11 Replies Latest reply: Mar 31, 2010 5:35 AM by elizabeth foster

SIM Security... tips

Newbie

Hi there,

 

I am new on this forum. Just found it googling for some tips... Quite hard to find detailed info on m2m.

 

I am currently helping a company design a remote health care monitoring solution.

 

Maybe someone here can help me with the best way to bind a SIM and the device so that no one can use it to do something else...

 

I am not really keen on using IMEI bind as it is not a very flexible option... as if I discover a problem on my device during factory test, I am kind of stuck with my SIM locked to the IMEI... Do you know any alternative way? What are the pros and cons?

 

Many thanks !

 

Lea.

  • Re: SIM Security... tips
    Apprentice

    Hi Lea,

     

    IMEI bind is indeed limiting when you need to replace the device.

     

    Jasper Wireless has a product called SecureSIM designed to prevent SIM fraud by ensuring that the SIM will only work with the device for which it was intended. If SecureSIM is enabled, the network authentication process will look for a username and password (supplied by the trusted device/application), and won’t allow a data connection if there is a mismatch in credentials. Therefore, someone attempting to commit fraudulent activity would not be able to remove the SIM from a device, plug it into another device (phone or air card, for example), and use exorbitant amounts of data and run up an expensive bill for you.

     

    Hope this helps.

     

    Cheers

    Sandy

  • Re: SIM Security... tips
    Newbie

    As you point out, fraud prevention solutions that bind a SIM directly to the IMEI (or some other module identifier) can be effective, but are not very flexible since the technique physically alters the SIM in a way that is, for all practical purposes, impossible to reverse. An alternative strategy is to use standard username and password credentials that are part of standard wireless connection protocols as the basis for a software-based fraud prevention solution.

     

    For example, the approved devices that will be connecting to the network can pass user credentials known only to the device application. The authentication logic on the wireless network can store the credentials expected for each SIM. If a mismatch is detected, the system can deny the connection request or, better yet, allow the customer to define the appropriate action to take on a credential mismatch (e.g., send an alert, deny the connection, include in a report).

     

    Since the solution is software based and does not alter the SIM, it can be much more flexible (even reversible). For example, a customer can decide the level of security. Sending a unique credential for each device (e.g., the device serial number) provides very granular security. Defining a common username across all devices deployed by the customer provides less granular fraud protection, but allows SIMs to be shared among like devices. This can be very useful for exchange and RMA situations where the SIM is still functional. If a SIM is legitimately transferred to another device that is programmed with a different password, the system can be set to accept the new credential, or even be “reset” to read and store the new credential automatically for future comparisons.

     

    Good luck

    -Erik

    • Re: SIM Security... tips
      Newbie

      Thank you for the detailed and helpful answers.

       

      Lea.

      • Re: SIM Security... tips
        Newbie

        Hi Lea,

         

        See a good example of how easily these devices can be hacked.

         

        Barnes and Noble’s Nook ereader gets hacked. Secure SIM could easily eliminate all fraudulent use of the network.

         

        http://androidandme.com/2009/12/hacks/nook-rooted-how-to-and-teardown-pics/

         

        Cheers,

         

        Ludo

        • Re: SIM Security... tips
          Newbie

            Ludovic

           

          Can you explain in more detail how Secure SIM would stop the Barnes and Noble hacking?

          • Re: SIM Security... tips
            Newbie

            Secure SIM will only prevent the SIM inserted in the device from being used fraudulently in another device, thus generating high cost for Barnes and Noble. It will not prevent other hacking such as accessing the book store for free or any other kind of stuff...

             

            First of all, voice will be blocked at HLR level so it will be unavailable. SMS (if needed, otherwise blocked as well) will be restricted to a closed user group, so if the end user uses the SIM to send or receive SMS to a mobile phone, it will be blocked as well.

             

            Now on the data path, we will use a credential mechanism, generated randomly at the manufacturing point, in the PPP context while opening the PDP to secure the data channel. If these credentials are not passed during the establishment of the PDP, an alert is generated to the SIM owner (it could be a blocking alert). So typically, if a consumer puts the SIM in his PDA to surf on the 3G network, it is unlikely he will have the credentials for the PPP context, and he will generate alerts.

             

            Hope it clarifies?

             

            I will be happy to send you more detailed information on the process diagram; you can send me an email with your details.

            • Re: SIM Security... tips
              Newbie

              ?

              OK, so Secure SIM stops someone using the SIM card with another device. I think I get that. I did not understand how this is implemented, but that is OK, no need for diagrams. And I like to keep my mail private on forums (sorry).

               

              Only one question: what software is required to implement this security feature?

               

              As I understand it, this was not the issue with Barnes and Noble.

              • Re: SIM Security... tips
                Newbie

                There is no specific software required to implement this feature. However, your device shall have logic built in to automatically generate a random credential for PPP authentication.

              • Re: SIM Security... tips
                Novice

                Elizabeth,

                If you're using SecureSIM, your device application will include a username and password when it authenticates to the GGSN/network to establish a data connection. When SecureSIM is enabled, the network system will copy the username and password that were submitted by the device the first time that it connects. Then the username and password are locked on the network. Each time that SIM connects and authenticates in the future, the network system will compare the included device credentials with the locked network credentials. You can decide if you want to allow or deny a device/SIM that passes incorrect credentials, and be alerted when this happens. This solution gives you lots of flexibility on how complex your username/password is and how you want to handle potentially fraudulent attempts. If your device has a SIM that's easy to remove, it's a good idea to consider this security measure.

                Hope this helps.

                -Tim
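The network-side check that Erik and Tim describe above (copy the credentials on the first connection, lock them, compare on every later connection, apply a configurable action on mismatch, and allow a reset for RMA swaps), as an added Python example that is not SecureSIM's code or any poster's. The class, method and policy names, the use of the ICCID as the per-SIM key, and the sample credentials are assumptions made for illustration.

```python
import hashlib
import hmac

DENY, ALERT_ONLY = "deny", "alert_only"  # hypothetical mismatch policies


def _digest(username, password):
    # Length-prefix the username so ("ab", "c") and ("a", "bc") differ.
    return hashlib.sha256(f"{len(username)}:{username}:{password}".encode()).digest()


class CredentialLock:
    """Network-side check run when a SIM asks for a data session."""

    def __init__(self):
        self.policy = {}  # ICCID -> action on mismatch
        self.locked = {}  # ICCID -> digest of first credentials seen
        self.alerts = []  # (ICCID, offered username) per mismatch

    def provision(self, iccid, on_mismatch=DENY):
        self.policy[iccid] = on_mismatch

    def reset(self, iccid):
        # Legitimate swap or RMA: relearn on the next connection.
        self.locked.pop(iccid, None)

    def authenticate(self, iccid, username, password):
        if iccid not in self.policy:
            return False  # unknown SIM: never learn credentials for it
        seen = _digest(username, password)
        if iccid not in self.locked:
            self.locked[iccid] = seen  # first connection: copy and lock
            return True
        if hmac.compare_digest(self.locked[iccid], seen):
            return True
        self.alerts.append((iccid, username))  # report every mismatch
        return self.policy[iccid] == ALERT_ONLY


def demo():
    iccid = "89000000000000000001"  # constructed ICCID, not a real SIM
    lock = CredentialLock()
    lock.provision(iccid)
    return [lock.authenticate(iccid, "dev-SN1001", "r4nd0m"),  # learned
            lock.authenticate(iccid, "internet", ""),  # SIM moved elsewhere
            len(lock.alerts)]
```

Because the first connection locks whatever credentials arrive, that first attach should happen during factory test or provisioning, before the device ships.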

  • Re: SIM Security... tips
    Newbie

    Good answers above... but there are two other ways that may provide a practical approach to help reduce fraud/swapping:

     

    1. use a SIM Form Factor that prevents removal (one of the reasons that Apple allegedly went for the 3FF SIM was to help prevent SIM swaps). An even better way is to solder the SIM to the PCB in the device; then swapping SIMs becomes almost impossible. See the thread here http://m2m.com/message/1016#1016 on SIM types. The smaller SIMs may also help if you have miniature medical devices like glucose meters or watches where the size of the SIM, the carrier and the slot/loader mechanics take up too much real estate.

     

    2. use a dedicated Access Point with your own Access Point Name that is not published (and hence not one of the APNs that are used by the main carriers). This is quite a simple approach and should deter 'some' of the swapping - and most devices have a mechanism to change the APN so perhaps cycling the APN every few months would also help. Note also that having a dedicated access point will also route all the IP traffic only to your servers/proxies, so that the SIM can not be used to access the open internet. This will require a VPN to the GGSN but may offer a simple solution to the whole authentication issue.

     

    Hope this helps - David

    • Re: SIM Security... tips
      Newbie

      David

       

         Solderable SIM is definitely the way forward. The only perceived drawback is that you cannot change it, but then why would you? It makes operator choice more important.

       

         Private APN is also important.

       

        From the B and N article it is implied that the security breach was actually deeper than this. They hacked into the device app itself. So the lesson here is... even though you are communicating with your device over your APN, you still need security checks.

       

        Liz