Leveraging the 5G SIM for enhanced subscriber privacy

Leveraging the 5G SIM for enhanced subscriber privacy

Eurosmart welcomes the initiative of Trusted Connectivity Alliance (TCA) to leverage the capabilities of the 5G SIM / eSIM to enhance subscriber privacy. In previous network generations (2G, 3G, 4G), the identifier of the subscriber, aka IMSI, is transmitted in clear text over the air interface and hence is subject to certain threats.

In 5G, this security weakness is addressed. The 5G successor of the IMSI, the Subscriber Permanent Identifier (SUPI), can be encrypted and transmitted over air as a Subscriber Concealed Identifier (SUCI). The key used to encrypt the SUPI is securely stored within the 5G SIM / eSIM. According to the 3GPP specifications, the encryption procedure as such can either be performed within the device or within the 5G SIM / eSIM.

TCA created a whitepaper stating that there are certain scenarios where SUPI encryption is not activated – either on the network side or within the device.

Eurosmart echoes TCA’s position that (1) protection of the 5G subscriber permanent identifier (SUPI) shall be made mandatory and (2) performing the subscriber privacy related encryption (SUCI calculation) shall be done within the 5G SIM / eSIM.

Eurosmart also highlights that these issues have direct consequences on the cybersecurity and resilience of critical infrastructures and Operator of Essential Services (OES), and as such shall also be considered in the light of cybersecurity legislation (NIS Directive).

In addition, Eurosmart believes that respective regulatory measures should be put in place to:

  • define an ad hoc security certification scheme covering SUPI encryption within 5G SIM / eSIM under the Cybersecurity Act (CSA), taking into consideration the constraints of the market;

  • require (1) SUPI to be encrypted within the 5G SIM / eSIM, and (2) 5G SIM / eSIM to be mandatorily security certified, to demonstrate its security capabilities.

Please find below Eurosmart’s full position paper on this topic.