Death of the SIM card?

One of the topics which came up in the ‘Digital Worker’ stream at the recent Telco 2.0 event was the role of the mobile operator and their SIM card. We asked Colin Mallett, our ‘analyst-in-residence’ for that session, and who spent many years working in R&D for BT, to share his thoughts with us:

“10 years ago BT started looking at a new kind of player called the ‘SoftTelco’. Later, with a multi-million pound R&D budget, we tried to implement some of the ideas, eventually ending up in the Brightstar incubator. This included looking at MVNOs and how to by-pass the Mobile Operator’s SIM.

The GSM SIM card uses tamperproof silicon to provide the client for the mobile operator’s Home Subscriber Subsystem (HSS). It provides a strong authentication token which can be managed securely over the cellular channel. This is a powerful platform that binds the user subscription, handset and network together.

Unfortunately, as readers of this blog know all too well, this sort of tight commercial and technical integration is being ripped apart by IP. It’s happened in fixed telephony with VoIP and it’s soon going to come to mobile – by around 2010 or 2011 according to a recent Telco 2.0 survey – even if, in the short term, operators ban VoIP from their ‘unlimited’ data packages.

So, are SIMs really appropriate for supporting converged services, especially on laptops or on the new classes of Mobile Internet Devices?

SIM Is Good…

The beauty of SIM authentication is that you switch on and a few seconds later you have a connection – more or less anywhere in the world. The whole process is hidden from the end user and everyone takes it for granted. Only traffic over the cellular interface is encrypted, but that is optional for the local mobile operator. So, for end-to-end IP data traffic to remain fully secure, familiar techniques such as the Transport Layer Security protocol (TLS) are still needed. While automatic and secure WiFi authentication is more complicated, it can be achieved if an application is linked to a SIM card (and TLS or IPSec protocols are employed).

…But is Under Attack…

So if the SIM card is so effective, why is it threatened? Mobile operators don’t want to give up the tight control that SIM’s give them, especially in the face of a growing number of MVNOs in increasingly saturated markets. For the majority of operators, in voice and messaging in particular, their reaction to the developing Telco 2.0 trends is to defend against convergence rather than embracing it, which giving open access to WiFi via 3G and HSDPA implies.

…It Hasn’t Evolved…

Over the last 5 years, compared with on-line transactions, SIM based mobile-commerce has failed to take off, partly because the mobile operators and payment card issuers have not been able to agree on appropriate business models and partly because the payment companies have not been able to accept that their logo should not appear on the physical card.

As a result, multi-application SIM cards have never appeared and the SIM has been seen as a blocker to progress, stimulating multiple research projects to bypass it.

..But Other Technology Has…

Device diagram

For many years, handset manufacturers opposed the dual-slot phone – one for the SIM and one for the credit card. However, the battle is now lost. In the diagram above, the mobile handset looks remarkably like a computer with added Cellular and WiFi modules. A second slot was originally needed for removable media to store photographs or music. Now it can take a ‘secure’ MultiMedia Card (SMC) consisting of a flash memory device combined with Java Card™ smart card silicon.

This, of course, could include banking credentials with the SMC even bearing the financial card issuer’s logo. Although the SIM card is still required for access to mobile networks, the SMC can run all the added-value applications and the processor can run secure automatic WiFi authentication processes and banking applications using SSL.

So, in this scenario, the poor little SIM card supports its original function, but is surrounded by modules and connections that bypass it for everything except connection to a mobile network. The cellular data connection is merely one channel through which servers can be reached securely.
SIM cards are fighting back by adding large amounts of flash memory (512 Mbytes), a high-speed USB interface and a Web server. In all these scenarios, the card manufacturers will grow their businesses.

Gorillas Entering the Fray

Compounding the issues, Intel is working on an Identity-Capable Platform (ICP). The ICP will be a secure hardware area in a processor which supports future converged mobile wireless security and high-value, trusted services including secure access to any device, network or service.
For mobile handsets and possibly other devices such as home gateways, ARM has an equivalent technology called TrustZone. This provides a secure hardware execution zone and memory partitioning. Many silicon vendors are licencing TrustZone. These innovations make possible the advent of downloadable SIM-style applications that could replace the need for a physical SIM card.

What Does the Future Hold?

– The SIM: will co-exist with its cousin the ‘softSIM’. New items will appear, like the ‘secure’ MultiMedia Card (SMC).
– The SIM vendors should do well: They will broaden out and embrace convergence. They have huge experience in securely issuing and managing trusted silicon devices. There is no reason why they should not turn their attention to provisioning and OTA (Over-The-Air) management of secure solutions, such as credentials on ‘soft SIMs’ or trusted platforms like the Intel Identity-capable Platform.
– The SIM card: will continue to be made and used, but will become a low value commodity item, always competing against managed secure intelligence in the mobile device.
– The mobile operator: will no longer be ‘in control’. They must embrace convergence fast.

The SIM is a wonderful platform, why restrict it to mobile operators!”