3 Ways Your SIM Card Can Be Hacked (And How to Protect It)

 

With new online threats popping up every day, you need to stay in the know on new security loopholes. And since you're reading this, you probably already know that your smartphone's operating system needs regular updating to stay safe from threats.
However, surprisingly, a SIM card can also be a source of security vulnerabilities. Here, we'll show you some ways hackers can use SIM cards to gain access to devices—along with providing advice on how to keep your SIM card safe.
1. Simjacker
In September 2019, security researchers at AdaptiveMobile Security announced they had discovered a new security vulnerability they called Simjacker. This complex attack carries out SIM card hacking by sending a piece of spyware-like code to a target device using an SMS message.
If a user opens the message, hackers can use the code to spy on their calls and messages—and even track their location.
The vulnerability works by using a piece of software called S@T Browser, which is part of the SIM Application Toolkit (STK) that many phone operators use on their SIM cards. The SIMalliance Toolbox Browser is a way of accessing the internet—essentially, it's a basic web browser that lets service providers interact with web applications like email.
However, now that most people use a browser like Chrome or Firefox on their device, the S@T Browser is rarely used. The software is still installed on many devices, though, leaving them vulnerable to the Simjacker attack.
The researchers believe this attack has been used in multiple countries, specifying that the S@T protocol is "used by mobile operators in at least 30 countries whose cumulative population adds up to over a billion people," primarily in the Middle East, Asia, North Africa, and Eastern Europe.
They also believed the exploit was developed and used by a specific private company, which was working with various governments to monitor specific demographics—such as journalists and activists.
All kinds of phones are vulnerable, including both iPhones and Android devices. Simjacker even works on embedded SIM cards (eSIMs).
2. SIM Card Swapping
Another SIM card security issue you may have heard of is SIM card swapping. Hackers used a variation of this technique to take over Twitter CEO Jack Dorsey's personal Twitter account in August 2019. This event raised awareness of how these attacks can be destructive. The technique uses trickery and social engineering, rather than technical vulnerabilities.
To perform a SIM card hacking through a SIM card swap, a hacker will first call up your phone provider. They'll pretend to be you and ask for a replacement SIM card. They'll say they want to upgrade to a new device and, therefore, need a new SIM. If they are successful, the phone provider will send them the SIM.
Then, they can steal your phone number and link it to their own device. All without removing your SIM card!
This has two effects. First, your real SIM card will get deactivated and stop working. And secondly, the hacker now has control over phone calls, messages, and two-factor authentication requests sent to your phone number. This means they could have enough information to access your accounts, and could lock you out of those too.
SIM card swapping is hard to protect against as it involves social engineering. Hackers must convince a customer support agent that they are you. Once they have your SIM, they have control over your phone number. And you may not even know you're a target until it's too late.
3. SIM Cloning
Many times, people try to put SIM swapping and SIM cloning under that same umbrella. However, SIM cloning is more hands-on than the other option.
In a SIM clone attack, the hacker first gains physical access to your SIM card and then creates a copy of the original. Naturally, for copying your SIM card, the hacker will first take out your SIM from the smartphone.
They do this with the help of a smart card copying software, which copies the unique identifier number—assigned to you on your SIM card—onto their blank SIM card.
The hacker will then insert the newly copied SIM card into their smartphone. Once this process is complete, consider your unique SIM card identity to be as good as gone.
Now, the hacker can snoop in on all the communications that are sent to your phone—just as they can in SIM swapping. This means they also have access to your two-factor authentication codes, which will let them hack into your social media accounts, email addresses, card and bank accounts, and more.
Hackers can also use your stolen SIM card identity to carry out scams where a unique phone number might be needed.
How to Keep Your SIM Card Safe
If you want to protect your SIM card against attacks like these, thankfully there are some precautions that you can take.
1. Protect Against Socially Engineered Attacks
To protect against SIM card swaps, make it hard for hackers to find information about you. Hackers will use data they find about you online, such as names of friends and family or your address. This information will make it easier to convince a customer support agent that they are you.
Try to lock down this information by setting your Facebook profile to friends-only and limiting the public information you share on other sites. Also, remember to delete old accounts you no longer use, to prevent them being the target of a hack.
Another way to protect against SIM card swaps is to be on the lookout for phishing. Hackers may try to phish out information from you that they can later use to copy your SIM. Be alert for suspicious emails or login pages. Moreover, be careful where you enter your login details for any account you use.
Finally, consider what methods of two-factor authentication you use. Some two-factor authentication services will send an SMS message to your device with an authentication code. This means that if your SIM is compromised, hackers can access your accounts even if you have two-factor authentication on.
Instead, use another authentication method like the Google Authentication app. This way, the authentication is tied to your device and not your phone number—making it more secure against SIM card swaps.
2. Set a SIM Card Lock
To protect against SIM attacks, you should also set up some protections on your SIM card. The most important security measure you can implement is to add a PIN code. This way, if anyone wants to modify your SIM card, they need the PIN code.
Before you set up a SIM card lock, you should ensure you know the PIN given to you by your network provider. To set it up, on an Android device, go to Settings > Lock screen and security > Other security settings > Set up SIM card lock. Then, you can enable the slider for Lock SIM card.
On an iPhone, go to Settings > Cellular > SIM PIN. On an iPad, go to Settings > Mobile Data > SIM PIN. Then enter your existing PIN to confirm, and the SIM lock will be activated.
3. Other Security Tips
As always, you should use strong and individually generated passwords. Don't reuse old passwords or use the same password on multiple accounts.
Also, make sure your answers to password recovery questions aren't publicly available—such as your mother's maiden name.
Protect Your Device From SIM Attacks
Attacks on mobile devices are becoming increasingly sophisticated. There are protections against these types of attack, such as keeping your personal information under wraps and setting up a SIM card lock.
That said, phones are becoming more secure than they used to be, and you can always check if your phone has been hacked. Use the security features at your disposal to protect yourself from malicious activity better.Georgina Torbet(84 Articles Published)
Georgina is a science and technology writer who lives in Berlin and has a PhD in psychology.