Come October 1, the government plans to test all imported mobile phones, SIM cards, 3G & 4G base stations, customer database servers, among other core network devices for bugs and malicious software before they are used in Indian telephone networks.
The telecom department, in consultation with software firm Wipro, has identified 25 telecom products that will be screened at an authorised test lab in India. Twelve of these items have been classified “high risk items”, which need to be “security checked” from October 1, according to an internal telecom department note seen by ET.
If implemented, all mobile phone companies operating on the GSM or CDMA platforms could be barred from using any imported telecom gear, post-October 1, that is not deemed “safe” by the proposed test lab.
However, with less than 60 days left, the Department of Telecommunications’ (DoT) move has stirred a hornet’s nest since mobile phone companies foresee serious problems in deploying imported telecom gear post-October, which, in turn, threatens to derail their network expansion targets, especially in rural markets where most new customer acquisitions are happening.
Their apprehension stems from two counts – absence of global standards for conducting security tests on handsets, SIMs and telecom network devices, and zero clarity on who will set up the proposed test lab in India.
DoT documents suggest Wipro is keen to invest in a telecom products certification lab, but there is no clarity on whether such a facility will be operational by October. Wipro did not reply to ET’s query on whether it is actually investing in such a facility.
“This is a clear case of draconian policy-making in the name of saving critical infrastructure since there are no established global telecom standards for security testing of core network elements, mobile handsets and SIMs,” said a senior executive at one of India’s biggest GSM telecom operators.
A group of international telecom associations has “just started the process of creating security standards, what it calls, a security assurance mechanism, for telecom devices. So it is senseless to have a test lab before those standards are framed,” the executive added.
A senior executive of a leading European carrier in India claimed that subjecting imported handsets to security checks would hurt growth since smartphone makers would be unable to launch latest devices in India on time. “If every imported smartphone is subject to a security test, India may end up being a generation or two behind since obsolescence is high and foreign handset makers would need fresh security clearances every time they add a feature or load a new app,” said this executive.
An official representing a leading CDMA operator added the proposed inclusion of SIM cards is useless, especially since over 80% of the SIM cards are customised in India. “Though bulk of the SIM card components are imported, the assembling and loading of software applications largely happens in India, so where is the question of a security risk,” said this official.
The home ministry, however, has repeatedly warned that SIM cards pose a security risk, claiming that “the embedded software can be manipulated”.