Dutch Telco Concerned With e-SIM Security Risk


The Internet has become more and more widespread and is used for all sorts of purposes, from accessing and initiating banking transactions to buying and selling online, so inevitably security has become a bit of an issue. Generally, though, checks and balances have been put in place, from secure payments for online shopping to tight security for online banking. The use of the e-SIM had not been highlighted as a particular security risk until now: KPN, the Dutch landline and mobile telecommunications company, says this useful technology could offer an opening for security concerns.

e-SIM standards need to be secure

The Dutch telco has recently released the 2017 European Cyber Security Perspectives report. It looks into the threats throughout the globe concerning the eSIM. The eSIM is being promoted by the GSMA, and KPN has highlighted a problem with the e-SIM’s provisioning standard.

The problem, it seems, according to KPN’s Cyber Security Academy spokesperson Daan Planqué, is that the traditional SIM card is unique to a particular telco. The phone with the SIM card inserted has an encrypted connection which links it to a specific mobile network. This means the mobile provider and the SIM are linked using what could be called a key, which is hard for anyone else to access and unlock. If a phone user believes he or she has been affected by an outside infiltrator, the phone company can sort the problem out by providing the subscriber with a new unique key with a new encrypted connection.

Daan Planqué’s concern is that, because the new-style SIM, the eSIM, will be integrated into the components of the phone and its processor, there would no longer be a unique identity established between the e-SIM and its provider.

GSMA claims it has solved this problem

The GSMA has outlined a standard which uses a unique key, verified through a remote server called Subscription Management Data Protection (SM-DP+). When a phone or other device seeks a profile, the SM-DP+ requests approval from an operator and, if approved, a subscription profile is conveyed to the e-SIM.

Planqué believes there is a problem with the SM-DP+ because of its online status, which makes it more vulnerable to possible threats. In particular, unique keys could be hacked, which would allow any traffic between a device and a base station to be decrypted.

From this, Planqué predicts a criminal could clone a SIM card, use it to make phone calls and then intercept a user’s internet experience. He says the only way this could be prevented is by implementing a safeguard that would make the root certificate authority more secure. It could also completely cut off the ability to verify the network using the remote SIM (e-SIM). If this were to happen, the only way of rectifying the problem would be to replace the phone’s processor or motherboard, where the e-SIM is to be attached.

Security must come first

Planqué states that when a new device or standard is released, its security should take priority over anything else. Cyber attacks, stolen data and breaches of security have become a widespread phenomenon. Hans De Vries, who heads the Dutch National Cyber Security Centre, recently said that cyber attacks can have a devastating effect on wide areas of society. They can cause complete breakdowns in power systems. Also, personal IoT gadgets have been used to perform distributed denial-of-service (DDoS) attacks on websites.

These sorts of cyber threats are becoming embedded in society. There was a news announcement on 12th May that malware called WannaCry had attacked numerous Windows operating systems throughout the world, including those responsible for running the national health system in Britain. It encrypted files on computers, which completely blocked them. A message then came into view demanding $300 to regain access. This had to be paid in Bitcoin, a virtual currency, before the screen and file access was unlocked.

No one is sure how this sort of cyber crime erupts, but it could occur either through organised crime or quite simply by the slip of a finger of a kid on a computer. It seems that a couple of months ago Microsoft, being aware of the presence of the virus, had released a patch for the bug which the virus exploits. Even so, many systems had failed to apply it.

Global impact reports:

  • 1,000 computers in Russia
  • A German railway ticket machine
  • An Italian university computer lab
  • Spanish firms such as Telefonica
  • Portugal Telecom.


Cybersecurity is a big concern these days, so it’s no wonder organisations like KPN are worried about the e-SIM’s potential effect. The latest May 2017 global cyber attack will no doubt lead to more focus on global cyber security.

Neil Aitken

Having worked in 3 countries for 4 telcos on both voice and data products, Neil is in a position to give you the inside track. Get beyond the marketing messages to the best plan for you.