
Enabling M2M device connectivity

M2M Remote-Subscription Management

By 2020, Ericsson envisions there will be more than 50 billion connected devices. A significant number of these devices will be machine-to-machine (M2M) and connected consumer electronics (CCE), using mobile networks for data communications.

Luis Barriga, Ben Smeets and Krister Sällberg

In a world with large volumes of M2M and CCE devices, the SIM card – along with its conventional procedures and processes for managing subscriptions – will no longer be a cost-efficient solution. This article describes a potential alternative based on the concept of an M2M communications identity module (MCIM). The MCIM solution meets the new market requirements generated by the CCE industry as well as industries developing M2M solutions. Based on open standards and mature security technologies, the proposed solution is trustworthy, scalable, sustainable, future-proof, cost-efficient, and makes mobile networks a more attractive means of communication for the M2M and CCE industries.

Background

The emerging M2M and CCE device market is an area of potential business growth for many industry stakeholders – and for mobile operators in particular. The need for communication in M2M and CCE applications is obvious. However, selecting a viable communications technology is a challenge for M2M vertical industries. 2G and 3G mobile technologies provide excellent coverage and are as such very attractive solutions for both fixed-mounted and mobile devices. The total cost of ownership to connect devices through a mobile network is, however, higher than other alternatives such as connecting devices to the internet via a WLAN. Cost is one of the main issues the telecoms industry must overcome in order to support and benefit from the emerging M2M and CCE markets. Organizations such as GSMA [1] and 3GPP [2] have acknowledged this and started several initiatives to address the issue.

One specific difference between today's major mobile communication systems and other systems that provide connectivity for M2M and CCE devices is the Universal Integrated Circuit Card (UICC) containing the SIM application for access security. The rigid security of the UICC has been very successfully and widely adopted for mobile systems and handsets. However, the UICC is a major hurdle for new industry segments and could prevent them from selecting mobile communications as their technology of choice. The solution presented in this article focuses on the UICC and how innovative methods can be used to realize SIM functionality in conjunction with mature security technologies.

Removable SIM cards make it easy to transfer a subscription from one device to another and for subscribers to change operators. However, M2M device requirements are considerably more diverse than those of mobile phones, varying not just from industry to industry but also from application to application. Despite this diversity, there is one requirement that is common to almost all M2M and CCE applications: an unauthorized party should not be able to remove or tamper with the UICC. One way of achieving this is to hermetically seal the device during production. This approach is appropriate, for example, in the health-care and automotive [6] industries. Another solution is a soldered, embedded UICC, hereafter referred to as an eUICC, on the device PCB.

BOX A  Terms and abbreviations

2G: second-generation wireless telephone technology
3G: third generation of standards for mobile telecommunications services
3GPP: 3rd Generation Partnership Project
AMPS: Advanced Mobile Phone System
ASIC: application-specific integrated circuit
BSS: Business Support System
CCE: connected consumer electronics
DS: discovery service
eUICC: embedded UICC
GSM: Global System for Mobile Communications
GSMA: GSM Association
HLR/AuC: home location register/authentication center
HO: home operator
IC: integrated circuit
IMEI: international mobile equipment identifier
IP: Internet Protocol
M2M: machine-to-machine
MCIM: M2M communications identity module
MGS: MCIM generation service
NMT: Nordic Mobile Telephony
OMA: Open Mobile Alliance
OMA DM: OMA Device Management
opex: operational expenditure
PCB: printed circuit board
PS: provisioning service
QoS: quality of service
SIM: subscriber identity module
TEE: trusted execution environment (general purpose)
TRE: TRusted execution Environment (MCIM specific)
UICC: Universal Integrated Circuit Card
USIM: universal SIM
WLAN: Wireless Local Area Network

E R I C S S O N R E V I E W • 1 2011
The automotive industry has adopted the eUICC solution as it meets industry requirements such as resistance to humidity, temperature and vibration. While the eUICC approach resolves some of the issues created by M2M, it also introduces new challenges such as how to change home operator. The need to change home operator may arise more than once during the lifetime of a device. Solving this issue is vital, as M2M devices often have long lifetimes. A utility meter, for example, may have a lifetime in excess of 20 years. Utility companies would face substantial costs for labor, administration and carbon emissions if field engineers were required to manually change subscriptions in all of their meters in the event of an operator change.

FIGURE 1  Logistics and provisioning processes for embedded UICC. [Flow diagram. Actors: M2M industry vertical, communication module provider, M2M device manufacturer, embedded SIM provider, home operator. Steps: place subscriptions order; order eUICCs; manufacture and personalize eUICCs; place devices order; place modules order; deliver eUICCs; mount eUICCs; deliver eUICC data; provision subscriptions in network; deliver modules; integrate modules; deliver M2M devices; deploy M2M device.]

The logistics of provisioning SIM credentials in the business flow create additional issues, such as the handling of provisioned eUICCs during manufacture of the communication module or the M2M device, as shown in Figure 1. There are at least two unknowns at the time of manufacture of an M2M/CCE device: the geographical market where the devices will be sold or used, and the mobile network operator that the device will use to connect to the network. During manufacture, access to a mobile network might be needed for test and verification procedures. Local subscriptions are often used for this purpose and they will need to be replaced by another subscription – with any operator worldwide – when the device is finally operational.

Remote provisioning and management of mobile phones has been a successful method for performing tasks such as updates to firmware and software. Such proven technologies can be used as a basis for a secure solution for remote provisioning and management of subscriptions.

Low-cost M2M communication solutions are vital for many of the M2M vertical industries. The cost of provisioning an eUICC for an M2M device needs to be lower than the cost of provisioning a SIM for a mobile phone. For traditional SIMs, provisioning cost can include compliance testing, logistics such as maintaining a stock of readers, and repair and service handling of faulty SIM readers. Component count and limits on the space available for the eUICC can increase design costs. Power consumption is an important device-related cost factor as it affects battery costs, maintenance expenses, mechanical design, size, and operating and standby performance. UICCs or eUICCs are not as power efficient when compared to a fully integrated solution. For environmental and sustainability reasons, it is desirable to keep power consumption to a minimum and avoid wasting material resources for cards and readers. This is especially important given the predicted large number of M2M and CCE devices. Considering all of these aspects, the M2M market will aim to integrate the SIM application on an existing ASIC – preferably the main ASIC – of the communication module.

BOX B  MCIM-related terms

The USIM or SIM is an application residing on a UICC. It can be seen as an application that is executed in the secure environment provided by the UICC. In 3GPP terminology, the word USIM as we use it today has become synonymous with the SIM application residing on the UICC. This is the reason for the introduction of the term MCIM. According to reference 2, MCIM is a term that indicates the collection of USIM security data and functions that allow an M2M device to access a 3GPP network. An MCIM may reside on a UICC or a TRE.

M2M market requirements

Based on the above analysis, the market requirements for an M2M subscription-management solution can be summarized as:

- low bill of material – low cost for provisioning and logistics in the production process using sustainable technology;
- low power consumption – for battery cost and lifetime reasons;
- late operator binding – operator selection should be possible after purchase and upon device deployment;
- late subscription provisioning – subscription provisioning in the network nodes and devices should be possible upon device deployment with minimal user intervention, minimizing resource usage and capacity requirements in the network nodes; and
- operator change – it should be possible to remotely change operator while under the current operator's control, and this may be necessary more than once during the lifetime of a device.

Some of these requirements have been identified by GSMA [1] and 3GPP [2].

Remote-Subscription Management

The solution described in this article is based on alternative 1 in reference 2 and is built on a TRusted execution Environment (TRE) in the main ASIC of the communication module.

Logistics and network pre-provisioning

Early operator binding during manufacture can be avoided if M2M devices are manufactured with initial cellular connectivity credentials (pristine credentials). Figure 2 shows a setup that should suit most vendors, in which the initial HO – selected by the device manufacturer – provides the pristine credentials. However, for small businesses or private customers, the communication module provider may need to deliver pre-provisioned communication modules.

Pristine credentials are securely configured into the TRE of the main ASIC and are usually temporary, as they provide initial cellular connectivity so that operational MCIM credentials can be downloaded.

FIGURE 2  Logistics and network-provisioning processes for M2M remote-subscription management in a TRusted execution Environment (TRE). [Flow diagram. Actors: M2M industry vertical, communication module provider, M2M device manufacturer, initial home operator, new home operator. Steps: personalize module TRE; establish initial operator credentials; place modules order; deliver modules; device production; provision credentials in module TRE; provision credentials in initial network; place devices order; device purchase; deliver M2M devices; place subscriptions order for M2M devices; provision subscriptions in network; network provisioning; provide operator binding; provision operator binding in network; subscriptions ready for download; device subscription provisioning and management.]

Additional information – such as vendor and initial HO root certificates, as well as the IMEI – can be configured during the manufacturing process. In this way, M2M devices become MCIM-enabled.

The industry vertical chooses the new operational HO for its M2M devices prior to deployment and agrees a subscription contract with the selected HO. The new operational HO creates MCIM subscriptions and makes them available as MCIM blobs through an MCIM provisioning service. The new operational HO contacts the initial HO to provide operator-binding data that is then provisioned in the initial HO network. This entire process may require roaming and service-level agreements.

Provisioning of MCIM blobs

The initial HO providing pristine credentials does not need to be an operator in the traditional sense. This HO could operate its own HLR/AuC and have roaming agreements with other operators, without owning a physical network. Such a setup is described in reference 6.

Figure 3 illustrates how an MCIM-enabled device can be initially provisioned and then re-provisioned for a new operational HO. The initial MCIM-blob provisioning process (bootstrapping) can be re-used to conduct a later change of operator while still under the control of the current operator. The new operational HO makes the MCIM blob available through a provisioning service. In accordance with the agreement between the two HOs, the current HO configures its discovery service with the provisioning-service address of the new HO.

FIGURE 3  Network-initiated provisioning flows for operator change through discovery and download. [Sequence diagram between an MCIM-enabled M2M device (provisioned with connectivity credentials), the initial/current home operator (connectivity service CS, discovery service DS, provisioning service PS) and the new home operator (CS, provisioned with subscriptions in per-device MCIM blobs). Steps: 1. network attach using initial/current connectivity credentials; 2. new device detected; 3. bootstrap device with address of provisioning service; 4. download MCIM blob and provision new HO credentials; 5. network attach using new HO credentials. CS = connectivity service, DS = discovery service, HO = home operator, PS = provisioning service.]

In this model, the network detects when a device attaches to the network, and the discovery service then makes use of the OMA Device Management (OMA DM) bootstrap procedure to trigger MCIM provisioning. The OMA DM standard [3] specifies protocols for remote provisioning and management of mobile devices; this standard is widely supported and fully interoperable over IP. Technically, MCIM-blob discovery and provisioning can be based on this standard. Besides network-initiated provisioning, the model also supports device-initiated provisioning.
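The operator change of Figure 3, with the protections the security section below specifies (a bootstrap signed by the HO currently in control that introduces the new HO's public key and provisioning-service address, and an MCIM blob signed by the new HO and encrypted so that only the target TRE can open it), worked through as an added example. This code is not from the article or from Ericsson. It assumes the `cryptography` package, Ed25519 for HO signatures, X25519 with HKDF and AES-GCM for the blob, and JSON message layouts, none of which the article specifies; the device identifiers, operator names and credential values are constructed for illustration.

```python
import json
import os

from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ed25519, x25519
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

RAW = (serialization.Encoding.Raw, serialization.PublicFormat.Raw)


def _blob_key(shared_secret):
    # Assumed KDF for the blob: HKDF-SHA256 over the X25519 shared secret.
    return HKDF(hashes.SHA256(), 32, None, b"mcim-blob-v1").derive(shared_secret)


class HomeOperator:
    """An HO signs with an Ed25519 key; devices pin the current HO's public key."""

    def __init__(self, name):
        self.name = name
        self._sign_key = ed25519.Ed25519PrivateKey.generate()
        self.pub = self._sign_key.public_key().public_bytes(*RAW)

    def make_bootstrap(self, device_id, new_ho, ps_address):
        """Controlled transfer of trust: the current HO signs a bootstrap that
        introduces the new HO's public key and provisioning-service address."""
        body = json.dumps({"device": device_id, "new_ho": new_ho.name,
                           "new_ho_pub": new_ho.pub.hex(), "ps": ps_address}).encode()
        return body, self._sign_key.sign(body)

    def make_mcim_blob(self, device_id, tre_pub, credentials):
        """MGS role: encrypt the credentials to the target TRE's X25519 key and
        sign the result so the device can check the blob's origin."""
        eph = x25519.X25519PrivateKey.generate()
        shared = eph.exchange(x25519.X25519PublicKey.from_public_bytes(tre_pub))
        nonce = os.urandom(12)
        aad = f"{device_id}|{self.name}".encode()  # ties ciphertext to device and issuer
        ct = AESGCM(_blob_key(shared)).encrypt(nonce, json.dumps(credentials).encode(), aad)
        blob = json.dumps({"device": device_id, "ho": self.name,
                           "eph": eph.public_key().public_bytes(*RAW).hex(),
                           "nonce": nonce.hex(), "ct": ct.hex()}).encode()
        return blob, self._sign_key.sign(blob)


class DeviceTRE:
    """The TRE: TRE private key, pinned HO public key, and the installed MCIM."""

    def __init__(self, device_id, initial_ho_pub):
        self.device_id = device_id
        self._tre_key = x25519.X25519PrivateKey.generate()  # never leaves the TRE
        self.tre_pub = self._tre_key.public_key().public_bytes(*RAW)
        self.current_ho_pub = initial_ho_pub                 # pristine trust anchor
        self.pending = None
        self.mcim = None

    def accept_bootstrap(self, body, sig):
        """Operator lock: only the HO currently in control may introduce a successor."""
        try:
            ed25519.Ed25519PublicKey.from_public_bytes(self.current_ho_pub).verify(sig, body)
        except InvalidSignature:
            return False
        msg = json.loads(body)
        if msg["device"] != self.device_id:
            return False
        self.pending = (msg["new_ho"], bytes.fromhex(msg["new_ho_pub"]), msg["ps"])
        return True

    def install_blob(self, blob, sig):
        """Secure provisioning: check origin under the introduced HO key, decrypt
        with the TRE private key, then hand control to the new HO."""
        if self.pending is None:
            return False
        new_name, new_pub, _ps_address = self.pending
        try:
            ed25519.Ed25519PublicKey.from_public_bytes(new_pub).verify(sig, blob)
        except InvalidSignature:
            return False
        b = json.loads(blob)
        if b["device"] != self.device_id or b["ho"] != new_name:
            return False
        eph_pub = x25519.X25519PublicKey.from_public_bytes(bytes.fromhex(b["eph"]))
        key = _blob_key(self._tre_key.exchange(eph_pub))
        aad = f"{self.device_id}|{new_name}".encode()
        try:
            pt = AESGCM(key).decrypt(bytes.fromhex(b["nonce"]), bytes.fromhex(b["ct"]), aad)
        except InvalidTag:
            return False  # encrypted for another TRE, or tampered with
        self.mcim = json.loads(pt)
        self.current_ho_pub = new_pub  # trust anchor rolls over; new HO is in control
        self.pending = None
        return True


def operator_change_demo():
    """Runs the Figure 3 flow plus two misuse cases and returns the outcomes."""
    initial, new = HomeOperator("initial-HO"), HomeOperator("new-HO")
    dev = DeviceTRE("IMEI-350000000000001", initial.pub)    # constructed identifiers
    other = DeviceTRE("IMEI-350000000000002", initial.pub)
    creds = {"imsi": "001010000000001", "ki": os.urandom(16).hex()}  # constructed test-range values
    bootstrap_ok = dev.accept_bootstrap(*initial.make_bootstrap(dev.device_id, new, "ps.new-ho.example"))
    # Blob encrypted to the wrong TRE but labelled with dev's ID: signature verifies, AEAD fails.
    wrong_tre = dev.install_blob(*new.make_mcim_blob(dev.device_id, other.tre_pub, creds))
    blob_ok = dev.install_blob(*new.make_mcim_blob(dev.device_id, dev.tre_pub, creds))
    # The initial HO is no longer in control, so its bootstraps are now rejected.
    stale = dev.accept_bootstrap(*initial.make_bootstrap(dev.device_id, initial, "ps.initial-ho.example"))
    return {"bootstrap_ok": bootstrap_ok, "wrong_tre_rejected": not wrong_tre,
            "blob_ok": blob_ok, "stale_bootstrap_rejected": not stale,
            "imsi": dev.mcim["imsi"] if dev.mcim else None,
            "in_control": dev.current_ho_pub == new.pub}


if __name__ == "__main__":
    print(operator_change_demo())
```

Two checks carry the operator-lock property here: the device verifies a bootstrap only against the pinned key of the HO currently in control, and the blob's associated data binds the ciphertext to this device and this issuer, so a blob encrypted for another TRE fails on decryption even though its signature verifies. The trust anchor rolls over only after a successful decrypt, so a failed or tampered provisioning leaves the current HO in control.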

Security, trust and operator control

In first-generation mobile systems, such as NMT and AMPS, both users and operators faced the risk of fraudulent subscription cloning due to a lack of secure implementation of subscriber authentication mechanisms. Benefiting from improvements in IC card technology, GSM introduced the SIM card and basically removed this threat. Today's UICCs are no longer at the forefront of IC card technology. However, established quality-assurance programs incorporate such a high level of trust that it is still hard to clone authentication credentials by copying them from the UICC.

The current UICC can be enhanced to support MCIM capabilities. One way of achieving this is to implement the MCIM on a Java Card. This approach provides appropriate levels of security but would not fully meet the expectations of improved device economics. Another alternative, which avoids a separate hardware component, is to implement the TRE as a subsystem on the main ASIC of the communication module.

Operator control – the MCIM architecture has been designed so that there is always a home operator in control of the device subscription. To complete a change of operator, the current operator, the newly selected operator and the end user need to participate in the process. The operator-change process takes technical conditions into consideration as well as agreed formal and commercial procedures. The MCIM architecture is, therefore, designed to implement a strong operator-controlled procedure.

Controlled transfer of trust – upon change of operator, the current HO employs mature security mechanisms to introduce the newly chosen trusted HO to the device. Technically, this is achieved by the current HO sending a digitally signed bootstrap message containing the digital certificate of the new HO, followed by secure provisioning of the actual credentials.

Secure provisioning – MCIM credentials are strongly encrypted and digitally signed into a blob so that the communication device can check the origin of the received MCIM blob. Only the target device TRE can open the encrypted blob and obtain access to the MCIM credentials in plain text. If the MCIM is implemented in the main ASIC of the communication module, an inherently strong lock to the current HO is obtained: an operator lock.

An operator lock is similar to a SIM lock, where an embedded MCIM binds the device to the operator. Users cannot remove, insert or copy credentials to or from other devices. This implies that the device cannot be used with any other operator. This binding is even stronger than for a SIM-locked device/UICC combination.

The details of how credentials are stored depend on the implementation technology. Modern mobile platforms implement advanced protection mechanisms, such as IMEI and SIM lock, to prevent end users from manipulating firmware. Most mobile platforms have a generic trusted execution environment (TEE) to implement these protection mechanisms. The TEE will give the platform vendor leverage when implementing the MCIM-specific TRE to include MCIM functions to handle blobs and sensitive MCIM credentials.

Protected credentials – security in the MCIM architecture builds on a TRE that provides advanced protection against extraction of credentials. In practice, this TRE can be implemented using different technical solutions; ARM TrustZone is one such solution. Consolidation of trusted computing technologies for mobile devices is ongoing, as GlobalPlatform (Device Committee) [4] and Trusted Computing Group [5] are working on standards to harmonize the application programming interfaces for using trusted execution environments.

FIGURE 4  A two-step configuration procedure in the manufacturing environment. [Step 1, TRE personalization: the communication module stack (M2M services, communication API, TEE holding Firm_key, TRE holding SW and Dev_ID, ROM + firmware) receives pristine TRE data and keys through a bounded provision. Step 2, MCIM loading: the TRE, now holding its keys, imports the MCIM credential blob prepared and distributed from the HLR/AuC.]

BOX C  Figure 4

Using a firmware key in the main ASIC, the MCIM TRE in the device trusted execution environment (TEE) is first configured with the TRE keys. These keys are then used to implement a secure import of the pristine MCIM blob. The two steps can be combined into a single configuration step.

System impacts

Device impacts

MCIM implementation relies on the use of a TRE and its security mechanisms, such as execution isolation, secure key storage and crypto functions. In many cases the TRE will build on an existing generic TEE in the platform. Within the MCIM framework the TRE needs to be configured with keys and data to:

- securely handle MCIM data in a manufacturing environment;
- securely handle the MCIM-blob data during remote provisioning; and
- provide proof of its knowledge of the TRE private key.

Figure 4 shows a two-step configuration procedure for the manufacturing environment in which the TRE is configured first, and then the MCIM.
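The two-step factory configuration of Figure 4 and Box C, together with the device-side requirements just listed (handling MCIM data in manufacturing and proving knowledge of the TRE key), as an added example that is not from the article or from Ericsson. It assumes one plausible realization: per-device TRE keys are derived from the firmware key (Firm_key) and the device identifier (Dev_ID) with HKDF-SHA256, so that the operator's MCIM credential preparation, holding the same firmware key, can prepare device-bound pristine blobs offline for a whole batch; and the TRE proves knowledge of its key by HMAC challenge-response. The key split, blob layout, identifiers and credential values are constructed, and HMAC-SHA256 in counter mode stands in for a real AEAD cipher so the code runs on the Python standard library alone.

```python
import hashlib
import hmac
import json
import os


def hkdf_sha256(ikm, salt, info, length):
    """RFC 5869 HKDF (extract, then expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_tre_keys(firm_key, dev_id):
    """Step 1, TRE personalization: per-device keys from Firm_key and Dev_ID.
    Assumed split: encryption and MAC keys for blob import, plus an auth key
    used to prove possession of the TRE key."""
    okm = hkdf_sha256(firm_key, dev_id.encode(), b"mcim-tre-personalization-v1", 96)
    return {"enc": okm[:32], "mac": okm[32:64], "auth": okm[64:]}


def _keystream(key, nonce, length):
    # HMAC-SHA256 as a PRF in counter mode; stand-in for a real AEAD such as AES-GCM.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_blob(keys, dev_id, plaintext):
    """Bounded provision blob: encrypt-then-MAC, with Dev_ID in the MAC input so
    the blob cannot be loaded into a different TRE."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(keys["enc"], nonce, len(plaintext))))
    tag = hmac.new(keys["mac"], b"mcim-blob" + dev_id.encode() + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_blob(keys, dev_id, blob):
    """Returns the plaintext, or None if the MAC does not check out for this Dev_ID."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(keys["mac"], b"mcim-blob" + dev_id.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(keys["enc"], nonce, len(ct))))


class TRE:
    """Device side: holds the personalized keys and, after step 2, the MCIM data."""

    def __init__(self, dev_id, keys):
        self.dev_id, self._keys, self.mcim = dev_id, keys, None

    def load_mcim(self, blob):
        """Step 2, MCIM loading: import a blob bound to this device."""
        plaintext = open_blob(self._keys, self.dev_id, blob)
        if plaintext is None:
            return False
        self.mcim = json.loads(plaintext)
        return True

    def prove_possession(self, challenge):
        """Proof of knowledge of the TRE key, as required during remote provisioning."""
        return hmac.new(self._keys["auth"], b"tre-auth" + self.dev_id.encode() + challenge,
                        hashlib.sha256).digest()


def prepare_pristine_batch(firm_key, dev_ids):
    """Operator side, offline: prepare device-bound pristine MCIM blobs for a whole
    batch of Dev_IDs before any individual TRE has been seen. Credentials are constructed."""
    batch = {}
    for n, dev_id in enumerate(dev_ids, start=1):
        creds = {"imsi": f"00101{n:010d}", "ki": os.urandom(16).hex()}  # test-range IMSI
        batch[dev_id] = seal_blob(derive_tre_keys(firm_key, dev_id), dev_id, json.dumps(creds).encode())
    return batch


def verify_possession(firm_key, dev_id, challenge, response):
    """Provisioning-service side: re-derive the auth key and check the response."""
    keys = derive_tre_keys(firm_key, dev_id)
    expected = hmac.new(keys["auth"], b"tre-auth" + dev_id.encode() + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def manufacturing_demo():
    firm_key = os.urandom(32)                                      # constructed; in practice held in an HSM
    batch = prepare_pristine_batch(firm_key, ["DEV-0001", "DEV-0002"])
    tre = TRE("DEV-0001", derive_tre_keys(firm_key, "DEV-0001"))  # step 1 at the factory
    own_ok = tre.load_mcim(batch["DEV-0001"])                      # step 2 with its own blob
    cross = tre.load_mcim(batch["DEV-0002"])                       # another device's blob: rejected
    challenge = os.urandom(16)
    proof_ok = verify_possession(firm_key, "DEV-0001", challenge, tre.prove_possession(challenge))
    forged = verify_possession(firm_key, "DEV-0002", challenge, tre.prove_possession(challenge))
    return {"own_blob_ok": own_ok, "cross_blob_rejected": not cross, "imsi": tre.mcim["imsi"],
            "proof_ok": proof_ok, "forged_rejected": not forged}


if __name__ == "__main__":
    print(manufacturing_demo())
```

The caveat a practitioner should take from the symmetric variant: whoever holds Firm_key can derive every device's TRE keys, so it belongs in an HSM on both the factory and the operator side, and the TRE must never export the derived keys. A TRE with its own asymmetric key pair, which is what the article's "TRE private key" points to, removes that single point of compromise at the cost of having to collect each device's public key before its blob can be prepared.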

For business models requiring pre-provisioned MCIMs, the pristine credentials will probably be prepared offline to support batch configuration of devices, rather than being prepared for a specific TRE and device combination.

The pristine credentials may be similar to those of an MCIM blob – in other words, they could be a fully functional operator MCIM and not just an MCIM for bootstrapping. Thus we can envision MCIM-enabled M2M devices that end users can use directly. This possibility is interesting for certain use cases, such as time-limited trial subscriptions offered by the initial HO also acting as an operational home operator.

Fully operational pristine credentials do not require any changes to the rest of the mobile system. From an operational context, the operator needs to inspect device-platform products instead of UICC-vendor products. Additionally, the HLR/AuC has to be fed with MCIM data, which can be identical to SIM data in structure and format.

System architecture

FIGURE 5  Remote-subscription management system architecture. Dashed lines indicate network provisioning. Solid lines indicate device provisioning. [Block diagram. New home operator: MGS, MCIM blob, PS, BSS, HLR/AuC. Initial/current home operator: BSS, DS, HLR/AuC. M2M device with communication module and TRE; the device attaches to the initial/current home operator and is bootstrapped toward the new home operator's provisioning service.]

Figure 5 illustrates a possible system architecture for remote-subscription management.

The MCIM system services are:

- Business Support System (BSS) – coordinates the pre-provisioning processes associated with a subscription request from an M2M subscriber. Depending on the operator's role, the BSS handles pre-provisioning at the MCIM discovery or MCIM provisioning services, and also at the user databases (HLR/AuC). Additionally, the BSS coordinates the provisioning of the relevant service-execution environment enablers (not shown in the diagram).
- Discovery service (DS) – stores per-device information about the location of the MCIM blob and the address of the provisioning service. This service ideally has an interface to the core network to detect when devices attach to the network, facilitating network-initiated discovery and bootstrap. Additionally, this service exposes a pull interface for device-initiated bootstrap and discovery. In this case, the device has to be pre-provisioned with the address of the corresponding discovery service.

BOX D  Subscription bundling

A consumer decides to buy a gaming device equipped with an MCIM-enabled mobile broadband communications module. This consumer primarily wants to play games at home, but also wants the option to play when mobile. To facilitate this, network-access credentials must be present in the gaming device. Allowing consumers to use the same home operator for their gaming device as for their mobile phone enhances operator loyalty. The MCIM architecture can be easily extended to allow consumer-triggered MCIM downloading to the gaming device via a spawning-activation service. [Illustration: the consumer's phone sends "Request MCIM for my CCE" to the operator, which responds with "Provision MCIM in CCE".]

- Provisioning service (PS) – keeps the MCIM blobs on a per-device basis so that each device can download its MCIM blob after authentication.
- MCIM generation service (MGS) – handles the generation of the MCIM data, encryption and signing, resulting in an MCIM blob. This service is triggered by request from the BSS.

The new operational HO may perform partial provisioning of network nodes, including service enablers such as location or messaging. This optimization reduces the need for node capacity and network resources. Full network provisioning is achieved upon MCIM download. This process is known as late provisioning and can be orchestrated by the BSS through a trigger from the MCIM provisioning service.

The architecture described above relates to one possible business model – there are others. Of particular interest is the model in which home operators outsource the MCIM provisioning process to a trusted third party acting as a provisioning broker.

Summary and conclusions

The MCIM architecture allows remote-subscription management that meets the market demands posed by the M2M and CCE industries. It eliminates barriers to using 3GPP-compliant communication modules in M2M and CCE devices. Applying mature security and open-standard technologies makes the MCIM a future-proof solution. The architecture has been designed to keep the operator in control. Device and module manufacturers can leverage trusted execution technologies available in the platform to implement a TRE, hence reducing the number of entries on the bill of materials and overall device costs.

Luis Barriga

is a senior specialist in network security at Business Unit Networks in Kista, Sweden. In 1997, he received his Ph.D. in computer systems from the Royal Institute of Technology (KTH), Stockholm. He then joined Ericsson Research, where he launched security research activities that led to the establishment of the Security Research Area. Since then, he has worked with various Ericsson units on product development, innovation, standardization, business opportunities, customer projects, technical coordination and professional services, while always maintaining a focus on security. Currently, he is the system area security driver at the Systems & Technology division.

Ben Smeets

is an expert in security systems and data compression at Ericsson Research in Lund, Sweden. He is also a professor at Lund University, where he received a Ph.D. in information theory in 1987. In 1998 he joined Ericsson Mobile Communication, where he worked on security solutions for mobile phone platforms. His work greatly influenced the security solutions developed for the Ericsson EMP platforms. He also made major contributions to Bluetooth security and patents in this field. In 2005, he received an Ericsson Inventors of the Year award, and he is currently working on trusted computing technologies and the use of virtualization.

Krister Sällberg

is head of terminal standardization at Ericsson Group Function Technology Strategies and Industry. For the last 10 years, he has been manager of the Terminal Standardization Unit. He holds an M.Sc. in electrical engineering from Lund University of Technology and joined Ericsson in 1986. Initially he worked in the research area of switching technologies and data communication. Before joining the Ericsson mobile terminal organization in 1997, he worked with GSM data communication services at the system management unit of Ericsson in the US.

References

1. GSM Association. Embedded Mobile Guidelines, white paper, V1.0, March 2010. http://www.gsmaembeddedmobile.com/upload/resources/files/GSMA-Embedded-Mobile-Guidelines-Rel1-White-Paper.pdf
2. 3GPP TR 33.812, Feasibility study on the security aspects of remote provisioning and change of subscription for Machine to machine (M2M) equipment, section 5.1 and Annex B.
3. Open Mobile Alliance, Device Management. http://www.openmobilealliance.org/Technical/DM.aspx
4. GlobalPlatform. http://www.globalplatform.org
5. Trusted Computing Group. http://www.trustedcomputinggroup.org
6. SIIV Sistema Integrado de Informações Veiculares, DENATRAN SINIAV – SIMRAV, September 2009. http://www.scribd.com/doc/48393715/3f-spl2-p15
