On the Performance and Consistency Trade-off of the eSIM M2M Remote Provisioning Protocol

This paper analyzes the Embedded SIM card's Machine-To-Machine Remote Provisioning Protocol's (eSIM M2M RSP) design. The eSIM M2M RSP simplifies 5G connectivity for IoT devices by securely delivering connection bootstrapping information over the air without human intervention. As IoT adoption with 5G connectivity surges, the eSIM infrastructure must handle a growing number of concurrent remote SIM provisioning requests. The statefulness and shared states of the RSP make it challenging and error-prone to implement concurrency without data races. The GSMA eSIM standard does not explicitly define any atomicity assumptions required for concurrent execution. A formal analysis of the standard-prescribed M2M RSP design reveals that explicit atomicity assumptions are necessary; without them, 31 data races can violate key invariants. During the responsible disclosure process, discussions with the standards body revealed that the M2M RSP design relies on unstated and implicit atomicity assumptions. However, we find that the standard prescribed implicit assumptions are not strong enough to maintain all the invariants. The identified race conditions can be exploited by third-party eSIM management platforms to defraud network operators. To mitigate these risks, we developed a fine-grained synchronization mechanism that we formally verified for correctness and empirically evaluated for performance. Empirical evaluations show that our synchronization mechanism ensures correctness while outperforming a baseline with a 6× speed up.