Technical Field

The present invention relates to the establishment and/or management of connections to a wireless network such as a cellular data network.

Background

Access to public cellular data networks is based on the ability for the network to recognise the identity of devices which are seeking to connect to it and to associate that identity with a profile or subscription information held on a suitable database. This information can then be used, for example, to direct PSTN voice calls to the device when its telephone number is dialled, and for billing the owner of the device for network services used.

Conventionally, the information used to identify a device is provided on what is commonly known as a Subscriber Identity Module (SIM) card, but now more accurately referred to as a Universal Integrated Circuit Card (UICC) which is a physical removable‘smart’ card provided by a Mobile Network Operator (MNO) and inserted into a slot in the device, typically when the device is first purchased or when a new contract is entered into - e.g. with a different MNO. A UICC comprises a CPU and a small amount of memory, and can run various applications. One of which is a SIM application, which performs the functions of a SIM card.

The system for identifying devices, which is regulated by standards drawn up by the Groupe Special Mobile Association (GSMA), was originally designed for managing cellular telephones which are typically relatively high value devices, purchased individually by users and carried with them. In more recent years, as network capabilities have increased, the wireless data connections to the Internet that they offer have taken on greater importance. It is now common for other devices, which require only a data connection to the internet, to access cellular networks too, and thus they too must be provided with a removable UICC in order to permit this.

Since a removable UICC uniquely identifies a single subscription, the only way to change the subscription is to remove the UICC and insert a new one. However, as the number and application of connected devices grows, as part of the development of the‘Internet of Things’ (loT), the limitations imposed by the need to have a physical card to provide identify information has become more of a hindrance to the adoption of new technologies.

One growing application for loT devices is in distributed sensor networks. Having a large number of autonomous, connected sensor devices can offer a big

improvement in efficiency by reducing the need for expensive periodic and timely manual inspections. This is particularly the case where it is desired to monitor harsh environments, such as those that are normally not considered safe for humans. Connected sensors that allow for such remote monitoring, inspection and predictive maintenance, often need to be installed at relatively inaccessible locations, typically outdoor areas, but be connected to the Internet. It may be seen that using a cellular data network will often provide the most appropriate access technology in terms of range, data rate etc. for many such use cases. However, use of a physical UICC to get access to the network may pose other challenges.

One challenge is that many loT devices such as remote sensors are designed to be small so that the physical size of the UICC, albeit reduced in recent years, may still limit the achievable size of these devices. Another is that the use of cellular networks for loT is evolving both in terms of technology (LTE-M, NB-loT), and in term of business models. The existing models of pricing and subscriptions may not apply to loT use cases. For example locking a device to one operator may be detrimental for device manufacturers, users or both. In light of this, the need to exchange a physical card in order to change a service provider, thereby negating the benefit of having remote sensors, could be a significant disadvantage.

It has also been appreciated that in contrast with a smartphone model, in which a subscriber would have a single device transferring relatively large amounts of data, in an loT remote sensor deployment there could be hundreds or thousands of devices, each of which only may send very small amounts of data sporadically. Billing a user for small amounts of data for each of a large number of devices is unmanageable and inconvenient for the user as well the network operator. Hence a newer pricing and subscription management model is needed. Moreover there is a need to be able to add new devices regularly (either for expansion or replacement) and to be able easily to change ownership or management of sensors - e.g. as part of a resale of services and/or properties.

In view of the above considerations, the embedded UICC (eUICC) has been developed and is also the subject of a GSMA standard, Remote Provisioning Architecture for Embedded UICC Technical Specification. In contrast to the physical cards discussed above, an eUICC is not detachable from the device but rather is integrated in the device at the time of manufacture. However rather than the eUICC being fixed to a single unique subscription, it can adopt new subscription

information which offers the ability to manage and change the subscription of the device remotely. This addresses many of the difficulties outlined above. It also allows, for example, the ability to switch profiles based on location, to get better services and/or more attractive pricing, in use cases such as connectivity in smart cars or tracking devices.

When a device incorporating an eUICC is manufactured, the eUICC is provided with an initial provisioning profile. As defined in GSMA standard, this allows the device to make a first connection to the cellular network in order that it can be registered. The initial provisioning profile serves only the purpose of providing initial internet connection to the Subscription Manager-Secure Routing (SM-SR). This profile is prohibited to be used for any other purpose. Thereafter, the device can be provided with a more permanent profile for accessing the network, albeit one that can be remotely managed as described above.

The Applicant has realised however that the existing system for provisioning devices with eUICCs has some drawbacks, particularly that in order to provide an initial provisioning profile at manufacture stage, it is necessary for a manufacturer to pre-select a MNO (and possibly therefore a geographic area in which it can be used) and to have an agreement in place with that MNO.

Summary

When viewed from a first aspect the present invention provides a method of connecting an unprovisioned first mobile unit to a wireless telecommunication network comprising a plurality of base stations and a plurality of further mobile units, the base stations being connected to a network infrastructure including a subscriber profile management system comprising storage having stored thereon a plurality of subscriber profiles including unique identifiers associated with each of said further mobile units, the method comprising:

establishing a connection from said first mobile unit to a further network, separate from said wireless telecommunication network;

said first mobile unit issuing a subscription access request over said further network to said subscriber profile management system;

said subscriber profile management system issuing a subscriber profile for said wireless telecommunication network including a unique identifier for said first mobile unit;

communicating said new subscriber profile to said first mobile unit using said further network; and

said first mobile unit using said subscriber profile to connect to one of said base stations using said wireless telecommunication network.

Thus it will be seen by those skilled in the art that in accordance with the invention an mobile unit can connect to a subscriber profile management system without having to do so via the wireless telecommunication network (typically a cellular network). This makes it possible to circumvent the typical requirement of cellular networks that a mobile unit cannot connect to a base station without a valid profile. Thus it provides, for example, a way for an unprovisioned mobile unit to connect to the network without requiring an initial provisioning profile. The device can communicate with the subscriber profile management system, unconventionally, via the further network, and obtain a new subscriber profile. This subsequently allows the device to communicate with the wireless telecommunication network as desired. It will be understood by those skilled in the art that the term‘new subscriber profile’ as used herein may refer to an initial provisioning profile, or a full Issuer Security Domain Profile (ISD-P).

This may provide a number of advantages, particularly in the loT context mentioned above. It allows, for example, a device manufacturer to produce devices which can be used in any jurisdiction, without any pre-existing arrangements with mobile network operators (MNOs), or can be easily moved between MNOs or jurisdictions without requiring any physical interaction with the device. This is advantageous where the device is one of a large number dispersed widely and/or remotely, and otherwise designed (e.g. with appropriate battery life or other power source) not to require physical attendance thereto.

In a set of embodiments the method comprises the subscriber profile management system choosing a subscription for the device automatically. This allows the device access to the wireless telecommunication network automatically, with no input required from the device operator.

In an alternate set of embodiments, the method comprises transmitting information relating to a plurality of subscriptions to the device using the further network. This may allow a user to choose which subscription is desired on initial provisioning.

The device may then transmit information relating to a chosen subscription to the subscriber profile management system using the further network.

The further network recited above could comprise any network able to provide connectivity to the subscriber profile management system. Typically the subscriber profile management system would be connected to the Internet and thus the further network need itself only provide a connection to the Internet. The further network could comprise any access network, for example, Bluetooth, WiFi or even a wired networks like a Point to Point Protocol (PPP) over a Universal Asynchronous Receiver-Transmitter (UART). In a set of embodiments the further network comprises a Wi-Fi network. This is advantageous as many loT devices will be provided with Wi-Fi connectivity capability in addition to the cellular network connectivity described herein.

In a set of embodiments the first mobile unit comprises an eUICC. This could be a hardware or software eUICC.

In a set of embodiments said wireless telecommunication network comprises a cellular communication network, e.g. an LTE network - e.g one that supports NB- loT.

In a set of embodiments the method comprises the device communicating with the subscriber profile management system in order to manage subscriptions after the initial connection. Brief description of the drawings

Certain embodiments of the invention will now be described, by way of example only, with reference to the accompanying drawings in which:

Fig. 1 is a schematic diagram of a known device and network configuration;

Fig. 2 is a simplified schematic diagram of an eUICC and its security components; Fig. 3 is a known remote provisioning method for switching a device’s mobile network operator; and

Fig. 4 is a schematic diagram of a device and network configuration in accordance with an embodiment of the present invention.

Detailed description of the drawings

A conventional Universal Integrated Circuit Card (UICC) is typically used to enable a host device to communicate with a mobile telecommunications network. A UICC used for such purposes will run a Subscriber Identity Module (SIM) application, which contains the relevant profile and unique identification data for establishing communication with the network. This data is present on a UICC upon purchase, and can not be changed.

Recently, a new type of UICC has been developed, known as an embedded Universal Integrated Circuit Card (eUICC). This is typically a physical chip embedded into a host device that performs the functions of a classical UICC, and is provided with an initial profile upon sale of the device. eUICCs are commonly used in cases where physical replacement of a UICC e.g. to use the device with a new subscription is not feasible.

When using a standard UICC, if a user wishes to switch subscription or mobile network operator, a new UICC is obtained, and placed in the host device. However, this is not achievable with an eUICC. Therefore, a method is employed that allows the eUICC to download and activate a new profile, potentially from a new mobile network operator, directly from the network that it is currently connected to.

However, an initial profile is still required in order to have communication with the network upon initialisation of the device. Fig. 1 shows a highly simplified schematic diagram of a prior art device and network configuration that allows a device to initialise a subscription with a mobile network operator. A device 100, comprising an eUICC 102, is initially sold with the required provisioning profile for connection with a Mobile Network Operator (MNO) 108. This profile allows for communication between the device 100 and the subscription manager 110, in order to activate a pre-installed, or download a new ISD-P relating to a subscription for the device.

This ISD-P comprises unique identification information for the device’s

subscription, together with initial subscription information for the network, which is managed by a subscription manager 110 which is a common entity connected to the network. The subscription manager comprises a Subscription Manager - Secure Routing module 1 12 (SM-SR), and a Subscription Manager - Data

Preparation module 1 14 (SM-DP). The subscription manager 110 oversees identification and management of a specific subscription for a particular device. This is done regardless of the MNO for which the subscription is intended. The SM-DP 1 14 is the entity which a MNO 108 uses to securely encrypt its operator credentials to a particular profile, and the SM-SR is the entity that delivers the encrypted details to the device 100, and manages them thereafter.

With further reference to Fig. 2 the eUICC 102 may be seen in more detail, albeit still in simplified schematic form. The eUICC 102 comprises a plurality of Issuer Security Domain Profiles (ISD-P) 202, 204, an Issuer Security Domain Root (ISD-R) 206, and an eUICC Controlling Authority Security Domain (ECASD) 208.

An ISD-P 202, 204 encapsulates the profile of a specific subscription from a specific MNO 108 and implements the profile management interface towards the SM-DP 114. Typically, at least one ISD-P 202 containing a provisioning profile for communication with an MNO 108 is factory provisioned into the eUICC 102. This enables a network connection from the factory, but also requires the manufacturer of the device (comprising the eUICC 102) to have a contractual agreement with the MNO 108.

The device 100, once initialised, can attempt to connect to the MNO 108 using an initial provisioning profile. Providing it is in range of an appropriate cellular base station 104, the device 100 connects to the cellular base station 104, which may be, for example, a Long Term Evolution (LTE) eNodeB. Once the device 100 is connected to the base station 104, the unique provisioning profile information is passed to the subscription manager 110, via the MNO 108 and the internet 106. Once the network subscription manager 1 10 has approved the provisioning profile identification, the device may then request activation of a pre-installed ISD-P 202, 204, or request to download a new one. Once activated, the device 100 can communicate freely with the network under the terms of the subscription agreement tied to the activated ISD-P 202, 204.

After this initial connection is in place, the device 100 comprising the eUICC 102 may wish to switch profiles, for example by changing MNO, or changing the subscription. Therefore, the eUICC 102 may have multiple ISD-Ps 202, 204 during its lifespan, with only one enabled at any instant. The ISD-P 202, 204 provides access and protection to the profile that it encapsulates, and each specific profile is uniquely identified with the Integrated Circuit Card ID (ICCID). The ISD-P 202, 204 remains associated with the ISD-R 206 during the lifetime of the eUICC 102.

The ISD-R 206 is factory provisioned into the eUICC 102, and implements the platform management interface towards the SM-SR 112. This enables the device 100 comprising the eUICC 102 to have direct communication with the network 108. Furthermore, the ISD-R 206 also provides transport for any profile managing that the eUICC 100 performs. For example, the eUICC 102 may attempt to download a further profile from a mobile network operator (MNO), and this is handled by the ISD-R 206. The ISD-R 206 manages any memory and resources that an ISD-P 202, 204 may require, as well as creating the security domain for the ISD-P 202, 204.

The ECASD 208 encapsulates and protects the identity and authenticity of the eUICC 102. The ECASD 206 is factory provisioned into the eUICC 102 with an eUICC Identifier (EID), a public certificate and a private key to authenticate the eUICC 102. In order for this authentication and other secure processes to occur, key agreement and signature algorithms are also factory provisioned into the eUICC 102. The ECASD 208 remains associated with the ISD-R 206 during the lifespan of the eUICC 102, and serves as the root of all trust for all entities within the eUICC 102. Of course, the ECASD 208 is involved in key establishment with the SM-SR 1 12 and SM-DP 114. The ECASD 208 is only accessible via the ISD-R 206.

If and/or when the device owner decides to change the device’s subscription, the device undertakes a process as described below with reference to Fig. 3, in order to obtain a new subscription profile, and potentially to communicate with a different MNO.

Fig. 3 shows a simplified schematic implementation of a prior art method from the GSMA standard, Remote Provisioning Architecture for Embedded UICC Technical Specification. This method provides a way of enabling a device to have a series of subscriptions throughout its lifetime. These subscriptions can be remotely managed. Subscription management includes the ability to download new subscriptions, delete old ones, and enable or disable existing subscriptions.

Initially, a device 302 is sold that comprises an eUICC 306, with an initial provisioning profile. Once initialised, this device can communicate with a first MNO 310 using a now activated ISD-P 308 as described above. A subscription manager 312 comprising a SM-SR 314 and a SM-DP 316 verifies the profile, identification and subscription of the initial ISD-P 308 during communication of the device 304 with the first MNO 310.

After some time, a user 302 may decide to switch subscription, or MNO. This request is input into the device 304, and communicated to the first MNO 310 and subscription manager 312. The subscription manager 312 can then create a new, second ISD-P 320 for the device via the SM-SR 314. The second ISD-P 320 is then downloaded to the device 304, and stored in the eUICC 306.

The eUICC 306 then disables the initial ISD-P 308, and enables the second ISD-P 320. It is thus ensured that only one profile is enabled at any one time. Confirmation of this switch in ISD-P is communicated to the subscription manager 312. The device 304 can then use the second ISD-P 320 to communicate with a second MNO 318. Fig. 4 shows a highly simplified schematic diagram of a device and network configuration in accordance with an embodiment of the present invention that allows a device to obtain an initial provisioning profile and/or ISD-P for

communication with a cellular network. A device 400, comprising an eUICC 402, is sold with no initial provisioning profile or ISD-P. This means that there is no unique subscription for the device 400 and thus the device 400 cannot connect to a mobile network.

In order to establish communication with a mobile network, the device 400 first connects to a further network, such as a Wi-Fi network 406 in this case. This Wi-Fi network 406 is connected to the internet 408. Through the Wi-Fi network 406, and the internet 408, the device 400 can connect to a plurality of MNOs 410, 412, and a subscription manager 414, in order to issue a provisioning request. The

subscription manager can then issue a new provisioning profile, and/or a new ISD- P to the device, via the internet 408 and Wi-Fi network 406, which includes a unique identifier for the device. The subscription manager 414 may choose an appropriate ISD-P for the device, and activate it immediately to allow the device to communicate with the network. Alternatively, the subscription manager may provide the device with a plurality of subscription options. The device operator can then choose which MNO he/she wishes to register the device 400 with, and which specific subscription package they would like. Once selected, the device 400 can communicate the selection to the subscription manager 414, and establish a more permanent method of communication with the selected MNO 410, 412, via a cellular base station 404, as is described above with reference to Fig. 2.

Should the user decide to switch subscription at some point during the device’s lifetime, but after the initial ISD-P download/activation, the known method of Fig. 3 can be used. Alternatively, the device 400 may communicate with the subscription manager 414 via the Wi-Fi network 406, rather than the standard mobile network, in order to manage any subscriptions after the initial subscription has been set up - e.g. to download and activate a new ISD-P.

An advantage of the system described herein is that no extension of the existing interfaces is required. It is required by the eUICC standard that the intrinsic security of each realm and the data exchanged between them must be protected. Quoting from the standard:“Any communication between two security realms of the eUICC ecosystem shall be origin authenticated (mutual authentication), as well as integrity- protected and, unless otherwise specified... confidentiality protected”. In order for this to take place, Public Key Infrastructure is used for mutual authentication and key establishment. Advanced Encryption Standard (AES) is used for encryption.

The ECASD within the eUICC 402 is provisioned to use Elliptic Curve cryptography Key Arrangement (ECKA), and Elliptic Curve cryptography Digital Signature Algorithm (ECDSA). Transport Layer Security (TLS) is used for application protocols, where applicable, for communication between on-card and off-card components. Defining clear role definitions, access rights, privileges and security realms is crucial to good security. The eUICC specification mentioned above clearly defines domains within the eUICC, their access and roles, as well as specifying key sizes and other interface requirements. For example, there is no access of data between ISD-Ps.

These secure procedures extend to the interfaces between the device 400 and the Wi-Fi network 406, as well as to the interfaces between the Wi-Fi network 406 and the subscription manager(s) 410, 412.

Current standards for communication between the device 400 and the eUICC 402 already have the necessary commands for the eUICC 402 to be able to request a Domain Name Server (DNS) resolution and TCP connection from the device.

Therefore, the eUICC credentials never leave the eUICC 402 in the described embodiments and so these embodiments of the invention which use a separate access medium available on the device for remote provisioning is as secure as using the cellular network that mandates having a provisioning profile.

The secure communication between the eUICC 402 and the device 400 are standardized in the following specifications. http://www.etsi.org/deliver/etsi_ts/l02200_l02299/l02225/l0. 00.00_60/ts_l02225v

100000p.pdf http://www.etsi.org/deliver/etsi_ts/l02200_l02299/l02226/l2. 00.00_60/ts_l02226v l20000p.pdf