSMOs) signed and replay-protected by the eIM to manage the state of subscription profiles. The eUICC may respond with signed and replay-protected messages, utilizing its eUICC identity and certificate, which is also employed to authenticate the eUICC during profile download.

The remote management of the subscription profiles in the new specification is simplified compared to the remote management for M2M devices, where the Subscription Manager-Secure Routing (SM-SR) acts as the remote subscription manager. In the M2M specification, to secure remote profile management, a binding between the SM-SR and the eUICC must be pre-established at eUICC manufacturing or personalization. In the new specification, the establishment of a binding at eUICC manufacturing or personalization is not mandatory. Instead, the eIM can be configured and easily changed in the eUICC at any life cycle state of the device, enabling the manufacturing of large batches of devices without pre customizations or bindings.

With the new eSIM specification, there is no need for the costly and complex integration of the SM-SR with provisioning servers, which typically restricts one SM-SR to work only with a limited number of MSPs. The common HTTPS-based interface supported by all SM-DP+s is inherited from the eSIM consumer specification, and the same activation codes used for profile download for consumer devices can be used for the IoT. How the activation codes are delivered from the MSP to the IoT device owner and to the eIM is up to the MSP to define. Consumer device activation codes are often provided as QR codes. For many subscriptions purchased for IoT devices, something simpler should be considered; for example, a simple file containing a list of activation codes. It’s up to the MSP to define and provide convenient procedures.

Embedded versus standalone eIM eSIM Innovation

The eIM may either be a standalone eIM or embedded as part of a management platform, such as a device management platform. In the latter case, the same existing protocol stack for device and data management can also cover profile download and profile management. This reduces the complexity of the device, which is important for constrained IoT devices. An enterprise or IoT service provider may implement an eIM as part of its device management platform, and existing device-triggering mechanisms of the management platform can also be used for profile download and profile management. Such an embedded eIM doesn’t need costly and complex certifications similar to SM-SRs and provisioning servers, such as SM-DP+s.

The standalone eIM may be operated by a third party, such as a SIM vendor. It offers eIM services to many different IoT devices with different constraints and complexities, supporting different protocols for communication and triggering mechanisms. The standalone cannot support all IoT protocols; therefore, the new specification explicitly describes how to use two protocols, namely HTTPS over TCP and CoAP over DTLS over UDP, for secure communication between the eIM and the IoT device. It’s expected that standalone eIMs and, most likely, consumer IoT devices will support these protocols. For the standalone eIM, providers can seek certification to establish evidence of a trusted service.

Optimizations

Besides the possibility of using protocol stacks for low-power IoT, the new specification supports optimizing data exchange for constrained IoT. Such optimizations involve offloading some of the functionality from the device to the eIM, such as profile metadata verification and activation code handling. The end-to-end protocol between the provisioning server (SM-DP+) and the eUICC remains unchanged in the new specification to leverage the existing eSIM ecosystem and provisioning servers. Optimizations reduce the number of transmitted bits by the IoT device.

These optimizations prevent the need to send data from the IoT device to the eIM, which the eIM is already aware of. For example, the eUICC certificate and intermediate CA certificates chaining back to the GSMA root CA certificate, which is sent from the eUICC to the SM-DP+, may already be known to the eIM (for example, preprogrammed) and don’t have to be transmitted over the constrained network to the eIM. These may then be added to the eUICC-signed messages by the eIM when forwarding the eUICC-signed messages (received from the IoT device) to the SM-DP+.

Efforts are underway to optimize the actual profile structure, aiming to decrease the number of transmitted bits over the constrained network. The end-to-end protocol between the SM-DP+ and the eUICC may also benefit from optimization in terms of the number of roundtrips and data structure formats, but these enhancements are reserved for future releases of the specification.

Applying the new specification

We anticipate widespread adoption of the new specification across various use cases. This includes scenarios traditionally addressed by the M2M specification as well as novel applications in the realm of constrained IoT, consumer IoT, and industrial use cases.

To illustrate how the new specification could be used in practice, let’s consider a company that ships temperature-sensitive vaccinations around the globe. Each vaccination batch must be kept at a precise temperature, so the vaccination batches need to be equipped with a temperature sensor to detect and alert to any deviations in the required conditions. Given the lengthy sea shipping routes and the fact that devices can only connect to cellular networks in ports, the devices must have batteries with a duration of several months. The company wants to track each vaccination batch and its conditions along the route through its logistics department.

The company can now purchase general temperature and location sensors equipped with an eSIM and cellular radio. First, the device is connected over Bluetooth to its device management platform, which also contains an eIM. The device management platform, together with the device and IPA, programs the eIM public key into the eUICC to create the secure binding. The eIM, together with the device and IPA, then download a subscription profile from an MSP’s SM-DP+ after acquiring the subscription and an activation code for the profile download. After this, the device can be managed and monitored with the device management platform over a cellular low-power network utilizing LwM2M.

When the device moves to another country and reports its location along with the temperature readings from the vaccination container, the company can buy a new subscription from the local MSP and download it to the device. Upon the device’s return to the original region, the eIM of the device management platform can seamlessly transition the device back to its original subscription.

Consumer devices, such as mobile phones and smartwatches, have support for eSIM management through the consumer specification. However, consumer IoT devices with limited or no UI have been lacking an eSIM solution. The new specification can enable a whole new set of consumer IoT devices to utilize cellular connectivity. For example, remote eSIM management for surveillance cameras, consumer electronics, and various devices such as smart dog collars and light bulbs could be enabled with eSIM.

For a service provider, the new specification opens up new possibilities for equipping new and even smaller devices and NB-IoT devices with mobile subscriptions without the logistics costs of physical plastic SIM cards. For equipment vendors, the new specification enables the use of eSIM in new kinds of devices—with extremely low battery consumption and hermetically sealed devices without any latches.

Next steps eSIM Innovation

The work on the test specification, compliance, and certification of the eUICC for IoT is expected to be ready during the first half of 2024. The new specification will co-exist with the M2M specification but will likely gradually replace the M2M specification for nonconstrained devices due to the complexity and cost associated with it. Further work within GSMA is expected to improve eSIM for IoT. Besides optimizing the end-to-end protocol between SM-DP+ and the eUICC mentioned above, it’s expected that the new specification will align with improvements and new features in version 3 of the eSIM specification for consumer devices (the new specification is currently based on version 2 of the consumer variant). For example, the Public Key Infrastructure changes and the use of multiple enabled profiles (MEPs) within one eUICC are features introduced in version 3 of the consumer specification and are useful for IoT devices. MEP is, for example, interesting for less constrained IoT devices (for example, only constrained in UI) where multiple modems may be deployed and they must always stay connected. One should be careful to keep the IoT specification simple and easy to deploy while introducing the new features from the new consumer specification and when evolving the IoT specification. eSIM Innovation

Like this? "Sharing is caring!"