Security Analysis of the Consumer Remote SIM Provisioning Protocol

TL;DR

This paper provides a formal security analysis of the consumer Remote SIM Provisioning protocol, revealing vulnerabilities in partial compromise scenarios and suggesting improvements for enhanced eSIM security.

Contribution

It models the RSP protocol in applied pi calculus, verifies security goals with ProVerif, and identifies weaknesses under realistic attack scenarios.

Findings

RSP protocol protects against network adversaries with honest participants

Weaknesses are exposed when adversaries control participants or channels

Security depends unnecessarily on TLS encapsulation and lacks user intent verification

Abstract

Remote SIM provisioning (RSP) for consumer devices is the protocol specified by the GSM Association for downloading SIM profiles into a secure element in a mobile device. The process is commonly known as eSIM, and it is expected to replace removable SIM cards. The security of the protocol is critical because the profile includes the credentials with which the mobile device will authenticate to the mobile network. In this paper, we present a formal security analysis of the consumer RSP protocol. We model the multi-party protocol in applied pi calculus, define formal security goals, and verify them in ProVerif. The analysis shows that the consumer RSP protocol protects against a network adversary when all the intended participants are honest. However, we also model the protocol in realistic partial compromise scenarios where the adversary controls a legitimate participant or communication channel. The security failures in the partial compromise scenarios reveal weaknesses in the protocol design. The most important observation is that the security of RSP depends unnecessarily on it being encapsulated in a TLS tunnel. Also, the lack of pre-established identifiers means that a compromised download server anywhere in the world or a compromised secure element can be used for attacks against RSP between honest participants. Additionally, the lack of reliable methods for verifying user intent can lead to serious security failures. Based on the findings, we recommend practical improvements to RSP implementations, future versions of the specification, and mobile operator processes to increase the robustness of eSIM security.