What Is IoT SAFE and How Does it Improve IoT Security?


Quick Definition: IoT SAFE (IoT SIM Applet For Secure End-to-End Communication) is a GSMA specification that uses the SIM as a hardware Root of Trust for device-to-cloud IoT security. An applet on the SIM stores the device's security credentials (keys and certificates) and performs the cryptographic operations that use them, so private keys never leave the SIM.

IoT SAFE is one of the ways the mobile industry is consolidating security functions into fewer components and moving key storage and private-key operations out of the IoT application and into a dedicated secure component. It leans on the SIM card to mitigate the risk of credential theft and device impersonation, so you can build a more secure infrastructure for your IoT solutions.

But what does it actually do? And why should IoT manufacturers trust SIMs (and the connectivity providers who supply them) to handle these aspects of their IoT security? And how do you get SIMs with IoT SAFE applets?

Let’s discuss each of these questions separately.

What does IoT SAFE do for your devices?

Think of IoT SAFE as a password manager with a hardware vault. The applet holds the pre-shared keys (PSKs), certificates, and private keys your device needs to authenticate to its services, and it exposes the operations the Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS) handshake needs from them, such as signing, key agreement, and random-number generation, without ever exporting a private key. Because every (D)TLS session starts with that handshake, the applet is involved whenever the device opens a secure connection.

To use IoT SAFE, you need a device middleware library. Think of it as the gatekeeper between your device's standard (D)TLS stack and the SIM: whenever the handshake needs a credential or a private-key operation, the stack calls into the middleware, and the middleware forwards the request to the applet through the IoT SAFE interface. That interface is the secure locker where the PSKs and certificates needed to establish a connection with other devices or servers are kept; the application gets handles to them, not the secrets themselves.

When your device needs to access IoT SAFE, it usually does so through standard modem/module AT commands. The application wraps each ISO 7816 command APDU in the generic SIM access command AT+CSIM (defined in 3GPP TS 27.007), the modem relays it to the SIM over its ISO 7816 interface, and the response APDU comes back the same way. The modem is only a pass-through here; it does not interpret the IoT SAFE messages, and the application needs no card driver of its own. A practitioner's caveat: some modules expect applets to be addressed on a logical channel with AT+CCHO and AT+CGLA instead of AT+CSIM, so check the module's AT command reference before building the middleware.

Additionally, the applet carries out the cryptographic primitives the TLS/DTLS handshake depends on, sort of like how a password manager saves you the trouble of manually retrieving and entering credentials. The (D)TLS stack itself still runs on the device; what the applet takes over is the part that touches secrets: computing signatures with the device's private key, deriving shared secrets, and generating fresh random values. Authentication between network entities is far more complex than logging into a website, with more back-and-forth and a full handshake, but that is exactly what makes this split valuable to IoT businesses. The secrets stay inside tamper-resistant SIM hardware, and the application code only ever sees the results of the operations.
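The middleware-to-applet exchange described above, as an added example that is not code from emnify or from the GSMA specification. The AT+CSIM framing and the ISO 7816-4 APDU layout are standard; the applet AID, the instruction bytes, and the "compute MAC" operation are constructed placeholders for a simulated applet, not the real IoT SAFE APDU set. The point it shows is the division of labour: the device-side code selects the applet, asks it for a nonce, and asks it to authenticate a handshake transcript, while the secret itself never crosses the AT interface.

```python
"""Simulated device middleware talking to a SIM applet over AT+CSIM.

Standard parts: AT+CSIM=<length>,"<hex>" / +CSIM: <length>,"<hex>" framing and
ISO 7816-4 short APDUs (CLA INS P1 P2 [Lc data] [Le]).
Constructed for this example (NOT the real IoT SAFE applet): the AID, the
INS codes below, and an HMAC-SHA256 "compute MAC" operation standing in for
the applet's real private-key operations.
"""
import hashlib
import hmac
import secrets

EXAMPLE_AID = bytes.fromhex("A000000000000001")  # hypothetical AID
INS_SELECT = 0xA4        # ISO 7816-4 SELECT
INS_GET_RANDOM = 0x84    # constructed for the simulation
INS_COMPUTE_MAC = 0x2A   # constructed for the simulation
SW_OK = (0x90, 0x00)


def build_apdu(cla, ins, p1, p2, data=b"", le=None):
    """Assemble a short ISO 7816-4 command APDU."""
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + data
    if le is not None:
        apdu += bytes([le])
    return apdu


def build_csim(apdu):
    """Wrap an APDU in AT+CSIM; <length> counts hex characters, not bytes."""
    hexstr = apdu.hex().upper()
    return f'AT+CSIM={len(hexstr)},"{hexstr}"'


def parse_csim(line):
    """Parse '+CSIM: <length>,"<hex>"' into (data, sw1, sw2)."""
    if not line.startswith("+CSIM:"):
        raise ValueError(f"unexpected modem response: {line!r}")
    length, quoted = line[len("+CSIM:"):].strip().split(",", 1)
    hexstr = quoted.strip('"')
    if int(length) != len(hexstr):
        raise ValueError("length field does not match payload")
    raw = bytes.fromhex(hexstr)
    if len(raw) < 2:
        raise ValueError("response shorter than a status word")
    return raw[:-2], raw[-2], raw[-1]


class SimulatedSimApplet:
    """Stand-in for the card side: holds a secret that no APDU returns."""

    def __init__(self, secret):
        self._secret = secret   # lives on-card only
        self._selected = False

    def _reply(self, data=b"", sw=SW_OK):
        payload = (data + bytes(sw)).hex().upper()
        return f'+CSIM: {len(payload)},"{payload}"'

    def transmit(self, at_command):
        """Behave like a modem forwarding AT+CSIM to the card and back."""
        assert at_command.startswith("AT+CSIM=")
        _, quoted = at_command[len("AT+CSIM="):].split(",", 1)
        apdu = bytes.fromhex(quoted.strip('"'))
        cla, ins, p1, p2 = apdu[:4]
        body = apdu[5:5 + apdu[4]] if len(apdu) > 4 else b""
        if ins == INS_SELECT:
            self._selected = body == EXAMPLE_AID
            return self._reply(sw=SW_OK if self._selected else (0x6A, 0x82))
        if not self._selected:
            return self._reply(sw=(0x69, 0x85))  # conditions of use not satisfied
        if ins == INS_GET_RANDOM:
            return self._reply(secrets.token_bytes(apdu[-1]))  # Le = byte count
        if ins == INS_COMPUTE_MAC:
            return self._reply(hmac.new(self._secret, body, hashlib.sha256).digest())
        return self._reply(sw=(0x6D, 0x00))  # INS not supported


def exchange(sim, apdu):
    """Send one APDU via AT+CSIM; return its data or fail on a bad status word."""
    data, sw1, sw2 = parse_csim(sim.transmit(build_csim(apdu)))
    if (sw1, sw2) != SW_OK:
        raise RuntimeError(f"APDU {apdu.hex().upper()} failed: SW {sw1:02X}{sw2:02X}")
    return data


def middleware_authenticate(sim, transcript):
    """Device-side flow: select the applet, fetch a nonce, have the card MAC the
    handshake transcript. The device only ever handles the nonce and the MAC."""
    exchange(sim, build_apdu(0x00, INS_SELECT, 0x04, 0x00, EXAMPLE_AID))
    nonce = exchange(sim, build_apdu(0x00, INS_GET_RANDOM, 0x00, 0x00, le=16))
    mac = exchange(sim, build_apdu(0x00, INS_COMPUTE_MAC, 0x00, 0x00, nonce + transcript))
    return nonce, mac


def server_verify(secret, nonce, transcript, mac):
    """Server side, which shares the constructed secret, checks the MAC."""
    expected = hmac.new(secret, nonce + transcript, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    sim = SimulatedSimApplet(b"constructed-psk-0001")  # constructed sample secret
    nonce, mac = middleware_authenticate(sim, b"ClientHello|ServerHello")
    print("nonce", nonce.hex(), "mac", mac.hex())
    print("server accepts:", server_verify(b"constructed-psk-0001", nonce,
                                           b"ClientHello|ServerHello", mac))
```

Two details in the simulation are the ones that matter in a real deployment: the applet refuses every operation until it has been selected (status word 6985 here), and the only thing the device can do with the secret is ask for results computed from it. A real IoT SAFE applet returns signatures and derived keys rather than an HMAC, but the trust boundary sits in the same place.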

Why IoT SAFE leverages SIMs

SIM cards are highly standardized components that every cellular IoT device already has. They come in several form factors (removable SIM, eSIM, and iSIM) and can carry vendor-specific software or applets, but the underlying platform has to meet the same fundamental specifications. With a standardized applet designed to run on these standardized SIMs, the SIM can serve as a hardware Root of Trust that scales with your business, because it is built into a component you already have. There is no need to invest in additional hardware or design your device around extra components. The SIM is a tamper-resistant secure element, so it can play the role that a Trusted Platform Module (TPM) or a discrete secure element would otherwise fill, without adding a chip to the board.

Historically, connectivity and security have often been treated as disparate services provided by separate vendors. But this model complicates your IoT ecosystem. It requires constant work to ensure your connectivity and security solutions are in sync, and as your business evolves, these separate technologies need to keep up and integrate with your other tools and services. IoT SAFE helps consolidate these functions by empowering your connectivity components (specifically, the SIM) to handle key security capabilities.

Many IoT devices lack the secure storage and the hardware cryptography needed to protect credentials themselves. A key kept in a general-purpose microcontroller's flash can be read out by anyone with physical access or a firmware bug, and public-key operations are slow on constrained cores. The SIM, by contrast, already has tamper-resistant storage and a cryptographic coprocessor, and keys, certificates, and application credentials are small enough to live comfortably in an applet there. Until IoT SAFE, there simply wasn't a standardized applet to handle this in the SIM.

Additionally, SIMs and their applets can be managed remotely over the air. So as credentials and authentication processes change, or devices need access to new services (and thus, new credentials), you can update the information stored in the IoT SAFE applet without touching the device.

As modern IoT businesses move to consolidate connectivity and security solutions, aligning with SASE architecture is a must. Download our free ebook to see how our SASE-driven architecture helps protect your IoT devices and customers.

How to get IoT SAFE SIMs

As a leader in cellular IoT, emnify will be among the first providers to offer SIMs that meet the IoT SAFE standard. While they aren’t currently available, we will begin testing toward the end of 2023.

To learn more about when we’ll have these ready for your devices, talk to one of our IoT experts today. Or, to see what else emnify can do for you, start a free trial. We’ll send you a free test SIM with a prepaid data plan and 60 days of complete access to our platform.

Get in touch with our IoT experts

Discover how emnify can help you grow your business and talk to one of our IoT consultants today!