Attacks against GSMA's M2M Remote Provisioning

Maxime Meyer, Elizabeth A. Quaglia & Ben Smyth (2018) Attacks against GSMA's M2M Remote Provisioning. In FC'18: 22nd International Conference on Financial Cryptography and Data Security, LNCS 10957, Springer, pp. 243-252. (First appeared at Black Hat Europe 2017.)

Download

Abstract

GSMA is investigating, developing and standardizing an embedded SIM card with remote provisioning (that is, over-the-air installation of subscription data), called an eUICC, to improve the current mobile-phone subscription model. In this presentation, we will review remote-provisioning security mechanisms and show that these mechanisms are vulnerable to attacks that prevent network operators from providing service, in particular, we: Identify three classes of attacks by malicious insiders that prevent operators from installing subscription data on eUICC's; and a further attack by a network adversary that exhausts an eUICC's memory. These attacks arise from flaws in the specification, and we will discuss fixes that will improve security for next generation telecommunication networks. The presentation will include insights to the specification that are not yet public. It will also include GSMA's reaction to our findings. The presentation is based on research by Maxime Meyer, Elizabeth Quaglia and Ben Smyth, and it is supported by a detailed technical report, which will be released after the presentation.

Acknowledgement from GSMA

Our contribution has been acknowledged in GSMA's Hall of Fame.

Media coverage

This article has been discussed by Zataz (archive.org cache).

Talk

Our Black Hat talk is available on YouTube:

Bibtex Entry

@inproceedings{2017-attacks-against-eUICC,
	author = "Maxime Meyer and Elizabeth A. Quaglia and Ben Smyth",
	title = "Attacks against GSMA's M2M Remote Provisioning",
	year = "2018",
	booktitle = "FC'18: 22nd International Conference on Financial Cryptography and Data Security",
	publisher = "Springer",
	series = "LNCS",
	volume = "10957",
	pages = "243--252",
	note = "(First appeared at Black Hat Europe 2017.)",
}