Affiliate Disclosure: By buying the products we recommend, you help keep the lights on at MakeUseOf. Read more.
You probably know that your smartphone’s operating system needs to be regularly updated to protect against security vulnerabilities. But your SIM card can be a source of security vulnerabilities too. Here we’ll show you some ways hackers can use SIM cards to gain access to devices, and advice on how you can keep your SIM card safe.
In September 2019, security researchers at AdaptiveMobile Security announced they had discovered a new security vulnerability they named Simjacker. This complex attack targets SIM cards. It does this by sending a piece of spyware-like code to a target device using an SMS message.
If the target opens the message, hackers can use the code to surveil them by spying on their calls and messages and even tracking their location.
The vulnerability works by using a piece of software called S@T Browser, which is part of the SIM Application Toolkit (STK) that many phone operators use on their SIM cards. The SIMalliance Toolbox Browser is a way of accessing the internet—essentially, it’s a basic web browser—which lets service providers interact with web applications like email.
However, now that most people use a browser like Chrome or Firefox on their device, the S@T Browser is rarely used. The software is still installed on a large number of devices though, leaving them vulnerable to the Simjacker attack.
The researchers believe this attack has been used in multiple countries in the last two years, specifying that the S@T protocol is “used by mobile operators in at least 30 countries whose cumulative population adds up to over a billion people,” primarily in the Middle East, Asia, North Africa, and Eastern Europe.
They also believe the exploit was developed and used by a specific private company, which is working with various governments to monitor particular people. Currently, between 100 and 150 people are targeted by this attack per day.
As the attack works on SIM cards, all kinds of phones are vulnerable, including both iPhones and Android devices, and it even works on embedded SIM cards (eSIMs).
2. SIM Card Swapping
Another SIM card security issue you may have heard of is SIM card swapping. Hackers used a variation of this technique to take over Twitter CEO Jack Dorsey’s personal Twitter account in August 2019. This event raised awareness of how these attacks can be destructive. The relatively simple technique uses trickery and human engineering rather than technical vulnerabilities.
In order to perform a SIM card swap, a hacker will first call up your phone provider. They’ll pretend to be you and ask for a replacement SIM card. They’ll say they want to upgrade to a new device and therefore need a new SIM. If they are successful, the phone provider will send them the SIM.
Then they can steal your phone number and link it to their own device.
This has two effects. Firstly, your real SIM card will be deactivated by your provider and will stop working. Secondly, the hacker now has control over phone calls, messages, and two-factor authentication requests sent to your phone number. This means they could have enough information to access your bank accounts, email, and more.
And they may even be able to lock you out of other accounts.
SIM card swapping is hard to protect against. That’s because hackers can convince a customer support agent that they are you. Once they have your SIM, they have control over your phone number. And you may not even know you’re a target until it’s too late.
How to Keep Your SIM Card Safe
If you want to protect your SIM card against attacks like these, there are some steps you can take.
Protect Against Socially Engineered Attacks
To protect against SIM card swaps, you should make it hard for hackers to find information about you. Hackers will use data they find about you online, such as names of friends and family or your address. This information will make it easier to convince a customer support agent that they are you.
Try to lock down this information by setting your Facebook profile to friends-only and limiting the public information you share on other sites. Also, remember to delete old accounts you no longer use to prevent them being the target of a hack.
Another way to protect against SIM card swaps is to beware of phishing. Hackers may try to phish you to get more information they can use to copy your SIM. Be on the lookout for suspicious emails or login pages. Be careful where you enter your login details for any account you use.
Finally, consider what methods of two-factor authentication you use. Some two-factor authentication services will send an SMS message to your device with an authentication code. This means that if your SIM is compromised, hackers can access your accounts even if you have two-factor authentication on.
Instead, use another authentication method such as the Google Authentication app. This way the authentication is tied to your device, not your phone number, which makes it more secure against SIM card swaps.
Set a SIM Card Lock
To protect against SIM attacks you should also set up some protections on your SIM card. The most important security measure you can implement is to add a PIN code to your SIM card. This way, if anyone wants to make changes to your SIM card, they need the PIN code.
Before you set up a SIM card lock, you should ensure you know the PIN number given to you by your network provider. To set it up, on an Android device go to Settings > Lock screen and security > Other security settings > Set up SIM card lock. Then you can enable the slider for Lock SIM card.
On an iPhone, go to Settings > Cellular > SIM PIN. On an iPad, go to Settings > Mobile Data > SIM PIN. Then enter your existing PIN to confirm, and the SIM lock will be activated.
For more advice and instructions on setting up a SIM PIN, see our article on how to encrypt and set a SIM card lock on any mobile device.
Other Security Tips
As always, you should use strong individually-generated passwords. Don’t reuse old passwords or use the same password on multiple accounts.
Also, make sure your answers to password recovery questions aren’t publicly available, such as your mother’s maiden name.
Protect Your Device From SIM Attacks
Attacks on mobile devices are becoming increasingly sophisticated. Simjacker and SIM swap attacks both target SIM cards, but they do so in different ways. Simjacker is a technical attack which exploits vulnerabilities in software used by phone carrier companies. SIM swap attacks use social engineering to get a copy of your SIM card.
There are protections against these types of attack, such as keeping your personal information under wraps and setting up a SIM card lock.
That said, phones are becoming more secure than they used to be. To learn why, see our article on reasons smartphones are more secure than dumb phones.