In April 2019, NIST's Public Safety Communications Research (PSCR) division - in partnership with the First Responder Network Authority (FirstNet), IBM, and Nok Nok Labs - launched a prize challenge program targeted at exploring whether the SIM cards common in many commercial mobile phones could be used as storage containers for public safety application credentials.
Recognizing Public Safety's need for convenient, standards-based, two-factor authentication, PSCR engaged qualified contestants in a three-phase Prize Challenge over the course of six months. PSCR's editorial staff recently interviewed Security Team Lead, John Beltz, to learn more about the goals of the Expanding the SIM Card Use for Public Safety Challenge.
PSCR recently wrapped its Expanding the SIM Card Use for Public Safety Challenge. Can you tell us about the goals of this Challenge?
First Responders transmit sensitive data on mobile applications, so those applications should support hardware-based, two-factor authentication. Current hardware-based authenticators can be expensive, inconvenient, and easy to lose. We wanted to challenge contestants to use the SIM already included on mobile devices as a hardware authenticator.
What kinds of obstacles were inherent to this Challenge? How did contestants handle these obstacles? What - if any - unexpected obstacles came up during the Challenge? How were those addressed by contestants?
The biggest obstacle was understood as we initiated the challenge, being able to write credentials to a secure location on the SIM. SIMs are secured by cellular carriers because they store carrier subscriber secret keys, so having the appropriate level of access is challenging. The winning solution used a SIM overlay to simulate writing credentials on the actual SIM. This solution was a good workaround for the prototype, allowing PSCR to demonstrate the benefits of the technology, without affecting the security of the carrier's SIM.
Can you tell us about the winning solution (or the top solutions)? What surprised or impressed you?
Aside from the creative use of the SIM overlay, we were impressed by the competitors' intuitive and robust user interface. The authentication application easily facilitated registering and storing of authentication credentials, the authentication process, and even additional security measures to prevent unauthorized tampering with credentials. The winning solution really took the needs of the user into account.
How does/do the winning solution/s help NIST with its R&D plans? How does/do the solution/s help industry and first responders?
The solution helps our PSCR Security Team demonstrate that first responders have unique authentication needs and current commercial solutions may not be the best fit. We hope to spur further innovation by demonstrating this to industry and first responders as a viable two-factor authentication solution.