Mobile broadband networks are developing rapidly, for example with the introduction of 3rd generation and 4th generation wireless standards (3G,4G), and this means higher and higher speed wireless connections allowing for more complex applications. At the same time devices such as “smartphones” offer more advanced computing abilities and connectivity, and run complete operating systems with advanced hardware, such as dual-core processors, for example based on ARM or Nvidia. (The term “smartphone” generally refers to a device that combines the functions of a mobile telephone and a personal digital assistant (PDA) or notebook.)
A “Subscriber Identity Module” is used to identify the user of a mobile device (through a PIN entry mechanism), and to authenticate the user to a mobile network operator so that the network operator can authorise the user to make and receive calls using the mobile device. (In fact the SIM identifies the subscriber associated with the mobile device, that is the person or organisation that has a contract with an operator relating to the mobile device; the user of the device may be different from the subscriber—for example, where the subscriber is an organisation the user will typically be an employee of the subscriber, or where the subscriber is a person they may permit other family members to use the mobile device. For simplicity this application will assume that the user of the mobile device is also the subscriber, but the invention described herein may also be applied where the subscriber and user are different from one another.)
The SIM associated with a mobile device contains information about the user of the mobile device, including for example identification information such as the user's mobile number and network access credentials (key and key ID), and saved contact details (eg telephone number(s) or e-mail address(es)) for people with whom the user has communicated. In addition, a SIM contains encryption information that enables the mobile device to encrypt speech or data being sent from the mobile device, and to decrypt received speech or data. Currently the personal identity information for a smartphone is held on a SIM Card (Subscriber Identity Module) card in the smartphone, or on a USIM (Universal Subscriber Identity Module) card in the smartphone. (In 3G networks a SIM or USIM may be an application running on a Universal Integrated Circuit Card (UICC).) A SIM card, USIM card or UICC is a secured microprocessor chip with protected persistent storage.
Existing solutions have a number of problems, for example including the following:
1. SIM card memory is very limited, usually at most about 1 MB, which places a limit on how much user data and personal information data can be saved.
2. Security issue—when losing a mobile telephone, people have to buy a new SIM card and, and are unable to recover the information contained on the SIM card of the lost mobile telephone (which is usually very useful and/or private information).
3. Currently there exist SIM cards (reported from China) whose content can easy be copied.
4. User data on the SIM card, albeit protected by a PIN, is poorly protected on a smartphone against eavesdropping applications since the card interface as soon as the interface is open by a successful PIN verification is open for anybody to use. That is, a conventional SIM card lacks user access control.
For the sake of simplicity we have described these problems only in connection with SIM cards. However, all of what is said equally applies to USIM cards as well, or to an R-UIM card as used in the CDMA system. The term “SIM” as used herein is intended to cover USIM as well as SIM. The term “SIM card” as used herein is intended to cover a USIM card as well as a SIM card, and also to cover a UICC running a SIM or USIM application or a CDMA R-UIM application.
Regarding 1) we note that already today people hardly use the SIM card to store user data such as contact phone number (i.e. phone book) and/or dialled phone number history data. Instead people use storage on the mobile phone, and use a synchronization solution to synchronise contacts. This trend erodes the value of the SIM to the network operator.
There are proposed solutions for exporting UICC services from one phone to another like, for example, standardized in the Bluetooth SIM access profile (available at: https://www.bluetooth.org/Technical/Specifications/adopted.htm). The remote provisioning of UICC has been studied by the GSMA task force. For example a proposal how to move access credentials into a UICC is given by M. Walker in “Embedded SIMs and M2M Communications”, Proceedings of ETSI Security Workshop, 20 Jan. 2011 (also available at: http://docbox.etsi.org/Workshop/2011/201101SECURITY WORKSHOP/S4 MOBIILE WIRE LESS SECURITY/WALKER EmbeddedSIMs.pdf addresses). These solutions are incomplete as they do not consider the creation and secure provisioning of the SIM and the needed components and keys, but focus on the remote access and security aspects thereof.