m2m devices communicate without human intervention. They are ubiquitous and have diverse applications, ranging from smart (e.g., smart-watches, -meters, and -cars) and medical devices, to ATMs and vending machines, for instance. A growing number of devices communicate over cellular networks , relying on infrastructures owned by mnos (mnos), who restrict network access to subscribers.
To receive service, m2m devices authenticate to MNOs, using an authenticated key-exchange protocol. For 3G and 4G networks, the Authentication and Key Agreement protocol (AKA)  is used,which allows a secure, over-the-air channel to be established between the device and the network. This is achieved using several cryptographic algorithms, a unique identifier (for each subscriber), and a symmetric key.
Historically, M2M devices have used dedicated smart cards, called sims (sims), to store the secrets needed to authenticate to and access operators’ networks. The SIMs used by M2M devices to access cellular networks are specified by the European Telecommunication Standards Institute (ETSI). They are known as Machine Form Factor (MFF2) sims  and are distributed using the following linear chain (illustrated in Figure 1):
MFF2 SIM cards are fabricated by manufacturers and shipped to MNOs.
MNOs personalize MFF2 SIMs by installing subscription data over a physical connection. (Subscription data refers to data and applications necessary to allow a device to connect and use a network, including a symmetric key, network parameters, a network access application (NAA), and an implementation of AKA.)111Alternatively, personalization is often done by the MFF2 manufacturer who ships SIM cards to MNOs along with the SIMs personalization information.
Personalized MFF2 SIMs are issued to M2M device manufacturers.
Device manufacturers embed MFF2 SIMs inside devices. (In Figure 1, the wireless logo appears on top of the M2M device to illustrate that the device has a subscription.)
Devices are then shipped to the relevant distributors, wholesalers, and retailers.
MFF2 SIMs suffer shortcomings including the following:
Subscription data must be installed using a physical channel, which increases costs and lead times.
MFF2 SIMs can only support a single subscription from a single MNO. Hence, a product intervention is required to change a subscription, which is costly for MNOs [10, p.13] and manufacturers, especially for devices in remote, inaccessible locations, e.g., underwater sensors used by offshore oil platforms.
Changing MFF2 SIMs is often a difficult operation, because to do so devices must typically be unsealed. Indeed, most remote M2M devices are sealed, either to prevent theft, or to protect its components when the device is operating in harsh environmental conditions.
Stakeholders are seeking new technologies to solve these shortcomings.
ETSI and GSMA are investigating remotely re-programmable sims to address shortcomings. The first specification for a remotely re-programmable sim was proposed by ETSI in working document TS 103.383 . This specification introduces an embedded uicc (eUICC) and the core requirements to enable remote provisioning. gsma have extended that specification , and have also released supporting documents , providing use cases and test cases for such an eUICC. GSMA’s specification has “received strong industry support” from several key operators, including AT&T, Deutsche Telekom, Orange, and Vodafone.
Contribution and motivation.
This article introduces and explains GSMA’s “Remote Provisioning Architecture for Embedded UICC” specification , with a focus on the smart card architecture, and on the remote provisioning mechanisms. Our work aims at facilitating the understanding of GSMA’s specification by presenting a comprehensive overview of GSMA’s specification, and of their M2M specification. GSMA’s specification for euiccs is marketed and considered by many operators and device manufacturers as the leading proposition for the next SIM technology that makes an attempt to meet the requirements for both remote provisioning and re-programmability of the SIM. As such, we believe it is of paramount importance to explain GSMA’s specification and the motivations behind it. As part of our contribution, we present detailed visuals of eUICCs and their environment.
We illustrate the changes to the SIM distribution and subscription model (Section 2), describe the newly proposed ecosystem for M2M devices (Section 3), and present the eUICC architecture (Section 4). Moreover, we explain the core functions and mechanisms behind remote provisioning (Section 5), and close with a brief conclusion (Section 6). (For reference, a list of abbreviations appears towards the end of this article.)
2 eUICC distribution chain and subscription model
Remote provisioning allows consumers to buy M2M devices before subscribing to an MNO. This leads to an evolution of the linear distribution model (used by SIMs), since distribution and subscription can be separated. To instantiate remote provisioning, GSMA introduces a sm, which acts as an intermediary between MNOs and eUICCs. This removes MNOs from distribution and results in a new chain, described as follows (and which we illustrate in Figure 4 (a)):
eUICCs are fabricated by eums (eums).
EUMs create an eUICC Information Set (EIS) file for each eUICC describing their characteristics,222These are permanent characteristics, such as the EUM identity or the eUICC production date signed by the EUM. and send the file to the SM.
eUICCs are shipped to M2M device manufacturers.
M2M device manufacturers embed eUICCs inside devices.
As before, devices are shipped to the relevant distributors, wholesalers, and retailers.
The eUICC distribution chain reduces production costs for EUMs and for M2M manufacturers. Indeed, as MNOs are removed from the distribution chain, eUICCs are manufactured without subscription and can be shipped directly to device manufacturers who can embed the eUICC. Furthermore, eUICCs can be embedded deep inside devices as they will be remotely managed. MNO costs are also reduced, as they need not ship SIMs to device manufacturers. Finally, eUICCs need not be personalized over a physical channel.
The new distribution chain leads to a new subscription model, whereby subscriptions are purchased as follows (and which we illustrate in Figure 4 (b)):
The owner of a M2M device subscribes to an MNO and the MNO sends a request to download the related subscription to the SM.
The SM writes subscription data corresponding to the MNO to the eUICC application, called a Profile, and remotely installs this profile on the eUICC present in the M2M device.
It follows that devices and subscriptions can be purchased separately, benefiting buyers who can independently leverage the device and subscription markets.
We next describe eUICCs and the mechanisms behind remote provisioning as well as the associated protocols.
3 eUICC architecture
MFF2 SIMs are compatible with GlobalPlatform’s333GlobalPlatform is a consortium maintaining multi-application smart card standards. smart card specification standard .444Markantonakis and Mayes present an overview of GlobalPlatform’s smart card specification  This standard specifies a general architecture for multi-application platforms, application lifecycle, platform management, and input-output channels between the card and external entities. In order to ease transition from MFF2 SIMs to eUICCs and for backward compatibility, eUICCs are also compliant with GlobalPlatform’s standard.
It follows that eUICCs build upon the architecture of GlobalPlatform-compliant smart cards. As such, eUICCs contain a runtime environment, a framework (called OPEN) that interacts with different applications and Security Domains, i.e., privileged applications that act as on-card representatives of off-card authorities and that can establish secure channels and handle some management functions. Each application, including security domains, depends on a parent (or master) application. This association permits parent-child communication, while other communication requires authorization from the parent. Messages received and processed by the eUICC respect the apdu format specified by GlobalPlatform standard.
Compared to MFF2 SIMs that are tied to a single subscription, the eUICC architecture can support several operators simultaneously. Each operator controls a profile on the eUICC. This profile is organised as an MFF2 SIM, i.e., the logical file system and internal application of an MFF2 SIM are preserved in the profile. The organisation of an eUICC, which we illustrate in Figure 5, is now described.
As discussed in Section 2, eUICCs are manufactured and shipped to the device manufacturer without subscriptions. Some components and applications are installed at manufacture, while some are installed later on, relying on remote provisioning. Freshly shipped eUICCs only contain the following elements (components represented with solid lines in Figure 5):
An interface, the ISD-R, for over-the-air communication with the subscription manager.
The isdr provides an on-card communication interface accessible by the subscription manager. The isdr is the highest privileged security domain on the eUICC, and, as such, has management capabilities over all other eUICC applications, including security domains. Remote commands sent to eUICCs are received and processed by the ISD-R, and then relayed to the targeted application, such as a profile. The isdr is equipped with a symmetric key during eUICC’s manufacture for establishing a secure communication channel with the subscription manager.
A Controlling Authority, the ECASD.
The ecasd is responsible for authenticating remote parties using a public key infrastructure. To achieve authentication, the ecasd holds cryptographic data, including the public key of the certificate authority. The ecasd also holds the private key of the eUICC used to set up a secure channel (see Section 5). The eUICC public key is stored in the EIS file stored by the subscription manager (see Section 2).
A communication application to enable initial remote management of the eUICC.
The fabrication process of eUICCs includes granting them with minimal connectivity services to allow remote provisioning of MNO’s profiles on the eUICC thereafter. For this purpose, a provisioning profile (i.e., a profile containing an NAA set with minimal connectivity capabilities) is installed.
Once embedded inside a device, eUICCs are remotely provisioned with operational profiles (i.e., a profile containing subscription data corresponding to an MNO). eUICCs support many operational profiles throughout their lifetime. Remote provisioning enables installation, management and deletion of those profiles. Each profile is dependent on a dedicated security domain called an isdp. ISD-Ps are created by the ISD-R, which, despite management capabilities, is unable to modify their profile content, which should guarantee integrity of the operators’ data stored in profiles. By using dedicated ISD-Ps, profile data can only be accessed with the ISD-R’s authorization, and is, as such, isolated from other profiles.
4 Remote provisioning ecosystem
In their specification, GSMA describe various communication channels between eUICCs and external entities (represented in Figure 6). As communications between entities and the eUICC are wireless, GSMA has chosen to rely on certificates for authentication. Thus, each entity involved in the remote provisioning framework is certified by an authority referred to as the ci in GSMA’s specification.
In addition to remote provisioning and re-programmability, the eUICC architecture allows several profiles (each being an application containing the subscription data of an MFF2 SIM), owned by different MNOs, to coexist on the same card during their lifetime. This improvement eases the embedding of eUICCs inside devices during manufacture. By comparison, MFF2 SIM cards are restricted to a single SIM application, owned by a single MNO. Due to this distinction, the role of the MNO for eUICCs compared to its role for MFF2 SIMs is revised, in particular, the management of eUICCs is pushed from MNOs to the subscription manager described in the following paragraph.
The subscription manager’s duties are split between two sub-entities: the dp and the sr (introduced in Section 2).
The dp is responsible for generating profiles containing an operator’s subscription data, and for transferring such profiles onto the eUICC.555GSMA suggests that an MNO can also assume the role of a DP or can own a DP .
srs are the main entity communicating with eUICCs. They remotely manage eUICCs using an eUICC’s ISD-R interface. All remote communication is secured through the secure channel that the SM-SR set up with the ISD-R.
To ensure confidentiality of messages exchanged, secure channels are used for communication between the eUICC and an external entity. In order to achieve message confidentiality and maintain those secure channels, remote provisioning relies on protocols defined by ETSI [3, 5], in particular, the Secure Channel Protocol (SCP80). This includes communication between the SM-DP and the ISD-P during profile installation (see Section 5), but also communication between an MNO and its profile (as represented in Figure 6). However it is important to note that the mentioned secure channels are built upon the secure channel between the ISD-R and the SM-SR.
Similarly to MFF2 SIMs that are managed by a single MNO, eUICCs are managed by a single sr, albeit, the SM-SR may change over time.
EUM send an eUICC’s data to the first SM-SR responsible for that eUICC.
This data includes the EIS file and the secret key needed to communicate with the eUICC.
After that, MNOs might request a change of the SM-SR responsible for an eUICC when a change of subscription occurs from one MNO to another.
GSMA’s specification describes the different communication channels and messages sent between the eUICC and its ecosystem, as depicted in Figure 6. The specification also outlines the profile life cycle induced by the remote provisioning protocols, which we will describe next.
5 Profile lifecycle
Upon receipt of an eUICC equipped device, a customer can subscribe to an MNO. To enable the contracted services, the MNO must upload a profile666In GSMA’s specification, this profile is referred to as an operational profile, to differentiate it from a provisioning profile. corresponding to the subscription made onto eUICCs. The upload and installation of a profile on an eUICC is as follows:
The MNO prepares a profile description containing the profile type and eUICC identifier (EID), and sends the description to the dp within a DownloadProfile request.
The SM-DP creates a profile corresponding to the request and containing the subscription data of the operator, then requests the creation of an ISD-P to the sr.
The sr instructs the ISD-R to create a new ISD-P capable of managing the profile created.
The dp derives a secret key from a shared secret with the isdp. The secret is obtained by following the Elliptic Curve Key Agreement (ECKA) protocol based on ElGamal .
After that, the profile, created by the SM-DP, is sent by the SM-DP to the eUICC over a secure channel set up using (see Section 4).
Finally, the profile is uploaded by the SM-DP onto the eUICC.
The ISD-P decrypts the profile using and installs the profile.
Installed profiles are initially disabled and may subsequently be enabled or deleted. To manage profiles, GSMA’s specification defines a set of policy rules, POL1, that are stored in a file inside each profile. Policy rules are instantiated by MNOs during profile creation and can be updated remotely by the MNO for the enabled profile only. For this purpose, MNOs can set up a secure channel with the profile using a security domain, the MNO-SD, present in the profile. To ease profile management, an unsynchronized version of those rules are maintained by the MNO in the EIS file (held by the SM-SR). Policy rules determine if a profile can be disabled, deleted or must be deleted once it is disabled. To ensure exclusivity, operators can lock devices to their profile. Indeed policy rules can prevent the change of a subscription by locking the device to the enabled profile – similarly to the SIM lock feature of mobile phones. M2M devices can only access the network with the profile that is enabled.
GSMA, in order to increase the reliability of eUICCs connectivity, also introduces another attribute for the profiles: the fallback attribute. This Boolean attribute can only be set to true on a single disabled profile which is enabled to prevent connection loss or errors.
GSMA choses to rely on profiles to improve over MFF2 SIMs, their lifecycle enabling re-programmability support remote provisioning. Furthermore the format of a profile eases the isolation of sensitive data ensuring the security requirements of the different stakeholders.
6 Closing remarks
The MFF2 form factor requires M2M SIMs be embedded inside devices. This presents some shortcomings, especially as such SIMs support only a single subscription that must be physically uploaded. New technologies have been explored to overcome these shortcomings. In particular, GSMA has released a specification describing mechanisms for remote provisioning, and their application to the management of a new SIM, called an eUICC, that is re-programmable. eUICCs can be embedded in M2M devices during manufacture, and need not be replaced upon a consumer changing subscriptions.
This article presents the motivation behind eUICC and remote provisioning, and the changes they will induce upon the telecommunication ecosystem. It also describes the technical challenges of remote provisioning and illustrates GSMA’s solution.
eUICC is being driven towards standardization. If eUICCs are adopted widely as the next generation SIMs for M2M devices, then, operators, device manufacturers and SIM manufacturers will have to adapt to the new eUICCs ecosystem. The evolution towards next generation telecommunications is exciting, but not without risk; flawed systems have the potential to cost society dearly, in terms of both lost liberties and financial costs. As such, similarly to the security analysis done by Meyer et al. in , it will be important to analyze in detail the mechanisms behind remote provisioning to be sure that the properties offered by the current model will hold for eUICCs, especially in term of security as it is paramount for operators. Such an overview is helping in that regard by easing the comprehension of those technical specification. Furthermore eUICCs are also likely to be considered as the next generation SIM for all devices, in particular Internet of Things devices considered as potential M2M devices  and mobile phones already marketed as an eSIM by GSMA . This represents a very important market, this is why it is crucial to look at the impact that eUICCs and remote provisioning can have, both in terms of changes to the network and to consumer habits.
We are grateful to Aisha Chudasama Mahmud for feedback that helped improve this article.
-  Blom, R., Norrman, K., Naslund, M., Rommer, S., Sahlin, B.: Security in the Evolved Packet System. Ericsson Review (February 2010)
-  ETSI: Smart Cards; Machine to Machine UICC; Physical and logical characteristics (Release 9). Tech. Rep. 102 671 (April 2010)
-  ETSI: Smart Cards; Secured Packet Structure for UICC based applications (Release 9). Tech. Rep. 102 225 (April 2010)
-  ETSI: Smart Cards; Embedded UICC; Requirements Specification (Release 13.1.0). Tech. Rep. 103 383 (February 2016)
-  ETSI: Smart Cards; Remote APDU Structure for UICC based applications (Release 13). Tech. Rep. 102 226 (May 2016)
-  GlobalPlatform: Security Upgrade for Card Content Management (Card Specification v 2.2 – Amendment E). Tech. rep. (November 2011)
-  GlobalPlatform: Card Specification (Version 2.3). Tech. rep. (October 2015)
-  GSMA: Business Process for Remote SIM Provisioning in M2M (Version 1.0). Tech. rep. (February 2015)
-  GSMA: Remote Provisioning Architecture for Embedded UICC. Tech. Rep. 3.0 (June 2015)
-  GSMA: Understanding SIM evolution. Tech. rep. (March 2015)
-  GSMA: eSIM: The SIM for the next Generation of Connected Consumer Devices (2018), https://www.gsma.com/esim/
-  GSMA: Remote SIM Provisioning for Machine to Machine (2018), https://www.gsma.com/iot/embedded-sim
-  GSMA Intelligence: Cellular M2M forecasts: unlocking growth. Tech. rep. (February 2015)
-  Markantonakis, K., Mayes, K.: An overview of the GlobalPlatform smart card specification. Information Security Technical Report 8(1), 17 – 29 (2003)
-  Meyer, M., Quaglia, E.A., Smyth, B.: Attacks against GSMA’s M2M Remote Provisioning. In: FC’18: 22nd International Conference on Financial Cryptography and Data Security. Springer (2018)