Applus+ Laboratories to evaluate eSIM security under GSMA scheme

The GSMA eUICC security assurance (eSA) scheme is an independent security evaluation scheme for evaluating embedded UICC (eUICC) against the provisions of PP-0089 and PP-0100. The scheme aims to establish trust for Mobile Network Operators (MNOs) and other risk-owners ensuring that their assets, including profiles for eUICC remote provisioning, are secure against state-of-the-art attackers. The scheme is based on the ISO 15408 Common Criteria methodology, optimized for GSMA compliant eUICCs. 

The scheme owner is the GSMA, and it is operated by the Certification Body ‘Trust CB’, in accordance with the provisions and expectations of ISO 17065.
Applus+ has successfully met all of GSMA’s and TrustCB’s requirements to become a security evaluation laboratory, and is ready to conduct eSA evaluations for the remote provisioning functionality on eSIM/eUICC, for both M2M and Consumer Device solutions. 

The eSIM and the Remote provisioning functionality

eUICCs are device-embedded SIM cards that allow “over the air” provisioning for the first subscription with a telecommunications operator, as well as subsequent subscription changes from one operator to another.

Unlike traditional SIM cards, this solution avoids having to physically change the card but requires a common ecosystem for eSIM manufacturers and operators. The GSMA compliance programs are frameworks that define the requirements for an eUICC to enter the RSP (Remote SIM provisioning) ecosystem, applicable to both M2Ms and Consumer Device solutions.

eUICC M2Ms (machine-to-machine) are solutions designed for mobile connections made by any type of machine, such as smart meters, smart vehicles, traffic lights and surveillance devices, among others. eUICC Consumer Devices are an equivalent solution for personal consumption products, such as mobiles, tablets, laptops and wearables.

eUICC Applus+ Service Portfolio

This new accreditation reinforces Applus+ position as a partner for eUICC developers. Besides this new GSMA eUICC Security Assurance scheme, GSMA offers two alternative routes to certify the security of eSIMs.

• Common Criteria Evaluation: an official Common Criteria Certificate, following eUICC consumer device or eUICC M2M protection profiles, is accepted by GSMA as prove of compliance for eSIM.
• GSMA eUICC interim evaluation: this methodology was released by GSMA as an interim option until the official GSMA eUICC Security Assurance scheme (eSA) was in place, and is a second-party evaluation conducted by a recognized security lab. Both methodologies will coexist until January 2022, and then only the GSMA eUICC Security Assurance scheme (eSA) will be accepted. 

Applus+ is able to evaluate eUICC following the three options (GSMA Security, Common Criteria and GSMA interim) and can help you decide the best approach for your project. Moreover, Applus is also accredited to conduct functional and interoperability testing for GlobalPlatform Certification, the last step for eUICC compliance with GSMA requirements.