1 research outputs found
Security Analysis of the Consumer Remote SIM Provisioning Protocol
Remote SIM provisioning (RSP) for consumer devices is the protocol specified
by the GSM Association for downloading SIM profiles into a secure element in a
mobile device. The process is commonly known as eSIM, and it is expected to
replace removable SIM cards. The security of the protocol is critical because
the profile includes the credentials with which the mobile device will
authenticate to the mobile network. In this paper, we present a formal security
analysis of the consumer RSP protocol. We model the multi-party protocol in
applied pi calculus, define formal security goals, and verify them in ProVerif.
The analysis shows that the consumer RSP protocol protects against a network
adversary when all the intended participants are honest. However, we also model
the protocol in realistic partial compromise scenarios where the adversary
controls a legitimate participant or communication channel. The security
failures in the partial compromise scenarios reveal weaknesses in the protocol
design. The most important observation is that the security of RSP depends
unnecessarily on it being encapsulated in a TLS tunnel. Also, the lack of
pre-established identifiers means that a compromised download server anywhere
in the world or a compromised secure element can be used for attacks against
RSP between honest participants. Additionally, the lack of reliable methods for
verifying user intent can lead to serious security failures. Based on the
findings, we recommend practical improvements to RSP implementations, to future
versions of the specification, and to mobile operator processes to increase the
robustness of eSIM security.Comment: 33 pages, 8 figures, Associated ProVerif model files located at
https://github.com/peltona/rsp_mode