Mobile network operators (MNOs) sometimes use a business model of offering a wireless device to a buyer at a discounted price bundled with a service contract; this bundling is known as subsidy lock. The dollar value of the wireless device on the open market is higher than the discounted price. A person attempting to defeat the subsidy lock may be referred to as an attacker.
Universal integrated circuit cards (UICCs) and embedded UICCs (eUICCs) are secure elements (SEs) for hosting profiles. A profile is a combination of operator data and applications provisioned on an SE in a device for the purpose of providing services by an operator, for example, an MNO. A profile can be identified by a unique number called an ICCID (Integrated Circuit Card Identifier). A wireless operator is a company providing wireless cellular network services. An MNO is an entity providing access capability and communication services to its subscribers through a mobile network infrastructure. A wireless device may also be referred to herein as simply a device. An end user or customer is a person using a device. An enabled profile can include files and/or applications which are selectable over an SE-device interface. To use the device, the profile is activated with the MNO. Two documents related to activation of profiles are GSM Association document GSMA SGP.22: “RSP Technical Specification,” Version 1.1, Jun. 9, 2016 (hereinafter “SGP.22”), and 3GPP 22.022: “Personalisation of Mobile Equipment (ME); Mobile functionality specification,” Version 13.0.0, January 2016. Device manufacturers may also use proprietary methods to activate profiles (physical SIMs/eSIMs). A document related to communications generated by an SE is 3GPP 31.111: “Universal Subscriber Identity Module (USIM) Application Toolkit (USAT),” Version 13.4.0, June 2016 (hereinafter “3GPP 31.111”). A document related to communications with an SE is ETSI TS 102.221: “Smart Cards; UICC-Terminal interface; Physical and logical characteristics,” Version 8.2.0, June 2009 (hereinafter “ETSI 102.221”).
A goal of the attacker is to activate the wireless device with an MNO using a subscriber identity module (SIM) not approved under the service contract. SIM functionality is achieved in wireless devices in a number of ways using secure elements (SEs). For example, SIM functionality can be achieved by building the SIM functionality into an SE or by provisioning an SE with a profile, for example, after an end user obtains the wireless device. In the latter case, the SIM functionality is provided by a profile known as an eSIM. In some instances, the SE is a removable UICC that is placed in a SIM tray in the wireless device before the wireless device is used with MNO services. SIM functionality is provided herein by profiles, and a profile may be realized either with a physical SIM or with an eSIM.
In order to begin using the services of an MNO by activating the device, the device needs to be registered in a home location register (HLR) of the serving MNO, and the profile in the device needs to be enabled.
During activation, the baseband processor may communicate with an SE in the SIM tray of the wireless device. The SE has a hardware interface (I/F) that matches with a hardware I/F of the wireless device in order to support communication. An attacker may attempt to break the subsidy lock by inserting a specially designed circuit board with a computer chip, the board and chip known as a proxy SIM, between the SE I/F and the SIM tray I/F.