One thing that has been surprisingly absent on this blog so far was a discussion on how embedded-SIM cards work. Call me a traditionalist, as for me, the SIM card in its current form has been the greatest invention since sliced bread and so I saw no reason to change the concept. This is because a removable SIM card allows me to use my mobile network subscription(s) with any device. I can move my subscription, i.e. the SIM card quickly from one device to another and, equally important, I can put in another SIM card in my main device, e.g. to use a local SIM card while traveling. The device belongs to me and there is no lock-in of a device to a specific network operator. Does this also work with eSIMs (or with eUICCs, to be exact), i.e. when the SIM card is soldered in place and thus no longer removable and subscriptions have to be downloaded?
The answer to the question above is fortunately a clear YES. But how does this work in practice?
There are a number of GSMA eSIM (eUICC) and eSIM Remote Service Provisioning (RSP) requirements, architecture and test specifications that describe in detail how eSIM Remote Service Provisioning works in practice. Also, a number of videos have appeared on YouTube that show how the theory works in practice. To reduce the pain before going through these documents (to which I will link later) it’s a good idea to first understand the general concept of eSIM provisioning, who has a business relationship with whom, and how this is different from today’s removable SIM card environment. One can get this information out of a number of public GSMA documents but it’s a rather unpleasant exercise. I’ve thus decided to write a number of blog entries to give a general introduction to eSIM and remote eSIM provisioning to help.
Removable SIM – Business Models and Relationships
Let’s have a look at how things work with traditional removable SIM cards today. When getting a monthly subscription or a prepaid contract today, the network operator gives a SIM card to the customer. The SIM card stores, among many other things, its serial number (the UICCID), the International Mobile Subscriber Identity (IMSI), the secret key Ki and a few other things. When a contract is made and a SIM card is given by the network operator to the customer, these pre-provisioned values are then linked to the network operator’s subscriber database (HSS, HLR) and the service becomes active for the customer. The customer then puts the SIM card in his device, which he can buy separately, and he is good to go.
In this model the SIM card vendor produces the SIM card and pre-provisions the data mentioned above on the SIM card. The SIM card is then sent to the mobile network operator together with the information which UICCID, IMSI, Ki etc. was put into a SIM card. The network operator in turn gives the SIM card to the customer who puts it into his device. The relationship is thus as follows:
SIM card manufacturer –> network operator –> customer
The important part: The device manufacturer (e.g. Samsung, Sony, LG, etc.) is not involved in this business relationship at all! The only thing he has to make sure is that the device can handle standardized SIM cards from many different manufacturers.
Embedded-SIM relationship model
With the embedded SIM, the relationship model changes completely! The SIM card vendor produces an embedded SIM chip without subscription information and sells it to the device manufacturer (e.g. Samsung, Sony, LG, etc.) who then solders it into the device:
SIM card manufacturer –> device manufacturer
It’s important to realize at this point that the network operator does not play a role so far, i.e. he is no longer involved in any way with the physical SIM card part of the business model. The device manufacturer can select any vendor for the eSIM he solders into his device as long as the eSIM is compatible with the common remote service provisioning standard (more about that later). This is because when the device is sold to the customer the eSIM is empty, i.e. there’s no subscription information (IMSI, Ki, etc.) on the SIM card yet. This information has to be downloaded. In other words the “download process” replaces the “Insert SIM into device” process.
Who Is In Control
The crucial point at this step is who is in control of downloading, activating, deleting and removing the subscription information in the eSIM. Is it the device manufacturer, the network operator or the customer? Fortunately, the customer is in control of this process and he can decide at any time to download subscription information of a network operator (called a ‘Profile’), to activate it, to deactivate it, to delete it, or to trigger his subscription to be downloaded to another device after he has deleted it on the previous device (analogous to moving a removable SIM card from one device to another).
So much for this time. In part 2 of this series I’ll take a closer look at how this is implemented in practice, i.e. how the user remains the party to decide which subscription he wants to use or remove from a device without asking for permission of the network operator or the device manufacturer first.
After securing my tin foil hat, I have to ask, what safeguards are in place to prevent evil parties (hackers, TLA agencies, Sony BMG, etc.) from downloading malware to the eSIM?
Hi Chris, keep your tin foil hat on 🙂 I’ll describe the security measures in a separate post.
-Martin