WO2017013127A1 - Method for detecting remote access of a universal integrated circuit card (uicc) - Google Patents

Info

Publication number
WO2017013127A1
Authority
WO
WIPO (PCT)
Prior art keywords
messages
mobile equipment
mobile
uicc
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/EP2016/067203
Other languages
French (fr)
Inventor
Guy VAN DER MEEREN
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sigos Nv
Original Assignee
Sigos Nv
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sigos Nv

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W24/00 Supervisory, monitoring or testing arrangements
    • H04W24/08 Testing, supervising or monitoring using real traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/126 Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Definitions

  • the present invention generally relates to a method for detecting a mobile equipment making use of remote access of a UICC. For example, a method for detecting a GSM mobile phone making use of remote access to a SIM card.
  • a Universal Integrated Circuit Card or UICC is a smart card used for subscriber authentication in telecommunication networks. It is for example used in mobile stations of mobile telecommunication networks, such as for example Public Land Mobile Networks or PLMN, most satellite telephone networks, etc.
  • GSM Global System for Mobile Communications
  • ETSI European Telecommunications Standards Institute
  • 3G or third-generation mobile telecommunication networks such as for example UMTS or Universal Mobile Telecommunications System networks or other standards developed by the 3rd Generation Partnership Project or 3GPP, etc;
  • fourth-generation mobile telecommunication networks such as for example LTE Advanced or Long Term Evolution Advanced, or the IEEE 802.16m or WirelessMAN-Advanced, etc;
  • a typical UICC is coupled to the mobile equipment of a mobile station in order to ensure the integrity and security of subscriber data.
  • a typical UICC is physically implemented as a smart card, usually made of PVC with embedded contacts and semiconductors, that can be inserted in a corresponding card slot of the mobile equipment.
  • eUICC Embedded Universal Integrated Circuit Card
  • the UICC is thus a physical component such as for example a smart card, comprising electronic circuitry that provides for hardware components such as for example a CPU, ROM, RAM, EEPROM and suitable I/O circuits.
  • Currently available UICCs typically provide a storage capacity of 32 KB to more than 128 KB; this storage capacity is expected to grow in order to provide for the increasing demand for more services.
  • a UICC comprises one or more applications that can be loaded when the UICC is in use by the mobile station of a subscriber.
  • the applications of the UICC communicate with the mobile equipment of the mobile station.
  • the UICC could be coupled to a suitable server or other suitable computing system, configured to communicate with the UICC, for example by means of a suitable API, such as for example a SIM application toolkit as specified by 3GPP, ETSI, etc.
  • Known applications of a UICC are for example: a SIM or Subscriber Identification Module application for subscriber identification in a GSM network;
  • an ISIM or IP Multimedia Services Identity Module application for parameters for identifying and authenticating the user to the IMS or IP Multimedia Subsystem in a 3G mobile telecommunication network
  • the UICC may comprise one or more such suitable applications in order to provide subscriber authentication functionality to a mobile station for any number of desired services in any number of desired types of telecommunication networks.
  • a UICC may comprise both a SIM application and a USIM application in order to provide user authentication in both GSM and UMTS networks.
  • the UICC typically also provides for secure storage of network-specific information used to authenticate and identify subscribers such as for example an integrated circuit card identifier or ICCID, an International Mobile Subscriber Identity or IMSI, an Authentication key or Ki, etc.
  • the UICC often also provides for carrier-specific data such as the SMSC or Short Message Service Center number, Service Provider Name or SPN, etc.
  • UICCs also provide for storage of a number of SMS messages, phone book contacts and other applications.
  • a UICC was often referred to as a "SIM card", thereby referring to any physical card comprising a SIM application.
  • UICC is the terminology for referring to the physical component which comprises one or more applications such as for example a SIM, USIM, ISIM, CSIM, etc. application. It is thus clear that the term UICC as used in the context of this application also refers to physical cards which are generally referred to as a "SIM card".
  • a usual subscriber to a PLMN makes use of a mobile station with a mobile phone as mobile equipment comprising a suitable card slot.
  • In this card slot there is then inserted a physical UICC smart card.
  • the mobile phone with inserted UICC smart card thereby forming a mobile station comprising a mobile equipment in the form of a mobile phone and a Subscriber Identity Module application or other suitable application for identifying and authenticating subscribers as provided by the UICC.
  • the card slot and the corresponding electrical contacts on the UICC smart card thus forming an interface between the mobile equipment and the UICC which provides for a direct connection.
  • During a sign-on operation to the telecommunication network there is at least one authentication phase in which the mobile equipment needs to exchange data with the physical UICC smart card in response to an authentication request from the telecommunication network.
  • An embodiment of such prior art communication between a mobile phone and a physical UICC in the form of a physical "SIM card" or PSIM is for example explained in more detail in EP1566069, more particularly with reference to Figure 2.
  • the mobile equipment, which for example also comprises a suitable UICC interface, such as a card slot for a physical UICC, is not directly connected to a physical UICC by means of this UICC interface. Instead, the UICC interface of the mobile equipment is connected remotely to the physical UICC or physical "SIM card" or PSIM.
  • a data communication network such as for example a suitable local area network or LAN and/or a suitable wide area network, such as for example a suitable Internet Protocol based network as the internet.
  • the plurality of mobile equipment might for example be implemented as a test unit comprising a mobile gateway, such as for example a GSM gateway, with for example 30 mobile stations which can be automatically controlled by means of a suitable control system for performing tests on the telecommunication network.
  • These mobile stations could then each be connected by means of a suitable data network, such as the internet, to selectively remotely connect to a plurality of physical UICC.
  • This plurality of physical UICC could for example be several hundred or over thousand physical UICC which are arranged in a SIM card multiplexer or SIM Mux or SIM server for selective remote connection to a mobile station of a test unit.
  • SIM MUX is for example the "SIM Rack 256" marketed by iQsim, see for example www.iqsim.com/sim racks.htm , and which allows to manage up to 256 physical UICC in the form of SIM cards.
  • SIM MUX or SIM server is known as the IRON SIM Server One currently marketed by iQsim, see for example www.iqsim.com/iron_sim_server_one.htm , which is a SIM server which allocates remotely the most appropriate "SIM cards" to GSM Gateways based on usage, time and price plans criteria.
  • the SIM Server One has an embedded capability to store up to 256 "SIM cards" and an additional capacity by adding external "SIM Rack 256" systems of up to 2496 "SIM cards".
  • an application referred to as a virtual UICC or virtual "SIM card" or VSIM.
  • This VSIM functionality, such as for example explained in more detail in EP1566069, more particularly with reference to Figure 3, could for example be implemented in a SIM simulation computer and is often connected to the mobile equipment directly or with a data communication network that has a shorter roundtrip time than the data communication network between the mobile equipment and the PSIM.
  • the UICC interface of the mobile equipment could for example be connected to the VSIM functionality by means of a suitable adapter cable, or by means of a Local Area Network, while the signal path between the mobile equipment and the PSIM involves at least a Wide Area Network such as the internet.
  • a further known manufacturer of such UICC virtualization technologies and SIM Servers, enabling "SIM cards" to be stored and managed centrally and remotely utilized is implementa, see for example www.implementa.com.
  • Such remote access of a physical UICC has legitimate use, such as for example in test systems for mobile telecommunication networks as for example known from EP1566069 or EP1554903. This allows for example to arrange a plurality of test probes at different test sites at different geographical locations within the telecommunication network under test.
  • test probes could for example be implemented as a test unit or mobile gateway, which comprises for example a set of 30 mobile stations, each comprising a mobile equipment with a suitable UICC interface.
  • the UICC interfaces of the mobile equipments of these test probes could then be remotely connected along at least a suitable data communication network, such as for example a suitable internet connection, to a central authentication site which comprises a SIM multiplexer in which for example a high number of physical UICC can be centrally arranged and maintained, for example several hundreds of physical UICC, for selective use by the test probes.
  • a SIM simulation or emulation computer or server providing for virtual UICC functionality in order to reduce the amount of data exchange between the remotely arranged physical UICC and the mobile equipment.
  • Such systems for remote access to a plurality of physical UICC are only put to use in test systems or in such fraud systems involving a bypass of an interconnect of a telecommunication network.
  • the latter systems typically make use of remote access to a far higher number of physical UICC than the former.
  • SIM BOXes and/or SIM MUXes are used in order to avoid detection by means of suspicious call patterns. For example, in order to avoid detection by making a large number of calls correlated to a single fixed geographic location, such fraudulent bypass operators make use of a plurality of SIM BOXes spread amongst a plurality of different geographic locations.
  • SIM BOXes at different locations are coupled to a SIM MUX, which allows the remote use of any of its physical UICCs to be spread amongst these different SIM BOXes and thus amongst the different geographic locations.
  • the calling behaviour associated with each of the UICCs in this way will show calls being spread amongst a plurality of locations, thereby more closely aligning with normal behaviour of real human subscribers and thereby reducing the risk of detection.
  • the SIM MUXes operated by bypass operators provide for a very high number of UICCs, for example 100 or 1000, while only supporting a limited number of channels for concurrent calls, for example 10 or 50.
  • SIM MUXes spread the use of the high number of UICCs amongst the more limited number of channels for establishing calls, thereby reducing the number of daily calls for each of the individual UICCs to a level of for example less than 10 calls per day which aligns better with call patterns of real subscribers and thereby reduces the risk for detection.
  • a method for detecting remote access of a UICC by a mobile equipment in a telecommunication network comprising the steps of:
  • the method comprises the steps of:
  • the method comprises the step of:
  • the mobile equipment of a real human subscriber without remote access of a UICC will keep the frequency of usage of the IMSI during such location registration operations and/or location update operations as low as possible by making use of the TMSI as much as possible in order to guarantee security and privacy.
  • This thus allows to set a reference for the frequency of usage of the IMSI, or a reference for the share of usage of the IMSI with respect to the TMSI during such location registration operations and/or location update operations by real human subscribers without remote access of a UICC.
  • the frequency of usage of the IMSI for such remotely accessed UICC could be higher than the reference frequency.
  • a detection of a remotely accessed UICC could also be based on a higher share of usage of the IMSI with respect to the TMSI during location registration operations and/or location update operations than the reference share, for example in order to reduce the delay introduced by such location registration operations and/or location update operations.
  • the method comprises the step of:
  • said International Mobile Subscriber Identity or IMSI is always used during said location registration operations and/or location update operations;
  • TMSI Temporary Mobile Subscriber Identity
  • a pattern is detected indicative of reuse of information, stored at a remote location from a physical UICC, for a plurality of different physical UICC accessed by the mobile equipment.
  • the method comprises the step of establishing said reference in function of:
  • IMEI International Mobile Equipment Identifiers
  • Type Allocation Codes or TAC which identify a particular model of a mobile equipment
  • this more efficient detection can be used to shorten the average operational life time of subscriptions related to remotely accessed UICC being put to use in fraud schemes such as a bypass of an interconnect of a telecommunication network, even when an increased number of UICC are involved as the detection is only dependent on the messages received from and/or transmitted to the telecommunication network by the mobile equipment making use of a remotely accessed UICC, and, for example, no longer subject to limits related to a minimum amount of data for allowing statistical analysis or a maximum rate for the generation of test calls.
  • this time period reference range could be manually set to a suitable range for allowing detection, according to particular advantageous embodiments the time period reference range could be dynamically determined in function of time periods related to messages of other mobile equipments and/or to other messages of the same mobile equipment.
  • the time period reference range being used for the detection of remote access of a UICC is being determined in function of for example time periods established for further mobile equipments of which it is known that they do or do not make use of remote access, for example based on their IMEI, or for example by analysis of respectively the higher and lower maxima of the distribution of the time periods related to these messages of a plurality of these further mobile equipments.
  • the comparison of the time period of the first set of messages, which involve use of the UICC, with the time period reference range could thus also be seen as a comparison of the time period of the first set of messages of a mobile equipment with a time period or time period range related to this first set of messages of other mobile equipments of which it is known that they do or do not make use of remote access to the UICC.
  • the time period reference range is determined in function of a time period associated with a second set of messages which do not involve the use of the UICC.
  • This second set of messages could be messages from the same mobile equipment as the first set of messages, or alternatively based on a time period of a second set of messages from a further mobile equipment or the analysis of a plurality of time periods of a plurality of such second set of messages from a plurality of further mobile equipment.
  • the detection is based on the comparison of the time period of a first set of messages of a mobile equipment with the time period of a second set of messages of the same mobile equipment or one or more further mobile equipments.
  • Figure 1 shows a schematic view of different components of an embodiment of a mobile telecommunication network in the form of a GSM network
  • Figure 2 schematically shows the different components of the GSM network of Figure 1 in simplified form in order to identify the different types of interfaces in between them
  • Figure 3 shows a schematic representation of the signalling during an IMSI attach operation or a location registration operation during a sign-on operation of the MS to the GSM network according to the embodiment of Figure 2. It concurrently shows the similar signalling during a location update operation.
  • Figure 4 shows the signalling of the IMSI attach operation or location registration operation according to the embodiment of Figure 3 in more detail.
  • FIG. 1 shows an embodiment of a mobile telecommunication network or public land mobile network or PLMN.
  • the embodiment of the PLMN that is shown is known as a Global System Mobile or GSM network.
  • a PLMN manages all traffic between mobile phones and all traffic between mobile phones and the other telecommunication networks, such as for example other Public Switched Telephone Network or PSTN, an ISDN network, the Internet, etc.
  • the first component shown is identified as a Mobile Station or MS.
  • the MS comprises a Mobile Equipment or ME, such as for example a GSM mobile phone. Additionally, as indicated the MS further also comprises a UICC comprising a Subscriber Identity Module application or SIM. Both the ME and the UICC comprising the SIM application are needed in order to allow the MS to function in the GSM telecommunication network.
  • the ME could for example be embodied as a suitable GSM mobile phone or any other suitable transmitter-receiver unit that is able to connect to the GSM network by means of suitable wireless radio signals.
  • an ME comprises an International Mobile Equipment Identifier or IMEI.
  • the IMEI is a number, comprising 15 digits which allow unique identification of a particular ME.
  • the UICC comprising a SIM application is often provided as a smart card, or "SIM card" that can be inserted into a suitable card slot of the ME.
  • As already explained above, according to the embodiment shown, the UICC comprises data which allows for the unique identification of a subscriber of a GSM network, such as for example an International Mobile Subscriber Identifier or IMSI and a SIM application comprising security features allowing for secure authentication of a subscriber to the GSM network.
  • a UICC with a SIM application for example comprises one or more of the following data and/or applications:
  • the IMSI which comprises a Mobile Country Code or MCC, a Mobile Network Code or MNC and a Mobile Subscriber Identification Number or MSIN;
  • TMSI Temporary Mobile Subscriber Identity
  • CKSN Ciphering Key Sequence Number
  • the LAI comprising a Mobile Country Code or MCC, a Mobile Network Code or MNC and a Location Area Code or LAC.
  • the GSM network transmits the LAI to the MS which subsequently stores it in the SIM.
  • the LAI allows to uniquely identify a particular area within the GSM network;
  • PUK Pin Unblocking Code
  • one of the MS comprises an ME with a directly connected physical UICC comprising a SIM application, such as for example a physical "SIM card" inserted in a suitable smart card slot of a GSM mobile phone, which is indicated in the drawing as "SIM".
  • an MS which is remotely connected to a physical UICC comprising a SIM application indicated in Figure 1 as PSIM
  • the coupling between the ME and the PSIM comprises at least a data network, such as for example a suitable IP network, such as for example the internet.
  • the ME is connected directly to a virtual SIM application indicated as "VSIM", such as for example a SIM simulation computer, and subsequently remotely via the data network with the PSIM.
  • VSIM virtual SIM application
  • this latter MS is able to selectively connect to a plurality of PSIM provided in a SIM multiplexer referred to as "SIM MUX" via the data network.
  • the GSM network further comprises a Base Station Subsystem or BSS and a Network switching subsystem NSS.
  • BSS Base Station Subsystem
  • NSS Network switching subsystem
  • the BSS is an interface for the communication between the MSs and the NSS.
  • the BSS comprises a plurality of Base Transceiver Stations or BTSs. These BTSs are the transceivers installed on the cell towers of the GSM network.
  • One BTS defines a single cell of such a cellular network.
  • a BTS is identified by its Cell Global Identification or CGI, which comprises the LAI and a Cell Identity or CI.
  • the GSM network comprises further a plurality of Base Station Controllers or BSCs.
  • a BSC controls one or more BTSs such that the radio channel setup between a BTS and an MS and handover from an MS from one BTS to another BTS connected to this BSC are provided for.
  • the BSC can according to some embodiments also comprise a Transcode Rate and Adaption Unit or TRAU to manage transcoding of the data rate of voice data.
  • the Network Switching Subsystem or NSS controls multiple BSSs.
  • the NSS houses all subscriber services. It authenticates the UICC through its SIM application for access to the GSM network and setting up calls.
  • the NSS also enables to locate the MS for an incoming call and is able to route outgoing calls inside the GSM network or to other telecommunication networks.
  • the NSS comprises, as shown, an Authentication Centre or AuC.
  • the AuC allows to authenticate a subscriber in order to allow the SIM application of the UICC to set up an encrypted connection between the GSM network and the MS.
  • the AuC comprises the following information for each IMSI:
  • the AuC computes a random challenge or RAND and a corresponding reply or signed response or SRES and an encryption key or Kc, using the A3 and A8 algorithms. These three values RAND, SRES and Kc are often referred to as authentication triplets. These authentication triplets are then stored in the Home Location Register or HLR, which supplies them to the Visiting location Register or VLR, which on its turn supplies them to the Mobile Switching Center or MSC in which service area an MS performs an authentication operation, for example during a sign-on to the telecommunication network.
  • HLR Home Location Register
  • VLR Visit Location Register
  • MSC Mobile Switching Center
  • the actual authentication operation takes place at the level of the MSC, which after sending the random challenge or RAND to the MS via the BSC and BTS, subsequently verifies the MS's response SRES, as will be explained in further detail below. If the MS's response SRES matches the SRES of the authentication triplet provided by the VLR to the MSC, then the encryption key Kc of this authentication triplet is sent from the MSC on to the BTS. This encryption key Kc then allows subsequent encrypted data communication between the ME and the BTS.
  • the implementations for the A3 and A8 algorithms and the secret key Ki are only stored and invoked in the SIM application on the UICC and in the AuC and are only available to the provider of the GSM network.
  • the Home Location Register or HLR comprises the subscriber's information for call control and location determination. There is only one HLR per provider per GSM network. The HLR comprises for each IMSI:
  • the current VLR serving the subscriber which is used to locate the MS in the service area of this VLR;
  • Each MSC maintains one VLR which stores subscriber information for all the MEs with a UICC with a SIM application for the GSM network that are active within the MSC's service area.
  • the home network's HLR is queried for some subscriber information which is then stored in a record in the VLR. This happens after the VLR informs the HLR of the presence of the IMSI of the UICC of the MS in its VLR service area, also referred to as an IMSI attach procedure or location registration for example during a sign-on of the MS to the GSM network.
  • the VLR can then be used by the MSC to route incoming calls to the correct BSS.
  • After some period of inactivity or when a MS has travelled to a different service area, the record for an IMSI is removed from the VLR. In the latter case the removal is commanded by the HLR, and this is also referred to as a Location Update procedure or in the former case an IMSI detach procedure. For every IMSI of a UICC of a MS present in its service area of the related MSC, the VLR stores one or more of the following items:
  • TMSI Temporary Mobile Subscriber Identity
  • the subscriber's current CI. The LAI and the CI together form the Cell Global Identification or CGI and form a unique identifier for each cell in every GSM network;
  • the Mobile Switching Centre or MSC, one for each VLR, is the main component of any NSS. Every BSS can only be connected to a single MSC. All the BSSs connected to a MSC comprise the service area of this MSC and its related VLR.
  • the MSC performs several functions:
  • GMSC Gateway Mobile Switching Center
  • the GSM network also comprises an Equipment Identification Register or EIR.
  • the EIR can comprise lists of IMEIs.
  • the network can give the MS an identify command.
  • the MS will transmit its IMSI, which identifies the UICC comprising the SIM application, and the IMEI, which identifies the ME such as for example the physical mobile phone.
  • the IMSI ends up at the HLR, but the IMEI can be checked against the stored identifiers in the EIR, for example to be able to blacklist stolen mobile phones by means of their IMEI and prevent access to the GSM network even when equipped with a valid UICC.
  • FIG. 2 schematically shows the different components of the GSM network of Figure 1 in simplified form in order to identify the different types of interfaces in between them.
  • the GSM network comprises several different interfaces.
  • the main interfaces are the interfaces that connect an MS to the other telecommunication networks, this thus means the interfaces referenced as Um, Abis, A and E. These interfaces are all split in traffic channels that comprise the speech information during a call and control channels on which the meta-data is transmitted.
  • the Um or air interface connects the MS to the BTS wirelessly via radio waves.
  • the Abis interface connects the BTS to the BSCs and is defined as an LAPD or standard ISDN interface and largely coincides with the data link layer of the Um interface.
  • the Abis interface also allows control of the radio equipment and radio frequency allocations in the BTS.
  • the A interface connects the BSS with a NSS and the E interface is the main interface inside a NSS. All the control channels on the A and E interface are part of the Signalling System #7 or SS7, a collection of telephony signalling protocols defined by the International Telecommunication Union or ITU.
  • the TRAU does not interfere with any of the signalling channels, it only transcodes the voice data.
  • the B, C, D, F and G interfaces are defined by ETSI to synchronize all the different information sources within a PLMN.
  • the ETSI has not defined an interface between the AuC and the HLR, so every provider can make their own decision here. Most providers have the AuC located at the HLR site and often these two databases are integrated.
  • Figure 3 shows a schematic representation of the signalling during an IMSI attach operation or a location registration operation during a sign-on operation of the MS to the GSM network according to the embodiment of Figure 2. It concurrently shows the similar signalling during a location update operation.
  • Figure 3 shows the messages or signals for the authentication during a sign-on operation of an embodiment of an MS remotely accessing a UICC as shown in Figure 2.
  • the MS will request for a service to the MSC referred to as a request for a location registration, also referred to as an IMSI attach operation.
  • the MSC will decide to initiate an authentication procedure as already mentioned above.
  • the MS will issue this request by means of its IMSI.
  • the MSC will request authentication triplets corresponding to the MS's IMSI from the VLR. If the VLR has not yet a related entry for this IMSI or the VLR has already used its supply of authentication triplets for this IMSI, the VLR will, as shown, request up to five new authentication triplets to the HLR/AuC. When the VLR has a supply of authentication triplets, the VLR will return one of these authentication triplets to the MSC. As already mentioned above, the AuC creates the authentication triplets based on the stored secret key Ki and the A3 and A8 algorithms for each IMSI.
  • the MSC sends the challenge RAND of the authentication triplet received from the HLR on to the MS with a message referenced as "Authenticate(RAND, CKSN)".
  • This message when received by the ME of the MS is forwarded to the VSIM and must subsequently be forwarded by this VSIM through the data network to the PSIM.
  • This incoming message for the MS, of the Type I set of messages cannot be handled at the level of the VSIM, as the Ki, A3 and A8 algorithms are stored on the physical UICC referred as "PSIM" in such a way that they cannot be extracted for simulation or emulation in a VSIM.
  • the SIM application of the physical UICC will now compute for the MS a signed response or SRES as A3(Ki,RAND) and the session key or Kc as A8(Ki,RAND) and provide these via the data network, to the ME.
  • the ME will subsequently transmit a message with the signed response, referenced as "SRES" to the MSC.
  • both these Type I messages relate to a particular first set of messages, comprising at least one message, in this case the message referenced "SRES", that was generated by the ME after making use of a UICC. It is clear that making use of a UICC is to be interpreted as making use of a physical UICC.
  • the location registration will be finalised by the MS sending an "Accept LocationRegistration (TMSI)" confirmation message to the MS.
  • TMSI will be generated prior to that message by the MSC and/or the VLR and in this way allow the MS to identify its subscription subsequently by means of this TMSI instead of the IMSI.
  • the MS can send a TMSI reallocation complete message up to the MSC/VLR after which the BSS instructs the MS to go into idle mode by sending it a Channel Release message.
  • the MSC/VLR sends an update Location message to the HLR which records which MSC/VLR has the MS in its service area for subsequent localisation of the MS.
  • the MSC will send a message to the MS telling it that authentication failed. Possibly the MSC can re-attempt authentication, or end the MS connections.
  • Type I messages identified above are messages which relate to a particular first set of messages, which must be processed by a physical UICC. So, in the embodiment shown in Figure 3 for an MS remotely accessing a PSIM, it is clear that these Type I messages must have proceeded through the data network in between the ME and the remotely accessed PSIM.
  • FIG. 3 also concurrently shows a Location Update operation, which is similar to the Location Registration operation described above, however in such a case the VLR already has a TMSI associated with the IMSI of the MS, so that the IMSI, as used in the Location Registration operation described above, can be replaced by the TMSI, as this TMSI can be correlated to the IMSI at the level of the VLR when necessary.
  • This TMSI is also communicated and stored at the level of the VSIM and/or PSIM shown in Figure 3, or at the level of the UICC for an MS with a directly connected physical UICC. In this way the need for subsequent retransmission of the IMSI, for example along the Um interface, is reduced.
  • the GSM network transmits the LAI to the MS which subsequently stores it in the SIM.
  • This LAI allows to uniquely identify a particular area within the GSM network.
  • the SIM can store a list of the most recently used LAIs.
  • Location update operations of human subscribers are initiated by the MS with its current TMSI and current LAI and results in a new TMSI.
  • the MS requests to perform a location update operation, it identifies itself with its current TMSI, also referred to as the old TMSI, and its current LAI, also referred to as the old LAI.
  • the new LAI can be equal to the old LAI.
  • the BSC then appends the CGI of the current BTS to the location update message.
  • the Cell Global Identifier or CGI which is formed by the subscribers current Cell Identity or CI and the LAI together and which define a unique cell in every PLMN, then comprises the LAI and the CI of the current Base Transceiver Station or BTS also referred to as the new LAI or new CI. Subsequently it is checked whether this MS is already authenticated and possibly full authentication as explained with reference to Figure 3 takes place. If authentication was successful, the VLR stores the new LAI for this TMSI and transmits its VLR-ID or VLR identifier to the HLR together with the correlated IMSI of the MS.
  • the new VLR-ID received by the HLR will be the same as the VLR-ID the HLR had already stored.
  • the HLR then responds by sending additional subscriber data to the serving VLR, such as for example a collection of services that this MS is entitled to use. Concurrently the VLR also generates a new TMSI which is transmitted to the MS after the HLR has acknowledged the location update.
  • MS which remotely access a UICC will also exhibit diverging patterns or frequencies for the location update operations and for example usage of the IMSI or TMSI in such operations, for example related to the spread use of a PSIM in its SIM MUX with a plurality of different SIM BOXes, which serve MS at different locations, etc.
  • Type I messages identified above, which are an embodiment of in general a first set of said messages comprising an incoming message for the UICC and a subsequent outgoing message for the UICC, involve a corresponding time period, referenced as TP1, between these subsequent messages.
  • This time period TP1 involved in such a corresponding first set of messages can now be used to detect remote access of a UICC by the ME.
  • the involved data network between the physical UICC or PSIM and the ME will introduce an additional round-trip delay time for such a first set of messages. This additional round-trip delay time of the data network will not be present when the ME accesses the UICC locally.
  • the time period reference range could be set to a time period range for TP1 corresponding to a time period range correlated to an MS that makes use of a locally arranged physical UICC.
  • Such a time period reference range could for example be determined on theoretical basis, such as for example a range of 1 ms to 100ms, or be derived from a number of reference measurements of TP1 for MS with a locally arranged physical UICC.
  • Figure 4 shows the signalling of the IMSI attach operation or location registration operation according to the embodiment of Figure 3 in more detail.
  • the location registration of Figure 4 as mentioned above is performed during a sign-on procedure of the MS to the GSM network.
  • changing every occurrence of the IMSI for TMSI shows a location update scenario.
  • the first two messages show the channel setup phase, in which the MS sends a message to the BTS on the RACH, namely a "CHANnel REQuest" message.
  • the Random Access Channel or RACH is a channel of the Um interface that is used by an MS to request a channel on which to send or receive traffic or signalling information.
  • This "CHANnel REQuest" message comprises the reason for the request, in this case a location registration and a reference number, which the network uses in its "IMMediate Assignment CoMmanD", so that the MS can see this assignment is meant for it.
  • the subsequent message from the telecommunication network comprises an immediate assignment command which assigns a Standalone Dedicated Control Channel or SDCCH channel to the MS by giving it the Absolute Radio Frequency Channel Number or ARFCN and time-slot of the reserved channel.
  • a channel setup happens at a Radio Resource management or RR sublayer of the Um interface between the MS and the BTS.
  • the MS then tunes to the SDCCH channel and transmits a subsequent message comprising a request.
  • the request on this channel is seen by the BTS as the acknowledgment of the immediate assignment.
  • the request in this case is a "LOCation UPDate REQuest" message comprising the IMSI and old LAI of the MS.
  • This request is a Mobility Management or MM sublayer type of request of the Um interface.
  • the sequence of an incoming and subsequent outgoing messages from the MS is referenced as Type III and involves a corresponding time period referenced as TP3. It is acknowledged by the telecommunication network by a subsequent message through a layer 2 Um acknowledge frame, which completes the MM sublayer handshake.
  • an authentication phase is started, initiated by the network, more particularly the MSC.
  • the Authentication phase is also an MM sublayer set of messages.
  • An incoming Authentication Request message comprising RAND and CKSN is received by the MS and subsequently, as explained in more detail with reference to Figure 3 above, an outgoing message comprising the Authentication Response SRES is sent by the MS thereby providing a Type I set of messages, which involves a corresponding time period TP1 and which, as explained in more detail above with reference to Figure 3, is an embodiment of a particular first set of messages which in general comprise at least one message generated by the ME after making use of a UICC.
  • the telecommunication network requests specific identifiers for identification of the MS.
  • the incoming "IDENTity REQuest" message for the MS asks for specific identifiers, in this case the IMEI.
  • the MS provides a response in a subsequent outgoing message IDENT_RSP(IMEI).
  • As shown, these two latter messages form a set of messages referenced as Type II and involve a corresponding time period TP2.
  • the telecommunication network assigns a new TMSI to the MS with the incoming "TMSI REALlocation CoMmanD" message for the MS.
  • Type II set of messages and the involved time period TP2 qualify as an embodiment of a second set of messages, which is clearly distinct from the first set of messages mentioned above.
  • This second set of messages involves a request to and response by the ME concerning its IMEI, which is an identifier that is provided by the ME itself without making use of a UICC.
  • such a second set of messages which comprises at least one message generated by the ME without making use of a UICC, and the time period involved, such as for example TP2, allows for an assessment of the responsiveness of the ME itself, as for these messages it is clear that there is no involvement of a UICC and therefore no additional delay can be present that is related to the additional propagation delay of a data network when the ME would potentially access a UICC remotely.
  • a time period involved in such a second set of messages provides an alternative way of determining the time period reference range for the first set of messages.
  • the time period reference range could for example be determined as a range between 25% and 400% of TP2.
  • Type IV messages could classify as an embodiment of such a second set of messages, as the Type IV messages are handled by the ME without involving the use of a UICC.
  • the type III and IV messages could either qualify as a first set, when for example the remotely accessed UICC is involved, or as a second set, when for example these messages are processed by the VSIM locally, thereby bypassing a remotely accessed physical UICC or PSIM. Based on for example statistical analysis of the related time periods for identified MS of which the configuration has been asserted, such sets of messages could for example be automatically classified as a first set or second set of messages.
  • the reference time period range could for example be determined as a function of a time period, such as for example TP6, involving an overall transaction of messages, or at least a predetermined part of this transaction involving both at least one first set and at least one second set of messages, such as for example TP7.
  • the time period reference range could then for example be determined as a time period range below 10% of TP6, or a range between 1% and 5% of TP7.
  • the round-trip delay time or RTD or round-trip time RTT is generally used as the time period required for an outgoing message to be transmitted plus the time period required for a subsequent incoming message to be received.
  • This round-trip delay time thus comprises the propagation times associated with the interfaces between the respective elements of the telecommunication network along which these messages are exchanged as well as any potential processing delays introduced by the elements of the telecommunication network processing these messages during such an exchange.
  • the monitoring and selection of said messages between the ME and the telecommunication network for use in the method for detecting remote access of a UICC by a mobile equipment can preferably be performed at the level of an interface that also allows the differences in the time period involved in such a first set of messages to be determined reliably, as caused by the additional round-trip delay time period of the data network in between the ME and the telecommunication network when an ME makes use of remote access of a UICC or not.
  • the monitoring and selection of these messages could be performed by a suitable monitoring device at the level of one or more of these interfaces: the Um interface, the Abis interface, the A interface.
  • the method described above allows for the detection of all remotely accessed UICC. This means both remotely accessed UICC that are used in for example test systems, as well as remotely accessed UICC for illegitimate use.
  • the telecommunication network operator could for example provide or maintain a whitelist of all UICC which are in use in such test systems or have been provided for legitimate remote access. It is clear that alternative mechanisms for discrimination between legitimate and illegitimate remote access of a UICC are available, once detected, such as for example based on the geographical location, call behavior patterns, call history, etc.
  • the equipment used by such bypass operations such as for example SIM BOXes and/or SIM MUXes and how they have been configured to operate in a way diverging from a reference which is indicative for patterns, frequencies, etc. of real subscribers not making use of remote access to a UICC.
  • the location registration operations and location update operations, and the use of the IMSI and/or of the old TMSI and/or new TMSI is determined by the configuration of the specific equipment, such as the SIM BOX, SIM MUX etc. as operated by a bypass operator when making use of remote access to UICCs.
  • detection of remote access of a UICC by a mobile equipment in a telecommunication network can thus be performed by monitoring a plurality of messages between mobile equipment and the telecommunication network, selecting a plurality of said messages generated by at least one mobile equipment during a plurality of location registration operations and/or location update operations, and detecting remote access of a UICC by the mobile equipment if the frequency or pattern of said messages of such location registration operation and/or location update operation differs from such a reference as identified above.
  • remote access of a UICC by the mobile equipment could for example be detected if the frequency or pattern of the usage of said Temporary Mobile Subscriber Identity or TMSI, and/or said International Mobile Subscriber Identity or IMSI during said location registration operations and/or location update operations differs from such a reference.
  • Typical patterns for equipment such as SIM MUX and/or SIM BOX operated by bypass operators, which differ from a reference pattern of MS which do not make use of remote access to a UICC, and which thus allow detection of remote access of a UICC by the MS, are for example one or more of the following: the International Mobile Subscriber Identity or IMSI is always used during the location registration operations and/or location update operations; the Temporary Mobile Subscriber Identity or TMSI is reused during new location registration operations and/or location update operations; the Temporary Mobile Subscriber Identity or TMSI is reused during location registration operations and/or location update operations for different International Mobile Subscriber Identities or IMSIs; etc.
  • detectable patterns are possible, such as for example a pattern is indicative of storage of the Temporary Mobile Subscriber Identity or TMSI at a location remote from a physical UICC; a pattern is indicative of reuse of information, stored at a remote location from a physical UICC, for a plurality of different physical UICC accessed by the mobile equipment, etc.
  • the detectable pattern could for example be a pattern exhibited by allocation of the same TMSI to a new IMSI which performs a location registration operation immediately after a previous IMSI was disconnected, or detached from this TMSI, etc.
  • This pattern could for example also result in a high correlation between a particular TMSI and the IMSI of remotely accessed UICC as for example provided by a SIM MUX. This is particularly the case, when the TMSI allocation algorithm in use in the telecommunication network immediately provides a previously released or detached TMSI to a new IMSI performing a location registration operation.
  • the abovementioned reference could be a static reference value, means, average, range, sequence, timing, delay, etc. representative of patterns, frequencies, etc. correlating to messages or sets or sequences of messages, etc.
  • the reference could be adapted in function of the type of MS, network, etc. involved. According to an exemplary embodiment the reference could be established in function of one or more International Mobile Equipment Identifiers or IMEI, which uniquely identify a mobile equipment; one or more Type Allocation Codes or TAC, which identify a particular model of a mobile equipment; an average or mean for said messages in said telecommunication network; or any other suitable patterns or frequencies associated with one or more known Mobile Equipments and/or subscribers.
  • the location update operations and/or location registration operations can be handled at least partly by the VSIM at the MS without access to the remotely accessible PSIM in the SIM MUX.
  • the implemented mode of operation of the SIM MUX and such MS making use of remote access of a UICC could thus also lead to detectable patterns, for example in the frequencies, time periods, etc. of the messages exchanged between the MS and the telecommunication network.
  • this description supports a method for detecting remote access of a UICC by a mobile equipment in a telecommunication network.
  • a plurality of messages between mobile equipment and the telecommunication network monitoring a plurality of these messages generated by at least one mobile equipment involving a UICC is selected.
  • This reference relating to a pattern in these messages representative for one or more MS which does not make use of remote access of a UICC.
  • top, bottom, over, under, and the like are introduced for descriptive purposes and not necessarily to denote relative positions. It is to be understood that the terms so used are interchangeable under appropriate circumstances and embodiments of the invention are capable of operating according to the present invention in other sequences, or in orientations different from the one(s) described or illustrated above.
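
The timing check and two of the TMSI/IMSI patterns from the list above, run over a constructed signalling trace. This is an added example, not code from the patent or its applicant; the trace format, message labels, function names, the choice to flag TP1 values outside the range, and the `min_ops` threshold are assumptions, while the 25% to 400% of TP2 range and the 1 ms to 100 ms range are the ones given in the text.

```python
from collections import defaultdict

# Constructed trace (not real traffic), as a probe on the Um, Abis or A interface
# might log it: (time in ms, connection id, direction seen from the MS, message, identity).
TRACE = [
    # Connection 1: handset with a local UICC registers with its IMSI.
    (0, 1, "out", "LOC_UPD_REQ", "IMSI:001010000000001"),
    (200, 1, "in", "AUTH_REQ", None),
    (260, 1, "out", "AUTH_RSP", None),                       # TP1 = 60 ms
    (400, 1, "in", "IDENT_REQ", None),
    (450, 1, "out", "IDENT_RSP", "IMEI:000000000000011"),    # TP2 = 50 ms
    (600, 1, "in", "TMSI_REALLOC_CMD", "TMSI:0A0A0A01"),
    # Connection 2: the same handset later does a location update with its TMSI.
    (9000, 2, "out", "LOC_UPD_REQ", "TMSI:0A0A0A01"),
    (9200, 2, "in", "AUTH_REQ", None),
    (9255, 2, "out", "AUTH_RSP", None),                      # TP1 = 55 ms
    (9400, 2, "in", "IDENT_REQ", None),
    (9450, 2, "out", "IDENT_RSP", "IMEI:000000000000011"),   # TP2 = 50 ms
    (9600, 2, "in", "TMSI_REALLOC_CMD", "TMSI:0A0A0A02"),
    # Connections 3 and 4: one gateway channel, UICC reached over a data network.
    (20000, 3, "out", "LOC_UPD_REQ", "IMSI:001010000000101"),
    (20200, 3, "in", "AUTH_REQ", None),
    (20650, 3, "out", "AUTH_RSP", None),                     # TP1 = 450 ms
    (20800, 3, "in", "IDENT_REQ", None),
    (20850, 3, "out", "IDENT_RSP", "IMEI:000000000000022"),  # TP2 = 50 ms
    (21000, 3, "in", "TMSI_REALLOC_CMD", "TMSI:0B0B0B01"),
    (30000, 4, "out", "LOC_UPD_REQ", "IMSI:001010000000102"),
    (30200, 4, "in", "AUTH_REQ", None),
    (30680, 4, "out", "AUTH_RSP", None),                     # TP1 = 480 ms
    (30800, 4, "in", "IDENT_REQ", None),
    (30840, 4, "out", "IDENT_RSP", "IMEI:000000000000022"),  # TP2 = 40 ms
    (31000, 4, "in", "TMSI_REALLOC_CMD", "TMSI:0B0B0B01"),   # same TMSI, new IMSI
    # Connection 5: no identity request seen, so no TP2 is available.
    (40000, 5, "out", "LOC_UPD_REQ", "IMSI:001010000000103"),
    (40200, 5, "in", "AUTH_REQ", None),
    (40500, 5, "out", "AUTH_RSP", None),                     # TP1 = 300 ms
]

# Outgoing response -> (incoming request it answers, time period it closes).
RESPONSE = {"AUTH_RSP": ("AUTH_REQ", "TP1"), "IDENT_RSP": ("IDENT_REQ", "TP2")}
REQUESTS = {req for req, _ in RESPONSE.values()}

def time_periods(trace):
    """Pair each incoming request with the MS's next outgoing response, per connection."""
    pending, periods = {}, defaultdict(dict)
    for t, conn, direction, msg, _ in sorted(trace, key=lambda e: e[0]):
        if direction == "in" and msg in REQUESTS:
            pending[(conn, msg)] = t
        elif direction == "out" and msg in RESPONSE:
            request, label = RESPONSE[msg]
            if (conn, request) in pending:
                periods[conn][label] = t - pending.pop((conn, request))
    return dict(periods)

def timing_verdicts(periods, low=0.25, high=4.0, static_range_ms=(1, 100)):
    """True where TP1 lies outside the reference range (remote access suspected)."""
    verdicts = {}
    for conn, p in periods.items():
        if "TP1" not in p:
            continue  # no first set of messages observed on this connection
        # Range derived from this ME's own TP2 when available, else the static range.
        lo, hi = (low * p["TP2"], high * p["TP2"]) if "TP2" in p else static_range_ms
        verdicts[conn] = not (lo <= p["TP1"] <= hi)
    return verdicts

def tmsi_reuse(trace):
    """TMSIs the network allocated to more than one IMSI, with those IMSIs."""
    imsi_on_conn, imsis = {}, defaultdict(set)
    for _, conn, _, msg, ident in sorted(trace, key=lambda e: e[0]):
        if msg == "LOC_UPD_REQ" and ident.startswith("IMSI:"):
            imsi_on_conn[conn] = ident[5:]
        elif msg == "TMSI_REALLOC_CMD" and conn in imsi_on_conn:
            imsis[ident[5:]].add(imsi_on_conn[conn])
    return {tmsi: sorted(s) for tmsi, s in imsis.items() if len(s) > 1}

def imsi_only_equipment(trace, min_ops=2):
    """IMEIs that used the IMSI, never a TMSI, in every observed registration or update."""
    imei_on_conn, used_imsi = {}, {}
    for _, conn, _, msg, ident in trace:
        if msg == "IDENT_RSP":
            imei_on_conn[conn] = ident[5:]
        elif msg == "LOC_UPD_REQ":
            used_imsi[conn] = ident.startswith("IMSI:")
    per_imei = defaultdict(list)
    for conn, flag in used_imsi.items():
        if conn in imei_on_conn:
            per_imei[imei_on_conn[conn]].append(flag)
    return sorted(i for i, f in per_imei.items() if len(f) >= min_ops and all(f))

if __name__ == "__main__":
    print(timing_verdicts(time_periods(TRACE)))
    print(tmsi_reuse(TRACE))
    print(imsi_only_equipment(TRACE))
```

A hit from any of the three checks only marks a connection or equipment as a candidate; the whitelist of UICC provided for test systems or other legitimate remote access still has to be applied afterwards.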

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

According to the invention there is provided a method for detecting remote access of a UICC by a mobile equipment in a telecommunication network.

Description

METHOD FOR DETECTING REMOTE ACCESS OF A UNIVERSAL INTEGRATED CIRCUIT CARD (UICC)
Technical Field
[01] The present invention generally relates to a method for detecting a mobile equipment making use of remote access of a UICC. For example, a method for detecting a GSM mobile phone making use of remote access to a SIM card.
Background
[02] A Universal Integrated Circuit Card or UICC is a smart card used for subscriber authentication in telecommunication networks. It is for example used in mobile stations of mobile telecommunication networks, such as for example Public Land Mobile Networks or PLMN, most satellite telephone networks, etc.
[03] Known examples of PLMNs which require use of a UICC for subscriber authentication are for example:
- 2G or second generation mobile telephone networks, such as for example GSM or Global System for Mobile Communications or Groupe Special Mobile networks, a standard developed by the European Telecommunications Standards Institute or ETSI, etc;
- 3G or third-generation mobile telecommunication networks such as for example UMTS or Universal Mobile Telecommunications System networks or other standards developed by the 3rd Generation Partnership Project or 3GPP, etc;
- 4G or fourth-generation mobile telecommunication networks such as for example LTE Advanced or Long Term Evolution Advanced, or the IEEE 802.16m or WirelessMAN-Advanced, etc;
- 5G or fifth-generation mobile networks or fifth-generation wireless systems as defined by the NGMN Alliance or Next Generation Mobile Networks Alliance;
- etc.
[04] Although the official reference for the term UICC is found in ETSI TR 102 216, see for example http://www.etsi.org/deliver/etsi tr/102200 102299/102216/03.00.00 60/tr 102216v0 30000p.pdf , where it is defined as a "smart card that conforms to the specifications written and maintained by the ETSI Smart Card Platform project", and it is noted there that "UICC is neither an abbreviation nor an acronym", it is often also referred to as the acronym for Universal Integrated Circuit Card. Additionally in the context of this application when the term UICC is used, this should be interpreted as a reference to any smart card providing similar functionality in the context of a telecommunication network. This means providing for subscriber authentication of a mobile station. A typical UICC is coupled to the mobile equipment of a mobile station in order to ensure the integrity and security of subscriber data. A typical UICC is physically implemented as a smart card, usually made of PVC with embedded contacts and semiconductors, that can be inserted in a corresponding card slot of the mobile equipment. However it is clear that alternative embodiments are possible such as for example an Embedded Universal Integrated Circuit Card or eUICC which are available in a suitable package which may be soldered directly onto a circuit board.
[05] The UICC is thus a physical component such as for example a smart card, comprising electronic circuitry that provides for hardware components such as for example a CPU, ROM, RAM, EEPROM and suitable I/O circuits. Currently available UICCs typically provide a storage capacity of 32 KB to more than 128 KB; this storage capacity is expected to be subjected to future growth in order to provide for the increasing demand for more services.
[06] Currently a UICC comprises one or more applications that can be loaded when the UICC is in use by the mobile station of a subscriber. Typically the applications of the UICC communicate with the mobile equipment of the mobile station. Alternatively, however, the UICC could be coupled to a suitable server or other suitable computing system, configured to communicate with the UICC, for example by means of a suitable API, such as for example a SIM application toolkit as specified by 3GPP, ETSI, etc.
[07] Known applications of a UICC are for example:
- a SIM or Subscriber Identification Module application for subscriber identification in a GSM network;
- a USIM or Universal Subscriber Identity Module application for subscriber identification in a UMTS network;
- an ISIM or IP Multimedia Services Identity Module application for parameters for identifying and authenticating the user to the IMS or IP Multimedia Subsystem in a 3G mobile telecommunication network;
- a CSIM or CDMA Subscriber Identity Module application to support subscriber authentication in a CDMA2000 type 3G mobile telecommunication network;
- etc.
It is clear that the UICC may comprise one or more such suitable applications in order to provide subscriber authentication functionality to a mobile station for any number of desired services in any number of desired types of telecommunication networks. For example a UICC may comprise both a SIM application and a USIM application in order to provide user authentication in both GSM and UMTS networks. In addition to the above mentioned applications the UICC typically also provides for secure storage of network-specific information used to authenticate and identify subscribers such as for example an integrated circuit card identifier or ICCID, an International Mobile Subscriber Identity or IMSI, an Authentication key or Ki, etc. The UICC often also provides for carrier-specific data such as the SMSC or Short Message Service Center number, Service Provider Name or SPN, etc. Most known UICC also provide for storage of a number of SMS messages, phone book contacts and other applications.
[08] Historically, in 2G networks, the UICC smart card and SIM application were bound together. In this context a UICC was often referred to as a "SIM card", thereby referring to any physical card comprising a SIM application. In general, especially in the context of third and subsequent generation mobile telecommunication networks, it is preferable to use the UICC terminology for referring to the physical component which comprises one or more applications such as for example a SIM, USIM, ISIM, CSIM, etc. application. It is thus clear that the term UICC as used in the context of this application also refers to physical cards which are generally referred to as a "SIM card".
[09] Typically a usual subscriber to a PLMN, such as a GSM network, makes use of a mobile station with a mobile phone as mobile equipment comprising a suitable card slot. In this card slot there is then inserted a physical UICC smart card. The mobile phone with inserted UICC smart card thereby forms a mobile station comprising a mobile equipment in the form of a mobile phone and a Subscriber Identity Module application or other suitable application for identifying and authenticating subscribers as provided by the UICC. The card slot and the corresponding electrical contacts on the UICC smart card thus form an interface between the mobile equipment and the UICC which provides for a direct connection. During a sign-on operation to the telecommunication network there is at least one authentication phase in which the mobile equipment needs to exchange data with the physical UICC smart card in response to an authentication request from the telecommunication network. An embodiment of such prior art communication between a mobile phone and a physical UICC in the form of a physical "SIM card" or PSIM is for example explained in more detail in EP1566069, more particularly with reference to Figure 2.
[10] However there are also known alternative mobile stations in which the mobile equipment, which for example also comprises a suitable UICC interface, such as a card slot for a physical UICC, is not directly connected to a physical UICC by means of this UICC interface. Instead, the UICC interface of the mobile equipment is connected remotely to the physical UICC or physical "SIM card" or PSIM. This means that in between the UICC interface of the mobile equipment and the physical UICC there is at least a data communication network, such as for example a suitable local area network or LAN and/or a suitable wide area network, such as for example a suitable Internet Protocol based network as the internet. Along this data communication network, for example during the authentication phase of a sign-on operation to a telecommunication network, data is exchanged between the mobile equipment and the remotely connected physical UICC. An embodiment of such a mobile station in which the mobile equipment makes use of a remote physical UICC is for example explained in more detail in EP1566069, more particularly with reference to Figure 3. This allows for additional flexibility in allowing one or more mobile equipment of a mobile station, such as for example an automated probe of a test platform for testing mobile communication networks, to selectively remotely connect to a plurality of physical UICC for efficiently performing tests on the telecommunication network. According to an exemplary embodiment, the plurality of mobile equipment might for example be implemented as a test unit comprising a mobile gateway, such as for example a GSM gateway, with for example 30 mobile stations which can be automatically controlled by means of a suitable control system for performing tests on the telecommunication network. These mobile stations could then each be connected by means of a suitable data network, such as the internet, to selectively remotely connect to a plurality of physical UICC. This plurality of physical UICC could for example be several hundred or over a thousand physical UICC which are arranged in a SIM card multiplexer or SIM MUX or SIM server for selective remote connection to a mobile station of a test unit. One known SIM MUX is for example the "SIM Rack 256" marketed by iQsim, see for example www.iqsim.com/sim racks.htm , and which allows to manage up to 256 physical UICC in the form of SIM cards. Additionally a further known SIM MUX or SIM server is known as the IRON SIM Server One currently marketed by iQsim, see for example www.iqsim.com/iron_sim_server_one.htm , which is a SIM server which allocates remotely the most appropriate "SIM cards" to GSM Gateways based on usage, time and price plans criteria. The SIM Server One has an embedded capability to store up to 256 "SIM cards" and an additional capacity by adding external "SIM Rack 256" systems of up to 2496 "SIM cards". As a further refinement, in order to reduce the amount of data exchanged between the mobile equipment and the remote physical UICC, in between the UICC interface of the mobile equipment and the remote physical UICC, there could be provided an application referred to as a virtual UICC or virtual "SIM card" or VSIM. This VSIM functionality, such as for example explained in more detail in EP1566069, more particularly with reference to Figure 3, could for example be implemented in a SIM simulation computer and is often connected to the mobile equipment directly or with a data communication network that has a shorter roundtrip time than the data communication network between the mobile equipment and the PSIM. The UICC interface of the mobile equipment could for example be connected to the VSIM functionality by means of a suitable adapter cable, or by means of a Local Area Network, while the signal path between the mobile equipment and the PSIM involves at least a Wide Area Network such as the internet. A further known manufacturer of such UICC virtualization technologies and SIM Servers, enabling "SIM cards" to be stored and managed centrally and remotely utilized is implementa, see for example www.implementa.com.
[11] Such remote access of a physical UICC has legitimate use, such as for example in test systems for mobile telecommunication networks as for example known from EP1566069 or EP1554903. This allows for example to arrange a plurality of test probes at different test sites at different geographical locations within the telecommunication network under test. These test probes could for example be implemented as a test unit or mobile gateway, which comprises for example a set of 30 mobile stations, each comprising a mobile equipment with a suitable UICC interface. The UICC interfaces of the mobile equipments of these test probes could then be remotely connected along at least a suitable data communication network, such as for example a suitable internet connection, to a central authentication site which comprises a SIM multiplexer in which for example a high number of physical UICC can be centrally arranged and maintained, for example several hundreds of physical UICC, for selective use by the test probes. As already explained above, for example, locally at each test site, there could additionally be arranged a SIM simulation or emulation computer or server, providing for virtual UICC functionality in order to reduce the amount of data exchange between the remotely arranged physical UICC and the mobile equipment.
[12] Systems similar to those described above have also been put to illegitimate use, such as for example in the context of fraud schemes in mobile telecommunication networks, such as for example a fraud scheme involving a bypass of an interconnect of a telecommunication network. In order to avoid detection by means of suspicious call patterns, such as for example an abnormally high rate or number of outgoing calls for a single subscription, such bypass operators make use of such equipment, this means a mobile gateway or SIM BOX and/or a SIM multiplexer or SIM MUX, in order to efficiently use hundreds of different UICC in order to distribute their illegitimate traffic amongst this high number of different related subscriptions in an attempt to reduce the risk of detection. Typically such systems for remote access to a plurality of physical UICC are only put to use in test systems or in such fraud systems involving a bypass of an interconnect of a telecommunication network. The latter systems typically make use of remote access to a far higher number of physical UICC than the former. In such fraud systems involving a bypass of an interconnect of a telecommunication network, similar as explained above, SIM BOXes and/or SIM MUXes are used in order to avoid detection by means of suspicious call patterns. For example, in order to avoid detection by making a large number of calls correlated to a single fixed geographic location, such fraudulent bypass operators make use of a plurality of SIM BOXes spread amongst a plurality of different geographic locations. This plurality of SIM BOXes at different locations is coupled to a SIM MUX, which allows the remote use of any of its physical UICCs to be spread amongst these different SIM BOXes and thus amongst the different geographic locations.
The calling behaviour associated with each of the UICCs in this way will show calls being spread amongst a plurality of locations, thereby more closely aligning with normal behaviour of real human subscribers and thereby reducing the risk of detection. According to another example, in order to avoid detection by making an unusually high number of calls per day with a particular UICC, typically the SIM MUXes operated by bypass operators provide for a very high number of UICCs, for example 100 or 1000, while only supporting a limited number of channels for concurrent calls, for example 10 or 50. These SIM MUXes spread the use of the high number of UICCs amongst the more limited number of channels for establishing calls, thereby reducing the number of daily calls for each of the individual UICCs to a level of for example less than 10 calls per day which aligns better with call patterns of real subscribers and thereby reduces the risk for detection.
[13] There are available fraud detection systems that, based on statistical analysis of collected call data, try to identify call patterns correlated to subscriptions in use in such fraud schemes. However before detection and subsequent corrective actions are possible, there must be generated sufficient data in order to provide for a reliable statistical analysis, which means that even when the related subscriptions are detected, they have been in active use for a particular time period leading to a corresponding level of gain from the fraud scheme. Further there are also known test call based systems, such as for example the bypass detection system known from WO2012/104283 which make use of test call data in order to more quickly and efficiently identify subscriptions being used by bypass operators. However, when the number of subscriptions being used by the bypass operators by means of the equipment described above increases to several hundreds or even thousands, this decreases the share of the total amount of these subscriptions that is detected during the execution of the test calls, and it becomes increasingly difficult to detect all of the subscriptions. It is clear that even at a higher efficiency and rate of detection than with systems based on statistical analysis, when the number of subscriptions used by the bypass operators is increased, this will result in the time frame needed for their detection by means of a test call based system also being increased, as such a test call based system has a practical maximum limit to the rate of test calls that can be generated and to the correlated rate of detection of subscriptions of bypass operations by these test calls.
[14] Therefore there still exists a need to more efficiently detect remote access of UICC by mobile equipment in a telecommunication network, so that this shortens the potential operational use of a remotely accessed UICC and preferably even allows for detection during sign-on to the telecommunication network, thereby allowing reliable detection of use of remote access of UICC by mobile equipment even with previously unused UICC or a large set of different remotely accessible UICCs.
Summary
[15] According to a first aspect of the invention, there is provided a method for detecting remote access of a UICC by a mobile equipment in a telecommunication network, comprising the steps of:
- monitoring a plurality of messages between mobile equipment and the telecommunication network;
- selecting a plurality of said messages generated by said at least one mobile equipment involving a UICC;
- detecting remote access of a UICC by the mobile equipment if said selected messages differ from a reference.
[16] In this way remote access of UICC can be detected automatically and efficiently.
[17] According to an embodiment the method comprises the steps of:
- monitoring said plurality of messages between mobile equipment and the telecommunication network;
- selecting said plurality of said messages generated by said at least one mobile equipment during a plurality of location registration operations and/or location update operations;
- detecting remote access of a UICC by the mobile equipment if the frequency or pattern of said messages of such location registration operation and/or location update operation differs from said reference.
[18] When the reference is set to for example a range for the frequency of location registration operations and/or location update operations of real subscribers, remote access of a UICC by bypass operators can be detected as the frequency of location registration operations and/or location update operations will be much higher, as each time the mobile equipment is coupled to another remote UICC this will involve such location registration operations and/or location update operations. It is clear that this will also result in a pattern for these location registration operations and/or location update operations which diverges from a reference pattern determined for real subscribers. For example the number of calls per location registration operations and/or location update operations for remotely accessed UICCs of a bypass operator will typically be lower than the range which applies to real human subscribers, the time difference between the call start and end of calls and location registration operations and/or location update operations will typically be shorter for remotely accessed UICCs of a bypass operator than the range which applies to real human subscribers, etc.
[19] According to a further embodiment the method comprises the step of:
- detecting remote access of a UICC by the mobile equipment if the frequency or pattern of the usage of said Temporary Mobile Subscriber Identity or TMSI, and/or said International Mobile Subscriber Identity or IMSI during said location registration operations and/or location update operations differs from said reference.
[20] Because of the high frequency of location registration operations and/or location update operations when bypass operators make use of remotely accessed UICCs, as compared to a reference frequency or frequency range associated with real human subscribers that don't make use of remote UICCs, and as a consequence of the use of mobile equipment by the bypass operator such as SIM BOXes and SIM MUXes which diverge from general purpose mobile equipment such as for example a mobile phone, differences resulting from the mode of operation of such specific equipment and/or attempts to optimize the more frequent location registration operations and/or location update operations in this way allow for detection of remote access of UICC by the mobile equipment. As a reference for example the mobile equipment of a real human subscriber without remote access of a UICC will keep the frequency of usage of the IMSI during such location registration operations and/or location update operations as low as possible by making use of the TMSI as much as possible in order to guarantee security and privacy. This thus allows to set a reference for the frequency of usage of the IMSI, or a reference for the share of usage of the IMSI with respect to the TMSI during such location registration operations and/or location update operations by real human subscribers without remote access of a UICC. As the equipment such as the SIM BOXes and/or SIM MUXes of the bypass operator which enable remote access to the UICC for the mobile equipment might exhibit diverging behaviour, for example as there is more a desire to optimize the timing of these more frequent location registration operations and/or location update operations than there is to guarantee security or privacy, the frequency of usage of the IMSI for such remotely accessed UICC could be higher than the reference frequency.
Alternatively a detection of a remotely accessed UICC could also be based on a higher share of usage of the IMSI with respect to the TMSI during location registration operations and/or location update operations than the reference share, for example in order to reduce the delay introduced by such location registration operations and/or location update operations.
[21] According to a further embodiment the method comprises the step of:
- detecting remote access of a UICC by the mobile equipment if:
- said International Mobile Subscriber Identity or IMSI is always used during said location registration operations and/or location update operations;
- said Temporary Mobile Subscriber Identity or TMSI is reused during new location registration operations and/or location update operations;
- a Temporary Mobile Subscriber Identity or TMSI is reused during location registration operations and/or location update operations for different International Mobile Subscriber Identities or IMSIs;
- a pattern is detected indicative of storage of the Temporary Mobile Subscriber Identity or TMSI at a location remote from a physical UICC;
- a pattern is detected indicative of reuse of information, stored at a remote location from a physical UICC, for a plurality of different physical UICC accessed by the mobile equipment.
[22] In this way specific diverging frequencies or patterns related to the usage of IMSI and/or TMSI during location registration operations and/or location update operations by the equipment used by bypass operators in order to make use of remotely accessed UICC can lead to a detection.
[23] According to a further embodiment the method comprises the step of establishing said reference in function of:
- one or more International Mobile Equipment Identifiers or IMEI, which uniquely identify a mobile equipment;
- one or more Type Allocation Codes or TAC, which identify a particular model of a mobile equipment;
- an average or mean for said messages in said telecommunication network;
- patterns or frequencies associated with one or more known Mobile Equipments and/or subscribers.
[24] In this way a more refined reference can be determined which allows to determine a specific reference value or range for a particular type of mobile equipment, network, etc.
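The checks of paragraphs [17] to [24] can be expressed as detection logic over monitored location registration and location update operations. The following Python sketch is an added example, not part of the patent text: the record layout, the reason labels, the reference values and all identifiers in the sample are constructed, and it assumes the monitoring point can see both the identity sent by the equipment and the IMSI the network finally resolved.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class LocationOp:
    """One monitored location registration or location update operation."""
    ts: float            # seconds since the start of the observation window
    imei: str            # mobile equipment that issued the request
    identity_type: str   # "IMSI" or "TMSI": identity the ME put in the request
    identity: str        # the IMSI or TMSI value as sent
    imsi: str            # subscriber the network ended up identifying (assumed visible)

@dataclass(frozen=True)
class Reference:
    max_ops_per_hour: float   # upper bound of the reference frequency range
    max_imsi_share: float     # upper bound of the share of operations using the IMSI
    min_ops: int = 4          # do not judge the IMSI share on fewer operations

def reference_for(imei, default_ref, refs_by_tac):
    """Pick a model-specific reference; the TAC is the first 8 digits of the IMEI."""
    return refs_by_tac.get(imei[:8], default_ref)

def detect_remote_uicc(ops, window_hours, default_ref, refs_by_tac=None):
    """Return {imei: set of reasons} for equipment that differs from its reference."""
    refs_by_tac = refs_by_tac or {}
    per_me = defaultdict(list)
    for op in ops:
        per_me[op.imei].append(op)

    findings = {}
    for imei, me_ops in per_me.items():
        ref = reference_for(imei, default_ref, refs_by_tac)
        reasons = set()

        # [17]/[18]: frequency of location registration/update operations.
        if len(me_ops) / window_hours > ref.max_ops_per_hour:
            reasons.add("update_frequency")

        # [20]/[21]: share of operations that expose the IMSI instead of a TMSI.
        imsi_ops = sum(1 for op in me_ops if op.identity_type == "IMSI")
        if len(me_ops) >= ref.min_ops and imsi_ops / len(me_ops) > ref.max_imsi_share:
            reasons.add("imsi_share")

        # [21]: one TMSI presented for different IMSIs by the same equipment.
        imsis_per_tmsi = defaultdict(set)
        for op in me_ops:
            if op.identity_type == "TMSI":
                imsis_per_tmsi[op.identity].add(op.imsi)
        if any(len(imsis) > 1 for imsis in imsis_per_tmsi.values()):
            reasons.add("tmsi_reused_across_imsis")

        if reasons:
            findings[imei] = reasons
    return findings

# --- Constructed sample data (no real identifiers; TMSI values are placeholders) ---
HANDSET, GATEWAY, VSIM_BOX, TRACKER = (
    "350000000000011", "860000000000027", "860000000000035", "490000000000043")
H = 3600.0

def build_sample_ops():
    # Ordinary handset: one IMSI attach, then TMSI-based updates over a day.
    ops = [LocationOp(0 * H, HANDSET, "IMSI", "001010000000001", "001010000000001")]
    ops += [LocationOp(t * H, HANDSET, "TMSI", f"T-{t:02d}", "001010000000001")
            for t in (6, 12, 20)]
    # Gateway: a different remote card every hour, always announced by IMSI.
    for t in range(24):
        imsi = f"00101000000{1000 + t}"
        ops.append(LocationOp(t * H, GATEWAY, "IMSI", imsi, imsi))
    # Equipment that presents one cached TMSI for two different cards.
    ops += [LocationOp(1 * H, VSIM_BOX, "IMSI", "001010000002001", "001010000002001"),
            LocationOp(5 * H, VSIM_BOX, "TMSI", "T-CACHED", "001010000002001"),
            LocationOp(9 * H, VSIM_BOX, "TMSI", "T-CACHED", "001010000002002")]
    # Model that legitimately re-registers often; it gets its own TAC reference.
    ops.append(LocationOp(0.0, TRACKER, "IMSI", "001010000003001", "001010000003001"))
    ops += [LocationOp(t * 1.5 * H, TRACKER, "TMSI", f"K-{t:02d}", "001010000003001")
            for t in range(1, 16)]
    return ops

DEFAULT_REF = Reference(max_ops_per_hour=0.5, max_imsi_share=0.5)
REFS_BY_TAC = {"49000000": Reference(max_ops_per_hour=1.0, max_imsi_share=0.5)}

def run_sample():
    return detect_remote_uicc(build_sample_ops(), 24.0, DEFAULT_REF, REFS_BY_TAC)

if __name__ == "__main__":
    for imei, reasons in sorted(run_sample().items()):
        print(imei, sorted(reasons))
```

With only the network-wide default reference the frequently re-registering model is flagged as well; the per-TAC reference of paragraph [23] removes that false positive.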
[25] According to a further aspect of the invention there is provided a method for detecting remote access of a UICC by a mobile equipment in a telecommunication network, comprising the steps of:
- monitoring a plurality of messages between at least one mobile equipment and the telecommunication network;
- selecting a first set of said messages, comprising at least one message generated by the mobile equipment after making use of a UICC;
- establishing a time period reference range for said first set of said messages;
- detecting remote access of a UICC by the mobile equipment if the corresponding first set of said messages involves a corresponding time period outside of said time period reference range.
[26] In this way detection of remote access of a UlCC by the mobile equipment is possible in a more efficient and reliable way by comparing the time period corresponding to the first set of messages with the time period reference range. The comparison of these time periods is possible without the need of prior assembly of sufficient call data for statistical analysis and without the need for prior execution of test calls. Detection of remote access of a UICC is possible based on time periods related to a particular set of messages received from and/or transmitted to the telecommunication network by the mobile equipment making use of the remote access of a UICC. It is clear that this improves the efficiency of detection, as in this way all subscriptions involved in the use of remote access to a UICC are immediately detected as soon as they are put to use, even the first time they are put to use. It is clear that this more efficient detection can be used to shorten the average operational life time of subscriptions related to remotely accessed UICC being put to use in fraud schemes such as a bypass of an interconnect of a telecommunication network, even when an increased number of UICC are involved as the detection is only dependent on the messages received from and/or transmitted to the telecommunication network by the mobile equipment making use of a remotely accessed UICC, and, for example, no longer subject to limits related to a minimum amount of data for allowing statistical analysis or a maximum rate for the generation of test calls.
[27] Several exemplary embodiments have been provided for by means of the dependent claims.
[28] It is further clear that, although according to a particular simple embodiment this time period reference range could be manually set to a suitable range for allowing detection, according to particular advantageous embodiments the time period reference range could be dynamically determined in function of time periods related to messages of other mobile equipments and/or to other messages of the same mobile equipment.
[29] According to these embodiments the time period reference range being used for the detection of remote access of a UICC is being determined in function of for example time periods established for further mobile equipments of which it is known that they do or do not make use of remote access, for example based on their IMEI, or for example by analysis of respectively the higher and lower maxima of the distribution of the time periods related to these messages of a plurality of these further mobile equipments.
[30] In general, according to such embodiments, the comparison of the time period of the first set of messages, which involve use of the UICC, with the time period reference range, could thus also be seen as a comparison of the time period of the first set of messages of a mobile equipment with a time period or time period range related to this first set of messages of other mobile equipments of which it is known that they do or do not make use of remote access to the UICC.
[31] According to still further embodiments of the dependent claims the time period reference range is determined in function of a time period associated with a second set of messages which do not involve the use of the UICC. This second set of messages could be messages from the same mobile equipment as the first set of messages, or alternatively based on a time period of a second set of messages from a further mobile equipment or the analysis of a plurality of time periods of a plurality of such second set of messages from a plurality of further mobile equipment. According to such embodiments, it is clear that, in general, the detection is based on the comparison of the time period of a first set of messages of a mobile equipment with the time period of a second set of messages of the same mobile equipment or one or more further mobile equipments.
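The timing comparison of paragraphs [25] to [31] is illustrated by the following Python sketch, an added example that is not part of the patent text. It assumes network-side timestamps, hypothetical message labels (AUTH_REQ/AUTH_RESP for the first set, and an IMEI identity exchange IMEI_REQ/IMEI_RESP as a second set that the mobile equipment answers without the UICC), a reference range of mean plus or minus k standard deviations over equipment known not to use remote access, and constructed sample values.

```python
import statistics
from collections import defaultdict

def periods(messages, request, response):
    """Pair each `request` with the next `response` of the same ME.

    messages: iterable of (timestamp_seconds, imei, message_type).
    Returns {imei: [elapsed seconds, ...]}.
    """
    pending, out = {}, defaultdict(list)
    for ts, imei, kind in sorted(messages):
        if kind == request:
            pending[imei] = ts
        elif kind == response and imei in pending:
            out[imei].append(ts - pending.pop(imei))
    return out

def uicc_excess(messages):
    """Per ME: median first-set period minus median second-set period."""
    first = periods(messages, "AUTH_REQ", "AUTH_RESP")    # answer needs the UICC
    second = periods(messages, "IMEI_REQ", "IMEI_RESP")   # answered by the ME alone
    return {imei: statistics.median(first[imei]) - statistics.median(second[imei])
            for imei in first if imei in second}

def reference_range(samples, k=3.0):
    """Time period reference range derived from equipment with a local UICC."""
    mean = statistics.mean(samples)
    spread = statistics.pstdev(samples)
    return max(0.0, mean - k * spread), mean + k * spread

def detect_by_timing(messages, known_local_imeis, k=3.0, use_second_set=True):
    """Return ({imei: value outside the range}, (low, high)).

    use_second_set=False compares the raw first-set period ([25], [29]);
    use_second_set=True first subtracts the same ME's second-set period ([31]),
    which removes the delay of the radio path common to both sets.
    """
    if use_second_set:
        value = uicc_excess(messages)
    else:
        value = {imei: statistics.median(p)
                 for imei, p in periods(messages, "AUTH_REQ", "AUTH_RESP").items()}
    low, high = reference_range([value[i] for i in known_local_imeis if i in value], k)
    flagged = {imei: v for imei, v in value.items()
               if imei not in known_local_imeis and not low <= v <= high}
    return flagged, (low, high)

# --- Constructed sample: (second-set period, first-set period) in seconds per ME ---
LOCALS = {"350000000000011": (0.21, 0.31), "350000000000029": (0.20, 0.32),
          "350000000000037": (0.22, 0.31), "350000000000045": (0.19, 0.30)}
NORMAL, WEAK_RADIO, SUSPECT = "350000000000052", "350000000000060", "860000000000027"
UNKNOWN = {NORMAL: (0.20, 0.30), WEAK_RADIO: (0.60, 0.71), SUSPECT: (0.21, 1.15)}

def build_messages():
    msgs = []
    for n, (imei, (second, first)) in enumerate({**LOCALS, **UNKNOWN}.items()):
        t0 = 10.0 * n
        msgs += [(t0, imei, "IMEI_REQ"), (t0 + second, imei, "IMEI_RESP"),
                 (t0 + 1.0, imei, "AUTH_REQ"), (t0 + 1.0 + first, imei, "AUTH_RESP")]
    return msgs

if __name__ == "__main__":
    flagged, ref = detect_by_timing(build_messages(), set(LOCALS))
    print("reference range:", ref, "flagged:", sorted(flagged))
```

In the sample, the equipment on a slow radio path falls outside a range built on the raw first-set period but inside the range once its own second-set period is subtracted, while the equipment whose authentication response travels over a data network stays outside in both cases.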
[32] According to still a further aspect of the invention there is provided a suitable system configured to perform the abovementioned method.
[33] According to still a further aspect of the invention there is provided a computer implemented method comprising the steps of the abovementioned method when executed by means of a suitable computing device.
Brief Description of the Drawings
[34] Figure 1 shows a schematic view of different components of an embodiment of a mobile telecommunication network in the form of a GSM network;
[35] Figure 2 schematically shows the different components of the GSM network of Figure 1 in simplified form in order to identify the different types of interfaces in between them;
[36] Figure 3 shows a schematic representation of the signalling during an IMSI attach operation or a location registration operation during a sign-on operation of the MS to the GSM network according to the embodiment of Figure 2. It concurrently shows the similar signalling during a location update operation.
[37] Figure 4 shows the signalling of the IMSI attach operation or location registration operation according to the embodiment of Figure 3 in more detail.
Detailed Description of Embodiment(s)
[38] Figure 1 shows an embodiment of a mobile telecommunication network or public land mobile network or PLMN. The embodiment of the PLMN that is shown is known as a Global System Mobile or GSM network. A PLMN manages all traffic between mobile phones and all traffic between mobile phones and the other telecommunication networks, such as for example other Public Switched Telephone Network or PSTN, an ISDN network, the Internet, etc.
[39] The first component shown is identified as a Mobile Station or MS. The MS comprises a Mobile Equipment or ME, such as for example a GSM mobile phone. Additionally, as indicated the MS further also comprises a UICC comprising a Subscriber Identity Module application or SIM. Both the ME and the UICC comprising the SIM application are needed in order to allow the MS to function in the GSM telecommunication network.
[40] The ME could for example be embodied as a suitable GSM mobile phone or any other suitable transmitter-receiver unit that is able to connect to the GSM network by means of suitable wireless radio signals. Typically such an ME comprises an International Mobile Equipment Identifier or IMEI. The IMEI is a number, comprising 15 digits which allow unique identification of a particular ME.
[41] The UICC comprising a SIM application, as already explained above with reference to a GSM network, is often provided as a smart card, or "SIM card" that can be inserted into a suitable card slot of the ME. As already explained above, according to the embodiment shown, the UICC comprises data which allows for the unique identification of a subscriber of a GSM network, such as for example an International Mobile Subscriber Identifier or IMSI and a SIM application comprising security features allowing for secure authentication of a subscriber to the GSM network.
[42] A UICC with a SIM application for example comprises one or more of the following data and/or applications:
- the IMSI, which comprises a Mobile Country Code or MCC, a Mobile Network Code or MNC and a Mobile Subscriber Identification Number or MSIN;
- a Temporary Mobile Subscriber Identity or TMSI, which is an identifier provided to the MS by the telecommunication network in order to reduce the transmission of the IMSI;
- a secret key Ki;
- a current encryption key or session key Kc;
- a Ciphering Key Sequence Number or CKSN, which is an identifier sent by the GSM network to the MS for the current session key Kc;
- encoding algorithms A3 and A8;
- a current Location Area Identity or LAI. The LAI comprises a Mobile Country Code or MCC, a Mobile Network Code or MNC and a Location Area Code or LAC. The GSM network transmits the LAI to the MS which subsequently stores it in the SIM. The LAI allows to uniquely identify a particular area within the GSM network;
- a list of preferred PLMNs;
- a list of forbidden PLMNs;
- a list of beacon frequencies of the home PLMN on which the cell towers of the provider broadcast initial connection information to the MS in its service area;
- a Personal Identification Number or PIN used to gain access to the UICC SIM application functionality;
- a Pin Unblocking Code or PUK used to reset the PIN and unlock the UICC SIM application functionality, when the wrong PIN number has been provided an unallowable number of times;
- Storage of Short Message Service or SMS, a phone book comprising telephone numbers, etc.;
[43] As shown in Figure 1, one of the MS comprises an ME with a directly connected physical UICC comprising a SIM application, such as for example a physical "SIM card" inserted in a suitable smart card slot of a GSM mobile phone, which is indicated in the drawing as "SIM". There is further also shown, as already explained in more detail above, an MS which is remotely connected to a physical UICC comprising a SIM application, indicated in Figure 1 as PSIM, as the coupling between the ME and the PSIM comprises at least a data network, such as for example a suitable IP network, such as for example the internet. According to the embodiment shown, and already explained in more detail above, the ME is connected directly to a virtual SIM application indicated as "VSIM", such as for example a SIM simulation computer, and subsequently remotely via the data network with the PSIM. As further shown, according to this embodiment, this latter MS is able to selectively connect to a plurality of PSIM provided in a SIM multiplexer referred to as "SIM MUX" via the data network.
[44] As further schematically shown in Figure 1, the GSM network further comprises a Base Station Subsystem or BSS and a Network switching subsystem NSS. Their generally known components will only be briefly described as far as useful in the context of this description. As shown, the BSS is an interface for the communication between the MSs and the NSS. The BSS comprises a plurality of Base Transceiver Stations or BTSs. These BTSs are the transceivers installed on the cell towers of the GSM network. One BTS defines a single cell of such a cellular network. A BTS is identified by its Cell Global Identification or CGI, which comprises the LAI and a Cell Identity or CI. As further shown, the GSM network comprises further a plurality of Base Station Controllers or BSCs. A BSC controls one or more BTSs such that the radio channel setup between a BTS and an MS and handover from an MS from one BTS to another BTS connected to this BSC are provided for. As shown, the BSC can according to some embodiments also comprise a Transcode Rate and Adaption Unit or TRAU to manage transcoding of the data rate of voice data.
[45] The Network Switching Subsystem or NSS controls multiple BSSs. The NSS houses all subscriber services. It authenticates the UICC through its SIM application for access to the GSM network and setting up calls. The NSS also enables to locate the MS for an incoming call and is able to route outgoing calls inside the GSM network or to other telecommunication networks.
[46] The NSS comprises, as shown, an Authentication Centre or AuC. The AuC allows to authenticate a subscriber in order to allow the SIM application of the UICC to set up an encrypted connection between the GSM network and the MS. The AuC comprises the following information for each IMSI:
- The secret key Ki, which is the same as on the UICC comprising the SIM application for this IMSI;
- The encoding algorithms A3 and A8, which are also the same as on the UICC comprising the SIM application for this IMSI.
[47] As generally known, the AuC computes a random challenge or RAND and a corresponding reply or signed response or SRES and an encryption key or Kc, using the A3 and A8 algorithms. These three values RAND, SRES and Kc are often referred to as authentication triplets. These authentication triplets are then stored in the Home Location Register or HLR, which supplies them to the Visiting Location Register or VLR, which in turn supplies them to the Mobile Switching Center or MSC in whose service area an MS performs an authentication operation, for example during a sign-on to the telecommunication network.
[48] The actual authentication operation takes place at the level of the MSC, which after sending the random challenge or RAND to the MS via the BSC and BTS, subsequently verifies the MS's response SRES, as will be explained in further detail below. If the MS's response SRES matches the SRES of the authentication triplet provided by the VLR to the MSC, then the encryption key Kc of this authentication triplet is sent from the MSC on to the BTS. This encryption key Kc then allows subsequent encrypted data communication between the ME and the BTS. The implementations for the A3 and A8 algorithms and the secret key Ki are only stored and invoked in the SIM application on the UICC and in the AuC and are only available to the provider of the GSM network.
[49] The Home Location Register or HLR comprises the subscriber's information for call control and location determination. There is only one HLR per provider per GSM network. The HLR comprises for each IMSI:
- The subscriber's MSISDN or telephone number;
- The current VLR serving the subscriber, which is used to locate the MS in the service area of this VLR;
- GSM services that the subscriber is allowed to access;
- Possible call divert settings;
- etc.
[50] Each MSC maintains one VLR which stores subscriber information for all the MEs with a UICC with a SIM application for the GSM network that are active within the MSC's service area. When a MS is successfully logged on to an allowed GSM network, the home network's HLR is queried for some subscriber information which is then stored in a record in the VLR. This happens after the VLR informs the HLR of the presence of the IMSI of the UICC of the MS in its VLR service area, also referred to as an IMSI attach procedure or location registration for example during a sign-on of the MS to the GSM network. The VLR can then be used by the MSC to route incoming calls to the correct BSS. After some period of inactivity or when a MS has travelled to a different service area, the record for an IMSI is removed from the VLR. In the latter case the removal is commanded by the HLR, and this is also referred to as a Location Update procedure or in the former case an IMSI detach procedure. For every IMSI of a UICC of a MS present in its service area of the related MSC, the VLR stores one or more of the following items:
- The subscriber's current Temporary Mobile Subscriber Identity or TMSI, which is allocated by the VLR in order to reduce exchange of the IMSI;
- The subscriber's MSISDN;
- The subscriber's current LAI, or alternatively a different VLR is maintained for every LAI;
- The subscriber's current CI. The LAI and the CI together form the Cell Global Identification or CGI and form a unique identifier for each cell in every GSM network;
- GSM services that the subscriber is allowed to access;
- The HLR address of the subscriber;
- Up to five authentication triplets, received from the AuC via the HLR;
- etc.
[51] The Mobile Switching Centre or MSC, one for each VLR, is the main component of any NSS. Every BSS can only be connected to a single MSC. All the BSSs connected to a MSC comprise the service area of this MSC and its related VLR. The MSC performs several functions:
- Managing the location, this means the current BSC and BTS for all MSs in its service area;
- Set up and release of end-to-end connection between MSs;
- Control of handovers between BSCs;
- Managing call data and sending this to the billing system;
- Collecting traffic statistics for performance monitoring;
- etc.
As further shown, there is also available a special MSC referred to as Gateway Mobile Switching Center or GMSC through which all communication between the GSM network and other telecommunication networks, such as for example other PLMNs, other PSTNs, etc., is routed.
[52] The GSM network also comprises an Equipment Identification Register or EIR. The EIR can comprise lists of IMEIs. As will be explained in further detail below, during a sign-on operation of an MS to the GSM network, the network can give the MS an identify command. In response to this identify command the MS will transmit its IMSI, which identifies the UICC comprising the SIM application, and the IMEI, which identifies the ME such as for example the physical mobile phone. The IMSI ends up at the HLR, but the IMEI can be checked against the stored identifiers in the EIR, for example to be able to blacklist stolen mobile phones by means of their IMEI and prevent access to the GSM network even when equipped with a valid UICC.
[53] Figure 2 schematically shows the different components of the GSM network of Figure 1 in simplified form in order to identify the different types of interfaces in between them. As shown, the GSM network comprises several different interfaces. The main interfaces are the interfaces that connect an MS to the other telecommunication networks, this thus means the interfaces referenced as Um, Abis, A and E. These interfaces are all split in traffic channels that comprise the speech information during a call and control channels on which the meta-data is transmitted. The Um or air interface connects the MS to the BTS wirelessly via radio waves. The Abis interface connects the BTS to the BSCs and is defined as an LAPD or standard ISDN interface and largely coincides with the data link layer of the Um interface. The Abis interface also allows control of the radio equipment and radio frequency allocations in the BTS. The A interface connects the BSS with a NSS and the E interface is the main interface inside a NSS. All the control channels on the A and E interface are part of the Signalling System #7 or SS7, a collection of telephony signalling protocols defined by the International Telecommunication Union or ITU. The TRAU does not interfere with any of the signalling channels, it only transcodes the voice data. The B, C, D, F and G interfaces are defined by ETSI to synchronize all the different information sources within a PLMN. The ETSI has not defined an interface between the AuC and the HLR, so every provider can make their own decision here. Most providers have the AuC located at the HLR site and often these two databases are integrated.
[54] Figure 3 shows a schematic representation of the signalling during an IMSI attach operation or a location registration operation during a sign-on operation of the MS to the GSM network according to the embodiment of Figure 2. It concurrently shows the similar signalling during a location update operation. Figure 3 shows the messages or signals for the authentication during a sign-on operation of an embodiment of an MS remotely accessing a UICC as shown in Figure 2. During such a sign-on operation, for example after powering on the ME of the MS, the MS will request a service from the MSC, referred to as a request for a location registration and also referred to as an IMSI attach operation. Subsequently the MSC will decide to initiate an authentication procedure as already mentioned above. During a location registration operation the MS will issue this request by means of its IMSI. Subsequently the MSC will request authentication triplets corresponding to the MS's IMSI from the VLR. If the VLR does not yet have a related entry for this IMSI or the VLR has already used its supply of authentication triplets for this IMSI, the VLR will, as shown, request up to five new authentication triplets from the HLR/AuC. When the VLR has a supply of authentication triplets, the VLR will return one of these authentication triplets to the MSC.
[55] As already mentioned above, the AuC creates the authentication triplets based on the stored secret key Ki and the A3 and A8 algorithms for each IMSI. These authentication triplets are referenced as "(RAND, SRES, Kc)" in Figure 3, in which RAND is a number randomly chosen by the AuC, SRES is a signed response computed by the AuC as A3(Ki,RAND) and Kc is the session key computed as A8(Ki,RAND). The Ki is a secret key uniquely linked to a corresponding IMSI in the AuC, and additionally this secret key Ki is also uniquely linked with the corresponding IMSI for the corresponding subscription in a corresponding UICC comprising a SIM application. The authentication triplet thus comprises the challenge or RAND, the response or SRES and the session key or Kc for the MSC to authenticate the MS and for the BTS to set up the encrypted channel to the MS.
[56] During a set of messages, referenced in Figure 3 as "Type I", the MSC sends the challenge RAND of the authentication triplet received from the HLR on to the MS with a message referenced as "Authenticate(RAND, CKSN)". This message, when received by the ME of the MS, is forwarded to the VSIM and must subsequently be forwarded by this VSIM through the data network to the PSIM. This incoming message for the MS, of the Type I set of messages, cannot be handled at the level of the VSIM, as the Ki, A3 and A8 algorithms are stored on the physical UICC, referred to as "PSIM", in such a way that they cannot be extracted for simulation or emulation in a VSIM. Based on the received RAND and the secret key Ki stored in the UICC, the SIM application of the physical UICC, referenced as "PSIM", will now compute for the MS a signed response or SRES as A3(Ki,RAND) and the session key or Kc as A8(Ki,RAND) and provide these, via the data network, to the ME. The ME will subsequently transmit a message with the signed response, referenced as "SRES", to the MSC. It is clear that both these Type I messages relate to a particular first set of messages, which comprises at least one message, in this case the message referenced "SRES", that was generated by the ME after making use of a UICC. It is clear that making use of a UICC is to be interpreted as making use of a physical UICC. It is further clear, as already explained with reference to Figure 2 above, that when these Type I messages are exchanged between the MS and the telecommunication network, which according to the embodiment described above means between the ME of the MS and the MSC of the NSS, they will be exchanged respectively along the Um interface, the Abis interface and the A interface.
[57] The MSC can now verify if the SRES it has received from the MS matches the SRES from the authentication triplet received from the HLR. If they match, then the session key Kc is sent by the MSC to the BTS and from this moment on it is possible to start encrypting the Um interface that connects the BTS with the MS. As shown, the location registration will be finalised by the MSC sending an "Accept LocationRegistration (TMSI)" confirmation message to the MS. The TMSI will be generated prior to that message by the MSC and/or the VLR and in this way allows the MS to identify its subscription subsequently by means of this TMSI instead of the IMSI. After this final message from the MSC to the MS, the MS can send a TMSI reallocation complete message up to the MSC/VLR, after which the BSS instructs the MS to go into idle mode by sending it a Channel Release message. Subsequently the MSC/VLR sends an update Location message to the HLR, which records which MSC/VLR has the MS in its service area for subsequent localisation of the MS.
[58] If the SRES received from the MS by the MSC and that of the authentication triplet from the VLR do not match, then the MSC will send a message to the MS telling it that authentication failed. Possibly the MSC can re-attempt authentication, or end the MS connections.
[59] It should be clear that the Type I messages identified above, as already mentioned above, are messages which relate to a particular first set of messages, which must be processed by a physical UICC. So, in the embodiment shown in Figure 3 for an MS remotely accessing a PSIM, it is clear that these Type I messages must have proceeded through the data network in between the ME and the remotely accessed PSIM.
[60] Of the other messages exchanged during the sign-on procedure, some might be processed at the level of the PSIM, VSIM or ME. This is schematically illustrated by means of the arrow representing the data network shown in dotted lines. The IMSI, for example, could be simulated or emulated by the VSIM in function of the IMSI stored on the PSIM; this would for example allow the "Request LocationRegistration(IMSI)" message to be generated without necessarily accessing the PSIM and without this message necessarily traversing the data network in between the ME and the PSIM.
[61] It is further clear that Figure 3 also concurrently shows a Location Update operation, which is similar to the Location Registration operation described above. In such a case, however, the VLR already has a TMSI associated with the IMSI of the MS, so that the IMSI, as used in the Location Registration operation described above, can be replaced by the TMSI, as this TMSI can be correlated to the IMSI at the level of the VLR when necessary. This TMSI is also communicated and stored at the level of the VSIM and/or PSIM shown in Figure 3, or at the level of the UICC for an MS with a directly connected physical UICC. In this way the need for subsequent retransmission of the IMSI, for example along the Um interface, is reduced. As will be explained in more detail below, in general, for real human subscribers such a Location Registration operation is only performed during sign on or log on of their mobile station, such as a mobile phone, to the mobile telecommunication network, such as for example a GSM network. It is clear that the frequency of such a Location Registration operation for such real human subscribers not making use of a remotely accessed UICC is thus rather low. Location Update operations by mobile stations of real human subscribers not making use of a remotely accessed UICC are initiated by the MS, for example periodically, or when the MS moves to another location, or experiences a change in signal transmission coverage, etc. During such a location update operation the MS informs the telecommunication network of its location. This location is for example represented as a Location Area Identity or LAI. The GSM network transmits the LAI to the MS, which subsequently stores it in the SIM. This LAI makes it possible to uniquely identify a particular area within the GSM network. Optionally the SIM can store a list of the most recently used LAIs. Location update operations of human subscribers are initiated by the MS with its current TMSI and current LAI and result in a new TMSI. When the MS requests to perform a location update operation, it identifies itself with its current TMSI, also referred to as the old TMSI, and its current LAI, also referred to as the old LAI. It should be clear that, as typically a single VLR serves several LAIs, when a location update operation is performed the new LAI can be equal to the old LAI. The BSC then appends the CGI of the current BTS to the location update message. The Cell Global Identifier or CGI, which is formed by the subscriber's current Cell Identity or CI and the LAI together and which defines a unique cell in every PLMN, then comprises the LAI and the CI of the current Base Transceiver Station or BTS, also referred to as the new LAI or new CI. Subsequently it is checked whether this MS is already authenticated and possibly full authentication as explained with reference to Figure 3 takes place. If authentication was successful, the VLR stores the new LAI for this TMSI and transmits its VLR-ID or VLR identifier to the HLR together with the correlated IMSI of the MS. It is clear that it is possible that the new VLR-ID received by the HLR will be the same as the VLR-ID the HLR had already stored. The HLR then responds by sending additional subscriber data to the serving VLR, such as for example a collection of services that this MS is entitled to use. Concurrently the VLR also generates a new TMSI, which is transmitted to the MS after the HLR has acknowledged the location update. As will be explained in further detail below, it is clear that MS which remotely access a UICC will, for example, in addition to a higher frequency of location registration operations, also exhibit diverging patterns or frequencies for the location update operations and for example the usage of the IMSI or TMSI in such operations, for example related to the spread use of a PSIM in its SIM MUX with a plurality of different SIM BOXes, which serve as MS at different locations, etc.
[62] It is clear that the Type I messages identified above, which are an embodiment of, in general, a first set of said messages comprising an incoming message for the UICC and a subsequent outgoing message for the UICC, involve a corresponding time period, referenced as TP1, between these subsequent messages. This time period TP1 involved in such a corresponding first set of messages can now be used to detect remote access of a UICC by the ME. It should be clear that when an MS makes use of remote access of a UICC, the involved data network between the physical UICC or PSIM and the ME will introduce an additional round-trip delay time for such a first set of messages. This additional round-trip delay time of the data network will not be present when the ME accesses the UICC locally. It therefore becomes possible to establish a time period reference range for such a first set of messages, for example for the Type I messages identified above, that will allow for the detection of remote access to a UICC by an ME, as will be described in more detail below.
[63] According to a particularly simple embodiment the time period reference range could be set to a time period range for TP1 corresponding to a time period range correlated to an MS that makes use of a locally arranged physical UICC. Such a time period reference range could for example be determined on a theoretical basis, such as for example a range of 1 ms to 100 ms, or be derived from a number of reference measurements of TP1 for MS with a locally arranged physical UICC. It is clear that this then allows for detection of remote access of a UICC by the ME as soon as the corresponding first set of messages involves a corresponding time period TP1 outside of this time period reference range. According to the simple embodiment mentioned above this would thus for example mean a time period TP1 higher than 100 ms.
[64] Figure 4 shows the signalling of the IMSI attach operation or location registration operation according to the embodiment of Figure 3 in more detail. The location registration of Figure 4 as mentioned above is performed during a sign-on procedure of the MS to the GSM network. As also mentioned above changing every occurrence of the IMSI for TMSI shows a location update scenario.
[65] The first two messages show the channel setup phase, in which the MS sends a message to the BTS on the RACH, namely a "CHANnel REQuest" message. The Random Access Channel or RACH is a channel of the Um interface that is used by an MS to request a channel on which to send or receive traffic or signalling information. This "CHANnel REQuest" message comprises the reason for the request, in this case a location registration, and a reference number, which the network uses in its "IMMediate Assignment CoMmanD", so that the MS can see this assignment is meant for it. The subsequent message from the telecommunication network, more particularly from the BTS, comprises an immediate assignment command which assigns a Standalone Dedicated Control Channel or SDCCH channel to the MS by giving it the Absolute Radio Frequency Channel Number or ARFCN and time-slot of the reserved channel. Subsequently a channel setup happens at the Radio Resource management or RR sublayer of the Um interface between the MS and the BTS. The MS then tunes to the SDCCH channel and transmits a subsequent message comprising a request. The request on this channel is seen by the BTS as the acknowledgment of the immediate assignment. The request in this case is a "LOCation UPDate REQuest" message comprising the IMSI and old LAI of the MS. This is a request of the Mobility Management or MM sublayer of the Um interface. As shown, the sequence of an incoming and a subsequent outgoing message from the MS is referenced as Type III and involves a corresponding time period referenced as TP3. It is acknowledged by the telecommunication network by a subsequent message through a layer 2 Um acknowledge frame, which completes the MM sublayer handshake.
[66] As further shown, and already described above with reference to Figure 3, an authentication phase is then started, initiated by the network, more particularly the MSC. As shown, the authentication phase is also an MM sublayer set of messages. An incoming Authentication Request message comprising RAND and CKSN is received by the MS and subsequently, as explained in more detail with reference to Figure 3 above, an outgoing message comprising the Authentication Response SRES is sent by the MS, thereby providing a Type I set of messages, which involves a corresponding time period TP1 and which, as explained in more detail above with reference to Figure 3, is an embodiment of a particular first set of messages which in general comprise at least one message generated by the ME after making use of a UICC.
[67] In the original location registration request to the telecommunication network, the MS already gave a list of the encryption algorithms it supports. The telecommunication network then issues to the MS a "CIPHer MODe CoMmand" with the encryption algorithm to use. Upon correct reception of this incoming message the MS starts ciphering all its transmissions and deciphering all the messages it receives. From the side of the telecommunication network also the BTS starts deciphering all messages it receives on this channel, but the BTS will only start to encipher its transmission when it receives from the MS the subsequent outgoing message: "CIPHer MODe COMplete". These two latter messages have been referenced as a set of messages of Type IV and involve a time period referenced as TP4. From this moment on all communication between this MS and BTS of the telecommunication network on this channel will be encrypted. This encryption is implemented in the first layer of the Um protocol.
[68] As shown, and already mentioned above, once encryption has started according to this embodiment the telecommunication network requests specific identifiers for identification of the MS. The incoming "IDENTity REQuest" message for the MS asks for specific identifiers, in this case the IMEI. The MS provides a response in a subsequent outgoing message IDENT_RSP(IMEI). As shown, these two latter messages form a set of messages referenced as Type II and involve a corresponding time period TP2.
[69] As further shown the telecommunication network then assigns a new TMSI to the MS with the incoming "TMSI REALlocation CoMmanD" message for the MS. Subsequently the MS signals it has correctly received the new TMSI via the outgoing "TMSI REALlocation COMplete" message. As shown, these two latter messages form a set of messages referenced as Type V and involve a corresponding time period TP5.
[70] As further shown in Figure 4 and already explained with reference to Figure 3, thereafter the telecommunication network ends the location registration procedure by transmitting the "LOCation UPDate ACCept" message to the MS.
[71] It is clear that the Type II set of messages and the involved time period TP2 qualify as an embodiment of a second set of messages, which is clearly distinct from the first set of messages mentioned above. This second set of messages involves a request to and response by the ME concerning its IMEI, which is an identifier that is provided by the ME itself without making use of a UICC. In general, such a second set of messages, which comprises at least one message generated by the ME without making use of a UICC, and the time period involved, such as for example TP2, allows for an assessment of the responsiveness of the ME itself, as for these messages it is clear that there is no involvement of a UICC and therefore no additional delay can be present that is related to the additional propagation delay of a data network when the ME would potentially access a UICC remotely. Therefore such a time period involved in such a second set of messages provides an alternative way of determining the time period reference range for the first set of messages. The time period reference range could for example be determined as a range between 25% and 400% of TP2. If the corresponding TP1 during the sign-on operation is outside this time period reference range, then this allows the detection of an ME making use of remote access to a UICC even before completion of the sign-on operation. Corrective action could thus potentially be initiated even during the initial sign-on operation for a particular UICC that is being remotely accessed.
[72] It should be clear that also the Type IV messages could classify as an embodiment of such a second set of messages, as the Type IV messages are handled by the ME without involving the use of a UICC.
[73] The Type III and IV messages could either qualify as a first set, when for example the remotely accessed UICC is involved, or as a second set, when for example these messages are processed by the VSIM locally, thereby bypassing a remotely accessed physical UICC or PSIM. Based on for example statistical analysis of the related time periods for identified MS of which the configuration has been asserted, such sets of messages could for example be automatically classified as a first set or second set of messages.
[74] According to still further embodiments the reference time period range could for example be determined in function of a time period, such as for example TP6, involving an overall transaction of messages, or of at least a predetermined part of this transaction involving both at least one first set and at least one second set of messages, such as for example TP7. The time period reference range could then for example be determined as a time period range below 10% of TP6, or a range between 1% and 5% of TP7.
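The timing check of paragraphs [62] to [71], written out as an added example that is not part of the patent text: a monitoring probe pairs each request with its response per IMSI, derives TP1 and TP2, and tests TP1 against both the static 1 ms to 100 ms range and the 25% to 400% of TP2 range. The event tuple layout, the short message labels, the verdict strings and all sample values are assumptions constructed for the example.

```python
from collections import defaultdict

# Request/response pairs named after the page's message sets. The short labels
# are assumptions of this example, not protocol identifiers.
PAIRS = {
    "TP1": ("AUTH_REQ", "AUTH_RSP"),    # Type I: answered with the physical UICC (A3/A8, Ki)
    "TP2": ("IDENT_REQ", "IDENT_RSP"),  # Type II: IMEI, answered by the ME alone
}
STATIC_RANGE_MS = (1.0, 100.0)  # "1 ms to 100 ms", paragraph [63]
RELATIVE_FACTORS = (0.25, 4.0)  # "between 25% and 400% of TP2", paragraph [71]


def time_periods(events):
    """Return {imsi: {"TP1": ms, "TP2": ms}} from (ts_ms, imsi, name) tuples."""
    pending = {}
    periods = defaultdict(dict)
    for ts_ms, imsi, name in sorted(events):
        for label, (req, rsp) in PAIRS.items():
            key = (imsi, label)
            if name == req:
                # Keep the first request so a retransmission does not shorten the period.
                pending.setdefault(key, ts_ms)
            elif name == rsp and key in pending:
                periods[imsi][label] = ts_ms - pending.pop(key)
    return dict(periods)


def classify(tp, whitelisted=False):
    """Return (verdict, reasons) for one subscriber's measured time periods."""
    tp1, tp2 = tp.get("TP1"), tp.get("TP2")
    if tp1 is None:
        return ("incomplete", [])  # no Type I pair observed, nothing to judge
    reasons = []
    low, high = STATIC_RANGE_MS
    if not low <= tp1 <= high:
        reasons.append("static")
    # The relative range needs a Type II pair from the same ME.
    if tp2 and not RELATIVE_FACTORS[0] * tp2 <= tp1 <= RELATIVE_FACTORS[1] * tp2:
        reasons.append("relative")
    if not reasons:
        return ("local", reasons)
    # Paragraph [78]: whitelisted test-system UICCs are detected but not acted on.
    return ("remote-whitelisted" if whitelisted else "remote-suspected", reasons)


def detect(events, whitelist=frozenset()):
    """Classify every IMSI for which at least one time period was measured."""
    return {imsi: classify(tp, imsi in whitelist)
            for imsi, tp in time_periods(events).items()}


# Constructed sample capture (timestamps in ms, IMSIs from the 001/01 test PLMN).
SAMPLE_EVENTS = [
    (1000, "001010000000001", "AUTH_REQ"), (1040, "001010000000001", "AUTH_RSP"),
    (1200, "001010000000001", "IDENT_REQ"), (1230, "001010000000001", "IDENT_RSP"),
    (5000, "001010000000002", "AUTH_REQ"), (5380, "001010000000002", "AUTH_RSP"),
    (5500, "001010000000002", "IDENT_REQ"), (5535, "001010000000002", "IDENT_RSP"),
    (9000, "001010000000003", "AUTH_REQ"), (9095, "001010000000003", "AUTH_RSP"),
    (9200, "001010000000003", "IDENT_REQ"), (9220, "001010000000003", "IDENT_RSP"),
    (12000, "001010000000004", "AUTH_REQ"), (12400, "001010000000004", "AUTH_RSP"),
    (12500, "001010000000004", "IDENT_REQ"), (12530, "001010000000004", "IDENT_RSP"),
    (15000, "001010000000005", "AUTH_REQ"),  # response never seen
    (15200, "001010000000005", "IDENT_REQ"), (15230, "001010000000005", "IDENT_RSP"),
]

if __name__ == "__main__":
    for imsi, verdict in detect(SAMPLE_EVENTS, {"001010000000004"}).items():
        print(imsi, verdict)
```

The third subscriber shows why the TP2-relative range matters: a TP1 of 95 ms passes the static range but is far outside what that ME's own 20 ms responsiveness predicts.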
[75] It should be clear that although the invention has been illustrated with reference to a GSM network, similar messages and signals of the first and second type are available for other embodiments of PLMNs, such as for example other types of 2G mobile networks, or 3G, 4G, 5G, etc. types of mobile networks or satellite telecommunication networks.
[76] It should be clear that in telecommunications the round-trip delay time or RTD or round-trip time RTT is generally used as the time period required for an outgoing message to be transmitted plus the time period required for a subsequent incoming message to be received. This round-trip delay time thus comprises the propagation times associated with the interfaces between the respective elements of the telecommunication network along which these messages are exchanged as well as any potential processing delays introduced by the elements of the telecommunication network processing these messages during such an exchange.
[77] It should further be clear that the monitoring and selection of said messages between the ME and the telecommunication network for use in the method for detecting remote access of a UICC by a mobile equipment can preferably be performed at the level of an interface that also allows the differences in the time period involved in such a first set of messages to be reliably determined, as caused by the additional round-trip delay time period of the data network in between the ME and the telecommunication network when an ME makes use of remote access of a UICC or not. It is clear that in the embodiments described above, for a GSM type telecommunication network, and for the embodiments of the sets of messages described above, the monitoring and selection of these messages could be performed by a suitable monitoring device at the level of one or more of these interfaces: the Um interface, the Abis interface, the A interface.
[78] It should further also be clear that the method described above allows for the detection of all remotely accessed UICC. This means both remotely accessed UICC that are used in for example test systems, as well as remotely accessed UICC for illegitimate use. In order to prevent corrective action from being applied to the legitimately remotely accessed UICC of test systems, the telecommunication network operator could for example provide or maintain a whitelist of all UICC which are in use in such test systems or have been provided for legitimate remote access. It is clear that alternative mechanisms for discrimination between legitimate and illegitimate remote access of a UICC are available, once detected, such as for example based on the geographical location, call behavior patterns, call history, etc.
[79] As already mentioned above still further alternative embodiments are possible in which instead of and/or in addition to the abovementioned embodiments a diverging frequency, pattern, etc. related to location registration operations and/or location update operations is used to detect remote usage of a UICC. According to the embodiment shown in Figures 1 or 2, each time the SIM MUX makes available a different PSIM for remote use by the MS, this requires a log on to the telecommunication network, and thus a corresponding location registration operation. Additionally each time the SIM MUX makes available a particular PSIM for remote use at a different MS accessing this PSIM remotely from a different location, this will trigger a corresponding location update operation. It is clear that still other scenarios relating to particular usage frequencies or patterns of for example the location registration operations and/or location update operations of MS making use of remote access of a UICC in this way could be detectable. Particularly the usage of the IMSI or TMSI during such location registration operations and location update operations could provide for detectable patterns in the messages between the MS and the mobile telecommunication network. Such detectable patterns could relate to specific frequencies, shares, averages, means, sequences, timing, delays, etc. related to one or more such messages. These detectable patterns, frequencies, etc. relate to the behaviour of the equipment used by such bypass operations, such as for example SIM BOXes and/or SIM MUXes and how they have been configured to operate in a way diverging from a reference which is indicative for patterns, frequencies, etc. of real subscribers not making use of remote access to a UICC.
For example, the location registration operations and location update operations, and the use of the IMSI and/or of the old TMSI and/or new TMSI, are determined by the configuration of the specific equipment, such as the SIM BOX, SIM MUX, etc., as operated by a bypass operator when making use of remote access to UICCs. Although there are differences among such equipment, their vendors and/or their configuration, this typically results in detectable patterns, frequencies, etc. in the messages between the MS and the network, with respect to reference patterns, frequencies, etc. related to a real subscriber MS, such as a mobile phone not making use of remote access to a UICC. One reason is that a mobile phone of a real subscriber which does not make use of remote access to a UICC typically disconnects from the network rather rarely. In such a case the sign on, involving a location registration operation, is not considered time critical and can lead to considerable delays. However, usage of a SIM multiplexer to make PSIMs remotely available at SIM BOXes or other suitable MS will cause a higher frequency of such location registration operations as explained above, and as such bypass operators are inclined to optimize such operations in order to reduce the associated delays as much as possible. An additional reason for diverging patterns, frequencies, etc. is that a bypass operator which makes use of a SIM MUX for remote access of a plurality of PSIMs to one or more SIM BOXes might prefer an increased efficiency for these operations over guaranteeing security, anonymity and avoidance of eavesdropping.
[80] According to an embodiment, detection of remote access of a UICC by a mobile equipment in a telecommunication network can thus be performed by monitoring a plurality of messages between mobile equipment and the telecommunication network, selecting a plurality of said messages generated by at least one mobile equipment during a plurality of location registration operations and/or location update operations, and detecting remote access of a UICC by the mobile equipment if the frequency or pattern of said messages of such location registration operation and/or location update operation differs from such a reference as identified above. As already indicated above, remote access of a UICC by the mobile equipment could for example be detected if the frequency or pattern of the usage of said Temporary Mobile Subscriber Identity or TMSI, and/or said International Mobile Subscriber Identity or IMSI during said location registration operations and/or location update operations differs from such a reference.
[81] Typical patterns for such equipment, such as a SIM MUX and/or SIM BOX operated by bypass operators, which differ from a reference pattern of MS which do not make use of remote access to a UICC, and which thus allow detection of remote access of a UICC by the MS, are for example one or more of the following: the International Mobile Subscriber Identity or IMSI is always used during the location registration operations and/or location update operations; the Temporary Mobile Subscriber Identity or TMSI is reused during new location registration operations and/or location update operations; the Temporary Mobile Subscriber Identity or TMSI is reused during location registration operations and/or location update operations for different International Mobile Subscriber Identities or IMSIs; etc. It is clear that still alternative detectable patterns are possible, such as for example a pattern indicative of storage of the Temporary Mobile Subscriber Identity or TMSI at a location remote from a physical UICC; a pattern indicative of reuse of information, stored at a remote location from a physical UICC, for a plurality of different physical UICC accessed by the mobile equipment, etc. According to a particular embodiment, the detectable pattern could for example be a pattern exhibited by allocation of the same TMSI to a new IMSI which performs a location registration operation immediately after a previous IMSI was disconnected, or detached from this TMSI, etc. This pattern could for example also result in a high correlation between a particular TMSI and the IMSI of remotely accessed UICC as for example provided by a SIM MUX. This is particularly the case when the TMSI allocation algorithm in use in the telecommunication network immediately provides a previously released or detached TMSI to a new IMSI performing a location registration operation.
[82] Although according to some embodiments the abovementioned reference could be a static reference value, means, average, range, sequence, timing, delay, etc. representative of patterns, frequencies, etc. correlating to messages or sets or sequences of messages, etc. of MS without remote access to a UICC, in order to provide for a more refined reference and a more reliable detection, the reference could be adapted in function of the type of MS, network, etc. involved. According to an exemplary embodiment the reference could be established in function of one or more International Mobile Equipment Identifiers or IMEI, which uniquely identify a mobile equipment; one or more Type Allocation Codes or TAC, which identify a particular model of a mobile equipment; an average or mean for said messages in said telecommunication network; or any other suitable patterns or frequencies associated with one or more known Mobile Equipments and/or subscribers.
[83] It is further clear that, as already explained above with reference to the authentication part of the location registration operation shown in Figures 3 and 4, the location update operations and/or location registration operations can be handled at least partly by the VSIM at the MS without access to the remotely accessible PSIM in the SIM MUX. The implemented mode of operation of the SIM MUX and such MS making use of remote access of a UICC could thus also lead to detectable patterns, for example in the frequencies, time periods, etc. of the messages exchanged between the MS and the telecommunication network.
[84] Although still further alternative embodiments are possible, it is clear that in general this description supports a method for detecting remote access of a UICC by a mobile equipment in a telecommunication network. According to this method, a plurality of messages between mobile equipment and the telecommunication network is monitored, and a plurality of these messages generated by at least one mobile equipment involving a UICC is selected, thereby enabling detection of remote access of a UICC by the mobile equipment if said selected messages differ from a reference. This reference relates to a pattern in these messages representative for one or more MS which do not make use of remote access of a UICC.
[85] Although the present invention has been illustrated by reference to specific embodiments, it will be apparent to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied with various changes and modifications without departing from the scope thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes, variations, combinations, ... which come within the scope of the claims are therefore intended to be embraced therein.
[86] It will furthermore be understood by the reader of this patent application that the words "comprising" or "comprise" do not exclude other elements or steps, that the words "a" or "an" do not exclude a plurality, and that a single element, such as a computer system, a processor, or another integrated unit may fulfil the functions of several means recited in the claims. Any reference signs in the claims shall not be construed as limiting the respective claims concerned. The terms "first", "second", "third", "a", "b", "c", and the like, when used in the description or in the claims are introduced to distinguish between similar elements or steps and are not necessarily describing a sequential or chronological order. Similarly, the terms "top", "bottom", "over", "under", and the like are introduced for descriptive purposes and not necessarily to denote relative positions. It is to be understood that the terms so used are interchangeable under appropriate circumstances and embodiments of the invention are capable of operating according to the present invention in other sequences, or in orientations different from the one(s) described or illustrated above.

Claims

1. A method for detecting remote access of a UICC by a mobile equipment in a telecommunication network, comprising the steps of:
- monitoring a plurality of messages between at least one mobile equipment and the telecommunication network;
- selecting a plurality of said messages generated by said at least one mobile equipment involving a UICC;
- detecting remote access of a UICC by the mobile equipment if said selected messages differ from a reference.
2. A method according to claim 1, wherein the method comprises the steps of:
- monitoring said plurality of messages between mobile equipment and the telecommunication network;
- selecting said plurality of said messages generated by said at least one mobile equipment during a plurality of location registration operations and/or location update operations;
- detecting remote access of a UICC by the mobile equipment if the frequency or pattern of said messages of such location registration operation and/or location update operation differs from said reference.
3. A method according to claim 2, wherein the method comprises the step of:
- detecting remote access of a UICC by the mobile equipment if the frequency or pattern of the usage of said Temporary Mobile Subscriber Identity or TMSI, and/or said International Mobile Subscriber Identity or IMSI during said location registration operations and/or location update operations differs from said reference.
4. A method according to claim 3, wherein, the method comprises the step of:
- detecting remote access of a UICC by the mobile equipment if:
- said International Mobile Subscriber Identity or IMSI is always used during said location registration operations and/or location update operations;
- said Temporary Mobile Subscriber Identity or TMSI is reused during new location registration operations and/or location update operations;
- a Temporary Mobile Subscriber Identity or TMSI is reused during location registration operations and/or location update operations for different International Mobile Subscriber Identities or IMSIs;
- a pattern is detected indicative of storage of the Temporary Mobile Subscriber Identity or TMSI at a location remote from a physical UICC;
- a pattern is detected indicative of reuse of information, stored at a remote location from a physical UICC, for a plurality of different physical UICC accessed by the mobile equipment.
5. A method according to any of the preceding claims, wherein, the method comprises the step of establishing said reference in function of:
- one or more International Mobile Equipment Identifiers or IMEI, which uniquely identify a mobile equipment;
- one or more Type Allocation Codes or TAC, which identify a particular model of a mobile equipment;
- an average or mean for said messages in said telecommunication network;
- patterns or frequencies associated with one or more known Mobile Equipments and/or subscribers.
6. A method for detecting remote access of a UICC by a mobile equipment in a telecommunication network according to any of the preceding claims, comprising the steps of:
- monitoring a plurality of messages between at least one mobile equipment and the telecommunication network;
- selecting a first set of said messages, comprising at least one message generated by the mobile equipment after making use of a UICC;
- establishing a time period reference range for said first set of said messages;
- detecting remote access of a UICC by the mobile equipment if the corresponding first set of said messages involves a corresponding time period outside of said time period reference range.
7. A method according to claim 6, wherein the method comprises the further step of determining the time period reference range in function of a time period involved in said first set of said messages of at least one further mobile equipment not making use of remote access of a UICC.
8. A method according to claim 7, wherein the method comprises the further step of identifying at least one further mobile equipment not making use of remote access for determining the time period reference range based on one or more of the following:
- an identifier of the further mobile equipment identifying a mobile equipment of which it is known that it does not make use of remote access of a UICC;
- a lower maximum of the distribution of the time periods respectively involved in said first set of said messages of a plurality of further mobile equipments.
9. A method according to claim 6, wherein the method comprises the further step of determining the time period reference range in function of a time period involved in said first set of said messages of at least one further mobile equipment making use of remote access of a UICC.
10. A method according to claim 9, wherein the method comprises the further step of identifying at least one further mobile equipment making use of remote access for determining the time period reference range based on one or more of the following:
- an identifier of the further mobile equipment identifying a mobile equipment of which it is known that it does make use of remote access of a UICC;
- a higher maximum of the distribution of the time periods respectively involved in said first set of said messages of a plurality of further mobile equipments.
11. A method according to any of the preceding claims, wherein the method comprises the further steps of:
- selecting a second set of said messages, comprising at least one message generated by the mobile equipment or a further mobile equipment without making use of a UICC;
- determining the time period reference range for said first set of said messages in function of a time period range associated with said second set of said messages.
12. A method according to any of the preceding claims, wherein said first set of said messages and/or said second set of said messages comprises at least an incoming message for the mobile equipment from the telecommunication network and a subsequent outgoing message from the mobile equipment to the telecommunication network.
13. A method according to any of the preceding claims, wherein said first set of messages comprises at least a random challenge message for the UICC from the telecommunication network and a subsequent signed response message from the UICC to the telecommunication network, the signed response message being determined by the UICC in function of the random challenge message.
14. A method according to any of the preceding claims, wherein said second set of messages comprises at least an identification message requesting an identifier of the ME from the telecommunication network to the ME; and a subsequent identification response message from the ME to the telecommunication network, the identification response message comprising the identifier of the ME.
15. A method according to any of the preceding claims, wherein said identifier of the ME is its IMEI.
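
The timing comparison of claims 6, 11, 13 and 14, sketched as an added Python example that is not part of the patent text: the round trip of a challenge/signed-response exchange (which needs the UICC) is compared against a reference range derived from the identity request/response exchange that the ME answers on its own. The trace, the ME labels, the simplified message names and the 0.2 s allowance are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed trace (not captured traffic): (time_s, me_id, message).
# *_REQUEST travels network -> ME, *_RESPONSE travels ME -> network.
TRACE = [
    (0.00, "ME-LOCAL", "IDENTITY_REQUEST"), (0.11, "ME-LOCAL", "IDENTITY_RESPONSE"),
    (0.20, "ME-LOCAL", "AUTH_REQUEST"), (0.35, "ME-LOCAL", "AUTH_RESPONSE"),
    (5.00, "ME-LOCAL", "IDENTITY_REQUEST"), (5.12, "ME-LOCAL", "IDENTITY_RESPONSE"),
    (5.20, "ME-LOCAL", "AUTH_REQUEST"), (5.33, "ME-LOCAL", "AUTH_RESPONSE"),
    (1.00, "ME-SUSPECT", "IDENTITY_REQUEST"), (1.10, "ME-SUSPECT", "IDENTITY_RESPONSE"),
    (1.20, "ME-SUSPECT", "AUTH_REQUEST"), (2.05, "ME-SUSPECT", "AUTH_RESPONSE"),
    (6.00, "ME-SUSPECT", "IDENTITY_REQUEST"), (6.12, "ME-SUSPECT", "IDENTITY_RESPONSE"),
    (6.20, "ME-SUSPECT", "AUTH_REQUEST"), (7.10, "ME-SUSPECT", "AUTH_RESPONSE"),
    (8.00, "ME-SILENT", "AUTH_REQUEST"),  # no response seen: must not be scored
]

def round_trips(trace, kind):
    """Per-ME delays between each <kind>_REQUEST and the next <kind>_RESPONSE."""
    pending, delays = {}, defaultdict(list)
    for t, me_id, msg in sorted(trace):
        if msg == kind + "_REQUEST":
            pending[me_id] = t
        elif msg == kind + "_RESPONSE" and me_id in pending:
            delays[me_id].append(t - pending.pop(me_id))
    return delays

def detect_remote_uicc(trace, uicc_allowance_s=0.2):
    """Flag MEs whose UICC-involving round trip is outside the reference range.

    First set (claim 13): random challenge -> signed response, needs the UICC.
    Second set (claim 14): identity request -> identifier response, ME alone.
    Reference range (claim 11): up to the ME-only round trip plus an allowance
    for the card's own computation; the 0.2 s default is an assumed value.
    """
    auth, ident = round_trips(trace, "AUTH"), round_trips(trace, "IDENTITY")
    verdicts = {}
    for me_id in auth.keys() & ident.keys():  # both sets are needed to compare
        upper = median(ident[me_id]) + uicc_allowance_s
        observed = median(auth[me_id])
        verdicts[me_id] = {"auth_s": round(observed, 3), "limit_s": round(upper, 3),
                           "remote_uicc_suspected": observed > upper}
    return verdicts
```

Deriving the limit from the same ME's identity round trip cancels out radio and network latency common to both exchanges, so only the extra delay of reaching the card remains in the comparison.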
PCT/EP2016/067203 2015-07-21 2016-07-19 Method for detecting remote access of a universal integrated circuit card (uicc) Ceased WO2017013127A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201562195040P 2015-07-21 2015-07-21
US62/195,040 2015-07-21

Publications (1)

Publication Number Publication Date
WO2017013127A1 true WO2017013127A1 (en) 2017-01-26

Family

ID=56611230

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2016/067203 Ceased WO2017013127A1 (en) 2015-07-21 2016-07-19 Method for detecting remote access of a universal integrated circuit card (uicc)

Country Status (1)

Country Link
WO (1) WO2017013127A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030045270A1 (en) * 2001-09-06 2003-03-06 Prathima Agrawal Fraud detection techniques for wireless network operators
US20090069047A1 (en) * 2007-09-07 2009-03-12 Tekelec Methods, systems, and computer program products for detecting wireless bypass in a communications network
US20100057485A1 (en) * 2008-08-29 2010-03-04 Achim Luft Methods and apparatus for machine-to-machine based communication service classes

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110602742A (en) * 2019-09-25 2019-12-20 北京中广瑞波科技股份有限公司 Thing networking test equipment
CN110602742B (en) * 2019-09-25 2022-06-17 北京中广瑞波科技股份有限公司 Thing networking test equipment
DE102019214919A1 (en) * 2019-09-27 2021-04-01 SIGOS GmbH Test procedure for checking an RSP process and active test system for providing such a test procedure
WO2021058305A1 (en) 2019-09-27 2021-04-01 SIGOS GmbH Test method for verification of an rsp process and active test system providing such a test method
EP4672798A1 (en) 2024-06-27 2025-12-31 Mobileum Inc. eSIM profile management system, test system and loading procedure

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16748077

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16748077

Country of ref document: EP

Kind code of ref document: A1