
    SIM: Security in mobiles


    The SIM card has been an inherent part of GSM systems from the beginning. However, according to Mark Melling of Intuwave, thinking laterally about the SIM as a smartcard adds utility and value to the mobile proposition, especially when it comes to securing data.

    Mobile operators seeking to increase mobile data revenues by simply perpetuating PC-based usage models, rather than exploiting the intrinsic capabilities of the mobile device, are missing a trick. For example, if the SIM is viewed as a smartcard, it opens up security possibilities that resonate far beyond the mobile world. However, operators will have to change their approach in order to take full advantage.

    The fixed-line Internet is often regarded as the model for how mobile data services should develop. In this scenario, the mobile handset is seen as a PC replacement, and simply providing the same kind of enterprise access that a laptop might need is seen as the key to success. However, Intuwave has always argued that the ‘always with you’, ‘always on’ and ‘intermittently connected’ nature of the mobile device makes its usage patterns sufficiently dissimilar from those of the PC that new revenue models must be developed if full advantage is to be taken of its capabilities.

    An excellent example of the kind of thinking that is required concerns the SIM card. It is becoming clear that the SIM, a feature unique to the mobile world, has applications far beyond those for which it was originally designed. The clue is in the name: Subscriber Identity Module. It was created so that the network could authenticate each subscriber remotely, using a secret key held on the card, and so tie that subscriber to the billing systems that allow operators to generate revenue from voice traffic.

    In practice, however, the SIM is effectively a mass-market smartcard. By combining stored evidence of identity (a key the card holds and never discloses: something you have) with personal information only the user will know (a PIN or password: something you know), it offers the same two-factor authentication that smartcards provide. This ability of the SIM card to hold personal data that can authenticate users to a variety of systems is an attractive solution for enterprises and content developers grappling with the growing problem of digital rights management (DRM).

    Built-in benefits

    As a smartcard, the SIM’s mobile heritage has many advantages. Firstly, SIM cards can be remotely configured to enable deployment of security keys and to ease blocking of transactions in the event of loss or theft. They also offer secure storage of sensitive data and keys in a way that PCs do not. And crucially, the SIM is tied directly to billing mechanisms for the purposes of micropayments.

    The mobile phone is also the one device that we take with us wherever we go, and its small size and sheer portability mean that locating a smartcard on this device is a practical step. In essence, the SIM is a smartcard to which we have all ‘opted in’. As operators and financial services organisations now regard the combination of a simple secret (a password or PIN) with a smartcard as acceptable security, there is no reason why the SIM cannot gain wider acceptance as an authentication tool, irrespective of the actual device (PC, kiosk, etc) used to access information.
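    The two-factor argument above (a key that stays on the card, unusable until a PIN is presented, checked by a challenge from the operator that also knows the key) can be made concrete. The following is an added, illustrative model written for this page; it is not Intuwave's design and not code from any real SIM or GSM implementation. It assumes HMAC-SHA256 in place of the operator-specific GSM authentication algorithm, a three-attempt PIN retry counter as real cards use, and constructed IMSIs, PINs and keys. It also shows the two failure modes the section relies on: a blocked PIN after repeated wrong entries, and the operator blocking a card reported lost or stolen so that even a valid key and PIN no longer authenticate.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MAX_PIN_TRIES = 3  # real SIMs block the PIN after three wrong entries; the PUK is then needed


class CardBlocked(Exception):
    """Raised once the PIN retry counter has reached zero."""


@dataclass
class SimCard:
    """Something you have: a secret key that never leaves the card, unusable until
    the PIN (something you know) has been presented."""
    imsi: str
    key: bytes = field(repr=False)  # shared with the operator when the card is personalised
    pin: str = field(repr=False)
    tries_left: int = MAX_PIN_TRIES
    unlocked: bool = False

    def verify_pin(self, pin: str) -> bool:
        if self.tries_left == 0:
            raise CardBlocked("PIN blocked after too many wrong attempts")
        if hmac.compare_digest(pin.encode(), self.pin.encode()):
            self.tries_left = MAX_PIN_TRIES
            self.unlocked = True
            return True
        self.tries_left -= 1
        self.unlocked = False
        return False

    def respond(self, challenge: bytes) -> bytes:
        """Answer a network challenge with a keyed MAC (HMAC-SHA256 is an assumption here)."""
        if not self.unlocked:
            raise PermissionError("PIN not verified")
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


@dataclass
class AuthServer:
    """Operator side: holds a copy of each subscriber key, issues one-time challenges
    and can block a card reported lost or stolen."""
    keys: dict = field(default_factory=dict)
    blocked: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)

    def enrol(self, imsi: str, key: bytes) -> None:
        self.keys[imsi] = key

    def block(self, imsi: str) -> None:
        self.blocked.add(imsi)
        self.pending.pop(imsi, None)

    def challenge(self, imsi: str) -> bytes:
        if imsi not in self.keys or imsi in self.blocked:
            raise PermissionError("unknown or blocked subscriber")
        rand = secrets.token_bytes(16)  # fresh per attempt, so a response cannot be replayed
        self.pending[imsi] = rand
        return rand

    def verify(self, imsi: str, response: bytes) -> bool:
        rand = self.pending.pop(imsi, None)  # single use: a replay finds nothing pending
        if rand is None or imsi in self.blocked:
            return False
        expected = hmac.new(self.keys[imsi], rand, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_demo() -> dict:
    """Walk through the success path and each failure mode; returns the outcomes by name."""
    server = AuthServer()
    key = secrets.token_bytes(32)
    card = SimCard("234150000000001", key, "1234")  # constructed IMSI and PIN
    server.enrol(card.imsi, key)
    out = {}

    # The key alone is not enough: the card refuses to answer before the PIN is verified.
    try:
        card.respond(server.challenge(card.imsi))
        out["needs_pin"] = False
    except PermissionError:
        out["needs_pin"] = True

    # Right PIN plus the right key: authentication succeeds.
    card.verify_pin("1234")
    out["good"] = server.verify(card.imsi, card.respond(server.challenge(card.imsi)))

    # Replaying an already accepted response fails; every challenge is fresh and single use.
    resp = card.respond(server.challenge(card.imsi))
    server.verify(card.imsi, resp)
    out["replay"] = server.verify(card.imsi, resp)

    # Three wrong PINs block the card, even for someone who later learns the real PIN.
    for _ in range(MAX_PIN_TRIES):
        card.verify_pin("0000")
    try:
        card.verify_pin("1234")
        out["pin_blocked"] = False
    except CardBlocked:
        out["pin_blocked"] = True

    # Loss or theft: the operator blocks the subscriber, so a valid key and PIN still fail.
    key2 = secrets.token_bytes(32)
    card2 = SimCard("234150000000002", key2, "4321")
    server.enrol(card2.imsi, key2)
    card2.verify_pin("4321")
    server.block(card2.imsi)
    try:
        server.challenge(card2.imsi)
        out["revoked"] = False
    except PermissionError:
        out["revoked"] = True
    return out


if __name__ == "__main__":
    print(run_demo())
```

    The point of the model is the separation of roles: the card's key is only ever used inside the card and only after the PIN check, the server never needs the PIN, and a single revocation entry on the operator's side is enough to neutralise a lost card regardless of which device (phone, PC or kiosk) the card is presented through.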

    Intuwave believes that the most immediate impact of the mobile phone as smartcard will be in the implementation of effective DRM for the mobile world with a business usage case revolving around access to corporate data and a consumer scenario around intellectual property, access to which incurs royalty payments.

    In the business world, the smartcard might be used to encrypt and decrypt information enclosed in e-mails. Today, there is virtually no way of controlling access to information once it has been sent out via e-mail: the sender merely hopes that it reaches only the intended addressee and is not forwarded to any other party. If access rights to that e-mail can be tied to the user credentials held on a SIM card, then a higher level of security is achieved. It would also be possible to freeze access to information on a PC when users left their desks, meaning that even an open e-mail system would still be protected. The SIM might likewise authenticate access to a whole host of enterprise systems.

    In a broader sense, there are a number of initiatives, particularly to do with recorded music, where intellectual property is openly available on a commercial basis over the internet. Again, the issue is how to control the onward distribution of this content. Using the SIM card as a basis of authenticating content to individual users might be an effective way of tackling this problem. Currently, this usage case is about controlling illegal distribution — in the medium term, the automatic link between the SIM card and the operator’s billing system might authenticate onward recipients to access the intellectual property by adding any due royalties to their mobile phone bill.

    There are, of course, a variety of security initiatives currently underway but, far from being at odds with these, the approach outlined is complementary to many of the solutions now being advanced. For example, the Open Mobile Alliance is implementing a mobile DRM solution that doesn’t exploit the smartcard capabilities of the SIM — but its efforts would be significantly enhanced by doing so.

    Reality not fiction

    At the moment, the SIM as smartcard scenario might sound like science fiction but Intuwave is working with a variety of different organisations that have the experience and industry weight to usher such solutions into being. However, while we believe the technical challenges can be solved, there is one issue that will need to be resolved if the SIM is to become an effective smartcard solution.

    At the moment, the SIM card is owned by the mobile operator that issues it with the phone and its ownership rights are set out in the small print of every service contract. While this remains the case, there are limited incentives for other parties, particularly corporate entities, to invest resources in a solution that remains the property of another. After all, any enterprise wishing to download sensitive security keys to a SIM card will want the security of knowing that they can assert some claims over its ownership.

    Concrete steps

    Some steps are already being taken to address this. For example, the EC’s Trusted Transaction Roaming (T2R) project brings together the operators Orange and Vodafone, the technology providers Gemplus, SmartTrust and Ubizen, and the wireless trust organisation Radicchio. It aims to leverage the available GSM infrastructure, particularly the SIM card, to provide mass-market authentication and end-user consent services. This will allow third parties, such as governments, financial institutions and businesses, to use the mobile handset as a complementary authentication and consent channel.

    In the same way that an individual with a private car can be insured to carry commercial property belonging to their company, or a physical property is bought by one party to be leased to another, so we believe operators can find some way for another party’s intellectual property to be carried on their SIM cards without compromising that party’s rights. Initiatives such as T2R are an important step in the process towards that.

    Overall, mobile operators looking only at PC usage models for inspiration will short-change themselves, and Intuwave believes that the SIM card is an excellent case in point. Its utility and value as a smartcard solution has no parallel in the PC world and is an essential feature of its ‘mobileness’. Its ubiquity, portability and convenience, together with its ability to store key personal data and link to billing systems, mean that it might have been specifically designed to function as a smartcard. Moreover, as it already exists in the mobile handsets carried by all of us, it minimises many of the barriers to the adoption of smartcards. In the creation of mobile data service revenues, it’s time to think outside the (PC) box.