Method and device for loading profiles in a factory for limited use
By associating an authentication counter with profiles to limit factory loading mode authentications, the security vulnerability of devices is mitigated, ensuring secure and compliant operation.
Patent Information
- Authority / Receiving Office
- FR · FR
- Patent Type
- Applications
- Current Assignee / Owner
- IDEMIA FRANCE SAS
- Filing Date
- 2024-11-29
- Publication Date
- 2026-06-05
AI Technical Summary
The persistence of factory loading mode in devices after leaving the factory poses a security vulnerability, allowing malicious actors to load profiles and control devices to the detriment of legitimate users, especially in complex manufacturing processes involving multiple subcontractors.
An authentication counter is associated with profiles, with a maximum number of authentications set by the operator, triggering countermeasures such as notifications or deactivation when the limit is reached, ensuring the factory loading mode is deactivated.
Ensures secure operation of devices by preventing unauthorized profile loading and ensuring the factory loading mode is deactivated, thereby enhancing security and compliance with intended usage.
Smart Images

Figure 00000000_0000_ABST
Abstract
Description
Title of the invention: Method and device for loading profiles in a factory for limited use
[0001] The invention relates to a mechanism that allows a manufacturer of devices connectable to a cellular communication network to load profiles onto the device in factory loading mode. This mechanism, known in English as In Factory Profile Provisioning, or IFPP, is primarily used by device manufacturers to enable devices to connect to cellular communication networks via the loaded profiles. Furthermore, it also allows for testing the proper functioning, at the factory, of the connectivity characteristics of the manufactured devices.
[0002] A device connectable to a cellular communication network, such as a mobile phone, traditionally includes a secure element used for authentication on the communication network(s), typically mobile telephony. Such secure elements include Universal Integrated Circuit Cards (UICCs), notably SIM cards (Subscriber Identity Modules), and their embedded version known as eUICCs (embedded UICCs), also called eSIMs. An eUICC module is a secure hardware element, generally small in size, that can be integrated into a host mobile terminal to implement the functions of a traditional SIM card.
[0003] eUICCs may include several subscriptions or profiles, each corresponding to a mobile phone operator (or cellular communication network operator), referred to as "operator" in the following text. Each profile includes subscription data, for example an IMSI (International Mobile Subscriber Identity), cryptographic keys, and algorithms, specific to a subscription provided by an operator.
[0004] eUICC cards offer greater flexibility in subscription management, particularly in the provision and remote management of profiles. eUICC cards are reprogrammable and therefore allow, over time, the loading, deletion, and updating of multiple subscriber profiles (or communication profiles, or even connection profiles) within the same eUICC card. Each subscriber profile is contained in a secure container (denoted ISD-P for "Issuer Security Domain Profile," which can only contain one profile) that, like a conventional SIM card, contains the data enabling, when the profile is active, the authenticate with a corresponding mobile phone network to access a service (e.g., voice or data).
[0005] By changing the active subscriber profile in the eUICC card, it is possible to change operators or modify access to associated services.
[0006] The specification "SGP.22 - RSP Technical Specification - Version 2.3 - 30 June 2021", hereinafter "SGP.22", describes in particular a technical solution for the remote provisioning and management of eUICCs in consumer devices. The procedures described are typically initiated by the device (including the eUICC).
[0007] The specification "SGP.02 - Remote Provisioning Architecture for Embedded UICC Technical Specification - Version 4.2 - 07 July 2022", hereinafter "SGP.02", describes a technical solution for the remote provisioning and management of eUICCs embedded in M2M ("machine to machine") terminals. The procedures described are typically initiated by a pair of servers, within the framework of a technical solution for the remote provisioning and management of eUICCs governed by SGP.02, designated SM-DP (for "Subscription Manager Data Preparation") and SM-SR (for "Subscription Manager Data Secure Routing"), and initiated by a single server, within the framework of a technical solution for the remote provisioning and management of eUICCs governed by SGP.22, designated SM-DP+ (for "Subscription Manager Data Preparation enhanced").
[0008] Typical procedures for managing eUICCs as described in these specifications include, among others, profile loading and installation, profile activation, profile deactivation, and profile deletion.
[0009] The profile loading described in these specifications can be carried out according to two distinct loading modes.
[0010] A first mode, referred to as the standard loading mode, is the profile loading mode used by the device user when subscribing to or modifying a subscription with their operator. This standard loading mode includes the generation of keys exchanged between the secure element and the server providing the profiles to secure the loading, and is controlled by the device user.
[0011] A second loading mode, referred to as the factory loading mode, is a profile loading mode used by the device manufacturer within the manufacturing plant. This loading mode is based on pre-calculated keys and is controlled by the manufacturer. This mode allows, for example, the loading of a provisional profile for testing purposes during manufacturing. It can also be used in the context of the Internet of Things (IoT). In this In this context, it is generally desired that the devices be directly operational when leaving the factory and therefore have a factory-loaded profile.
[0012] Once the device has left the factory, i.e., once it has been sold to its end user, or, for example, deployed in the field, only the standard profile loading mode should be operational. The factory loading mode must be deactivated. This deactivation is the responsibility of the device manufacturer.
[0013] Due to the increasing complexity of the manufacturing process, which is now often shared by a number of subcontractors—manufacturer of the components integrated into the device, manufacturer of the secure element, manufacturer of the modem, manufacturer of the motherboard—it is sometimes difficult for the device manufacturer to ensure the deactivation of the factory charging mode. There is also always a risk of theft of a terminal from the factory before the factory charging mode is deactivated.
[0014] This poses a problem. Indeed, the persistence of a profile loading mode alternative to the standard loading mode after the device leaves the factory is a security vulnerability. This profile loading mode (i.e., the factory loading mode) could be used by malicious actors to load profiles designed to take control of the device to the detriment of its legitimate user.
[0015] The invention presented aims to solve this problem. Description of the invention
[0016] To this end, the invention proposes a mechanism for associating an authentication counter with a profile. An operator can set a maximum number of authentications linked to a loaded profile when the factory loading mode is activated. A value indicating this maximum number of authentications is included in the profile, typically in the metadata associated with the profile. When this profile is loaded into a secure element of a device connectable to a cellular communication network, a corresponding counter is created by the operating system of the secure element. This counter is initialized to the value contained in the profile. Then, during each authentication, if this authentication occurs while the profile's factory loading mode is activated, the counter is, for example, decremented by one. When the counter value reaches, for example, zero, a countermeasure is triggered.This countermeasure can take different forms depending on the embodiment of the invention. This countermeasure can take the form of a simple information message to the operator, it can also include the deactivation of the corresponding profile or even the deactivation of the factory loading mode of the secure element.
[0017] According to a first aspect of the invention, a method is proposed for loading a profile into a secure element of a device connectable to a network of cellular communication including an operating system of the secure element: - a step of receiving a connection profile; - a step to install the received connection profile; characterized in that the process further comprises: - a step to determine a value indicating the maximum number of authentications present in the connection profile; and - an initialization step for an authentication counter based on the determined value.
[0018] According to another aspect of the invention, a method of communication is proposed between a device connectable to a cellular communication network and the cellular communication network comprising, by the connectable device: - a step of connecting to the cellular communication network based on a connection profile loaded onto a secure element of the connectable device; characterized in that, the connection profile includes a value indicating a maximum number of authentications, the method further comprising: - a counting step for each authentication performed by the connectable device to the cellular communication network while a profile loading mode in factory load mode is active; and - a step to trigger a countermeasure when the number of authentications counted reaches the value indicating a maximum number of authentications.
[0019] In one embodiment of the invention, the countermeasure includes sending a notification to a cellular communication network operator.
[0020] In one embodiment of the invention, the countermeasure includes sending a notification to a manufacturer of the connectable device and / or to a server in charge of preparing and distributing a profile and / or to a server responsible for remote management operations of a profile state.
[0021] In one embodiment of the invention, the countermeasure includes the deactivation of the connection profile.
[0022] In one embodiment of the invention, the countermeasure includes disabling the profile factory loading mode.
[0023] In one embodiment of the invention, the method further comprises: - a step of resetting the counting when reactivating the factory profile loading mode.
[0024] According to another aspect of the invention, a computer program product is proposed comprising instructions for implementing the process according to the invention, when this program is executed by a processor.
[0025] According to another aspect of the invention, a non-transient recording medium readable by a computer is proposed on which a program is recorded for the implementation of the method according to the invention when this program is executed by a processor.
[0026] According to another aspect of the invention, a device connectable to a cellular communication network is proposed, comprising a secure element, the secure element comprising a processor configured to execute: - a step of receiving a connection profile; - a step to install the received connection profile; characterized in that the processor is further configured to execute: - a step to determine a value indicating the maximum number of authentications present in the connection profile; and - an initialization step for an authentication counter based on the determined value.
[0027] According to another aspect of the invention, a device connectable to a cellular communication network is proposed, comprising a processor configured to execute: - a step of connecting to the cellular communication network based on a connection profile loaded onto a secure element of the connectable device; characterized in that, the connection profile including a value indicating a maximum number of authentications, the processor is further configured to execute: - a counting step for each authentication performed by the connectable device to the cellular communication network while a profile loading mode in factory load mode is active; and - a step to trigger a countermeasure when the number of authentications counted reaches the value indicating a maximum number of authentications. Brief description of the drawings
[0028] Other features, details, and advantages of the invention will become apparent upon reading the detailed description below. This description is purely illustrative and should be read in conjunction with the accompanying drawings, in which: Fig. the
[0029] Fig. 1a illustrates the profile loading architecture in one embodiment of the invention; Fig. 1b
[0030] Fig.lb illustrates the profile loading architecture in another embodiment of the invention; Fig. 2
[0031] Fig. 2 illustrates the main steps of a profile loading process according to one embodiment of the invention; Fig. 3
[0032] Figure 3 illustrates the main steps of an authentication process according to one embodiment of the invention; Fig. 4
[0033] Fig. 4 illustrates the architecture of an information processing device for the implementation of one or more embodiments of the invention. Detailed description
[0034] Fig. 1a illustrates the architecture of the profile loading in the factory in one embodiment of the invention.
[0035] Connection profiles are generated by a server 102 called SM-DP+ (for Subscriber Management - Data Preparation enhanced) following a generation request sent by an operator 101 called MNO (for Mobile Network Operator). The connection profiles are generated by the server 102 based on data files or data provided by the operator 101 as part of the generation request sent by the operator 101.
[0036] The SM-DP+ 102 server is responsible for preparing (or generating) and distributing (or supplying, or provisioning) profiles to devices connectable to a cellular communication network. This server 102 implements security measures and manages the encryption keys used to encrypt the profiles and transmit them to the devices for loading and installation into the secure element integrated into the device.
[0037] The manufacturer 103 manages the manufacture of devices 106 that can be connected to a cellular communication network.
[0038] The SM-DP+ server 102 communicates with an administration server 104 operated by the manufacturer 103 to manage a fleet of devices 106. Each device 106 includes a secure element 108, typically an eUICC.
[0039] It should be noted that device 106 is an information processing device with a processor, memory, and input / output ports. As such, device 106 is controlled by an operating system, for example, "Android" (registered trademark) from "Google" (registered trademark) or "iOS" (registered trademark) from "Apple" (registered trademark), allowing a set of applications to run on the device. Similarly, secure element 108 is also a processing device Information with its own processor and memory, operated by its own operating system, allows applications to run within the secure element. The operating system of device 106 should not be confused with the operating system of secure element 108.
[0040] Among the features of the operating system of device 106 is a module 107 for local assistance for profiles, or LPA for Local Profile Assistant in English.
[0041] When the manufacturer 103 wants to load connection profiles onto the devices 106 being manufactured, the administration server 104 sends its request to the SM-DP+ server 102. This request typically contains the identifiers of the devices 106 and the relevant secure elements 108.
[0042] The SM-DP+ 102 prepares the profiles and makes them available (i.e., provides, distributes or provisiones the profiles) on request to the administration server 104. The LPA module 107 requests the profile intended for it from the administration server 104. In response, the LPA module 107 receives the profile from the administration server 104 and loads it into the secure element 108.
[0043] The profile is encrypted using keys, typically pre-calculated, by the SM-DP+ 102. These encryption keys are specific to each secure element, so as to guarantee that only the secure element for which the profile was created can decrypt this profile.
[0044] Once loaded into the secure element 108, the profile can be decrypted and installed within the secure element. The profile is then ready to be activated so that it can be used to establish a connection of the device 106 to the mobile network operated by the operator 101.
[0045] This profile loading mode is referred to as the factory loading mode. It differs from the standard loading mode, among other things, by using pre-calculated keys for profile encryption. For it to be operational, it requires that secure element 108 has activated its factory profile loading mode.
[0046] Figure [Fig. 1b] illustrates the profile loading architecture in another embodiment of the invention. Elements in the figure with common reference numerals and already described will not be described again for the sake of brevity. This loading method is more specifically dedicated to Internet of Things (IoT) devices. An IoT device is a device typically involved in machine-to-machine communication without human user intervention.
[0047] The method is similar to the method described in relation to [Fig. 1a], except for the use of an elM 105 server (optionally, the elM can also be a module forming part of a server), for eSIM IoT Remote Manager, which is responsible for managing the secure elements 108 deployed in the IoT devices 106. The elM 105 is responsible for remote management operations of profile status (e.g., activation, deactivation, deletion, etc.) on a single IoT device or a fleet of IoT devices. The consumer device's LPA agent 107 is replaced by an IoT Profile Assistant agent 109, IPA (for IoT Profile Assistant), which has the same functionality for installing profiles in the secure element integrated into the IoT device 106 and is also responsible for managing profile status or relaying profile status management instructions (or operations) from the elM server 105 (e.g., activation, deactivation, deletion, etc.). Communication between the elM server 105 and the IPA agent 109 is standardized by the GSMA document SGP.32 "eSIM IoT Technical Specification, Version 1.0.1, 04 July 2023".
[0048] Figure 2 illustrates the main steps of a profile installation method according to an embodiment of the invention. The method in Figure 2 is performed by the secure element's operating system.
[0049] During a 201 reception step, by the secure element, of the profile to be installed, transmitted by the LPA 107 module or the IPA 109 module, the profile is decrypted in the usual way.
[0050] During a verification step 202, it is checked whether the profile includes a value indicating a maximum number of authentications associated with that profile. In one embodiment, this verification may correspond to detecting the presence of said value indicating a maximum number of authentications in a data set belonging to the received profile, and named metadata. Furthermore, countermeasures data associated with said value indicating the maximum number of authentications associated with the received profile may also be included in said data set named metadata belonging to the received profile.
[0051] When the profile includes a value indicating a maximum number of authentications, corresponding to branch O of step 202, a corresponding authentication counter is initialized during a counter initialization step 203 associated with the profile. In the preferred embodiment, the authentication counter is initialized to this maximum value and is then decremented until it reaches zero. Alternatively, the authentication counter is initialized to zero and is then incremented until it reaches the specified maximum value.
[0052] When the profile does not include a value indicating a maximum number of authentications, corresponding to branch N of step 202, or after the initialization of the authentication counter during step 203, the profile is installed within the secure element in the usual way during a profile installation step 204.
[0053] Fig. 3 illustrates the main steps of a communication process between a device connectable to a cellular communication network comprising authentication steps according to an embodiment of the invention.
[0054] During step 301, an authentication step occurs. Authentication is required at least when the device connects to a cellular communication network. It may also be required at other steps while the device is connected to the cellular communication network. The frequency and events triggering an authentication step are determined by the cellular communication network operator when defining its security policy.
[0055] During a verification step 302, the secure element checks whether the profile factory load mode is active. Typically, the operating system maintains a flag indicating whether the profile factory load mode is active or not. Alternatively, it is possible to execute a function specific to this active load mode that returns a specific error code when the profile factory load mode is inactive.
[0056] If the factory profile loading mode is inactive, corresponding to branch N of step 302, the process continues, typically by continuing the connection during a step 307 of connection to the cellular communication network.
[0057] If the factory profile loading mode is active, corresponding to branch O of step 302, during a verification step 303, it is checked whether the current active profile is associated with an authentication counter. If not, corresponding to branch N of step 303, the process continues, typically by continuing the connection during step 307.
[0058] If an authentication counter is associated with the current active profile, corresponding to branch O of step 303, during a counter decrement step 304, the authentication counter is decremented. The goal is to count the authentications related to the current active profile that occur while the profile factory load mode is active. When these two conditions are met, the authentication counter decrement step 304 is executed. It should be noted that if the authentication counter is an incremental counter rather than a decremental one, this step then increments the authentication counter.
[0059] During step 305 of the authentication counter's current value verification, the counter's current value is compared to a limit value. This limit value is zero in the case of a decremental counter, and the maximum value indicated in the profile in the case of an incremental counter.
[0060] As long as the value of the counter has not reached the limit value, corresponding to branch N of step 305, nothing special happens and the process continues, typically by continuing the connection during step 307.
[0061] When the value of the counter has reached the limit value, corresponding to branch O of step 305, a countermeasure is triggered during a countermeasure triggering step 306.
[0062] The countermeasure triggered during step 306 depends on the embodiments of the invention.
[0063] In one embodiment, the countermeasure consists of sending a warning notification to the operator. In practice, the warning notification is sent by the secure element's operating system to a server of the MNO operator 101, which is responsible for processing warning notifications. In one embodiment, the warning notification is sent to the SM-DP+ server 102. In another embodiment, the warning notification received by the SM-DP+ server 102 is forwarded to the MNO operator 101. When the devices 106 are IoT devices, a warning notification can also be sent to the elM server 105. Thus, the MNO operator 101, the SM-DP+ server 102, and the elM server 105 can be notified when this limit is reached.In a particular embodiment, the manufacturer 103 is notified of the reaching of this limit by sending the warning notification to the administration server 104.
[0064] In another embodiment, the associated profile is deactivated. Any new activation request for this profile is also rejected. Thus, it is no longer possible to use this profile to connect to the operator's cellular communication network.
[0065] In another embodiment, the factory profile loading mode is disabled. Thus, in this embodiment, it is no longer possible to load profiles onto the device using the factory loading mode.
[0066] Deactivation of the factory profile loading mode is typically permanent. Once the device leaves the factory, it can no longer activate this loading mode. However, in some embodiments, reactivation of the factory profile loading mode may be permitted. This might be the case, for example, when the device is returned to the manufacturer for repair. As part of this repair, it may be useful for the manufacturer to be able to reactivate the factory profile loading mode to test the device after repair or for diagnostic purposes.
[0067] In one embodiment, when the profile factory load mode is reactivated, if the active profile is associated with an authentication counter, the count of authentications performed resumes from the current value of the authentication counter associated with the profile. In this mode, the maximum number of authentications indicated in the profile is valid for all activations of the profile factory load mode. Alternatively, when the profile factory load mode is reactivated In this mode, the current counters associated with the profiles loaded into the secure element are reset. The maximum number of authentications specified in the profile is valid for activating the factory profile loading mode. Reactivating this mode will again allow this maximum number of authentications.
[0068] These different countermeasures can be freely combined. It is thus possible to send a warning notification to the operator, for example to a server, to the MNO operator 101, in charge of processing warning notifications, and / or to the server in charge of preparing and distributing profiles (for example, the SM-DP+ server 102) and / or to the server responsible for remote management of profile states (for example, the elM server 105) and / or to the manufacturer and to deactivate the associated profile for example.
[0069] It should be noted that the operator defines the security policy and therefore the frequency and events triggering authentication. The operator also defines the profiles and therefore the value indicating a maximum number of authentications. This value can thus be adapted to the authentication frequency required by the operator.
[0070] In some embodiments, two maximum values are associated with the profile. A maximum warning value and a maximum limit value are then included in and associated with the profile. Typically, the maximum limit value is greater than the maximum warning value. When the counter reaches the maximum warning value, a warning notification is sent to the operator, for example, to a server, to the MNO operator 101, which is responsible for processing warning notifications, and / or to the server responsible for preparing and distributing profiles (for example, the SM-DP+ server 102), and / or to the server responsible for remotely managing profile states (for example, the elM server 105), and / or to the manufacturer. When the maximum limit value is reached, the profile and / or the profile factory loading mode are deactivated.
[0071] Thus, an operator can control the use of a profile prepared for factory profile loading and prevent its use outside of its intended scope. It is also possible to be notified when the factory profile loading mode is not deactivated when it should be.
[0072] Figure 4 is a schematic block diagram of an information processing device 400 for implementing one or more embodiments of the invention. The information processing device 400 may be a peripheral device such as a microcomputer, a workstation, or a mobile telecommunications terminal. The device 400 includes a communication bus connected to:
[0073] - a central processing unit 401, such as a microprocessor, denoted CPU;
[0074] - a 402 random access memory, denoted RAM, for storing the executable code of the method for carrying out the invention as well as registers adapted to record variables and parameters necessary for the implementation of the method according to embodiments of the invention; the memory capacity of the device can be supplemented by an optional RAM memory connected to an expansion port, for example;
[0075] - a read-only memory 403, denoted ROM, for storing computer programs for the implementation of the embodiments of the invention;
[0076] - a 404 network interface, denoted NET, normally connected to a network of communication over which digital data to be processed is transmitted or received. The 404 network interface can be a single network interface, or composed of a set of different network interfaces (e.g., wired and wireless, or different types of wired or wireless interfaces). Data packets are sent over the network interface for transmission or are read from the network interface for reception under the control of the software application running in the 401 processor;
[0077] - a 405 user interface, denoted GUI, for receiving input from a user or to display information to a user;
[0078] - a storage device 406 as described in the invention and noted HD;
[0079] - an input / output module 407, denoted I / O, for receiving / sending data to / from external devices such as hard drives, removable storage media or others.
[0080] The executable code can be stored in read-only memory 403, on the storage device 406, or on a removable digital medium such as, for example, a disk. According to one embodiment, the executable code of the programs can be received via a communication network, through the network interface 404, in order to be stored in one of the storage means of the communication device 400, such as the storage device 406, before being executed.
[0081] The central processing unit 401 is adapted to command and direct the execution of instructions or portions of software code of the program or programs according to one of the embodiments of the invention, instructions which are stored in one of the aforementioned storage means. After power-up, the CPU 401 is capable of executing instructions from the main RAM 402, relating to a software application. Such software, when executed by the processor 401, causes the execution of the processes described.
[0082] In this embodiment, the device is a programmable device that uses software to implement the invention. However, alternatively, the present invention can be implemented in hardware (for example, in the form of a specific integrated circuit or ASIC, for Application-Specific Integrated Circuit in English).
[0083] Naturally, to satisfy specific needs, a person competent in the field of the invention may apply modifications to the preceding description.
[0084] Although the present invention has been described above with reference to specific embodiments, the present invention is not limited to specific embodiments, and modifications which fall within the scope of the present invention will be obvious to a person versed in the art.
Claims
Demands
1. A method for loading a profile into a secure element of a device connectable to a cellular communication network, comprising, by means of an operating system of the secure element: - a step of receiving a connection profile; - a step of installing the received connection profile; characterized in that the method further comprises: - a step of determining a value indicating a maximum number of authentications present in the connection profile; and - a step of initializing an authentication counter based on the determined value.
2. A method of communication between a device connectable to a cellular communication network and the cellular communication network, comprising by the connectable device: - a step of connecting to the cellular communication network on the basis of a connection profile loaded onto a secure element of the connectable device; characterized in that, the connection profile comprising a value indicating a maximum number of authentications, the method further comprising: - a step of counting each authentication performed by the connectable device with the cellular communication network while a profile loading mode in factory loading mode is active; and - a step of triggering a countermeasure when the number of authentications counted reaches the value indicating a maximum number of authentications.
3. Method according to claim 2, characterized in that the countermeasure comprises sending a notification to a cellular communication network operator.
4. Method according to claim 2 or 3, characterized in that the countermeasure comprises sending a notification to a manufacturer of the connectable device and / or to a server in charge of preparing and distributing a profile and / or to a server responsible for remote management operations of a profile state.
5. A method according to any one of claims 2 to 4, characterized in that the countermeasure comprises the deactivation of the connection profile.
6. A method according to any one of claims 2 to 5, characterized in that the countermeasure comprises disabling the profile factory loading mode.
7. A method according to any one of claims 2 to 6, characterized in that it further comprises: - a step of resetting the counter when reactivating the factory profile loading mode.
8. Product computer program comprising instructions for carrying out the method according to any one of claims 1 to 7, when this program is executed by a processor.
9. Non-transient computer-readable recording medium on which is recorded a program for implementing the method according to any one of claims 1 to 7 when this program is executed by a processor.
10. A device connectable to a cellular communication network comprising a secure element, the secure element comprising a processor configured to execute: - a step of receiving a connection profile; - a step of installing the received connection profile; characterized in that the processor is further configured to execute: - a step of determining a value indicating a maximum number of authentications present in the connection profile; and - a step of initializing an authentication counter based on the determined value.
11. A device connectable to a cellular communication network comprising a processor configured to perform: - a connection step to the cellular communication network based on a connection profile loaded onto a secure element of the connectable device; characterized in that, the connection profile comprising a value indicating a maximum number of authentications, the processor is further configured to perform: - a step of counting each authentication performed by the connectable device with the cellular communication network while a profile loading mode in factory load mode is active; and - a step to trigger a countermeasure when the number of authentications counted reaches the value indicating a maximum number of authentications.