2 Ways Your SIM Card Can Be Hacked (And How to Protect It)

Georgina Torbet 08-12-2019

You probably know that your smartphone’s operating system needs to be regularly updated to protect against security vulnerabilities. But your SIM card can be a source of security vulnerabilities too. Here we’ll show you some ways hackers can use SIM cards to gain access to devices, and advice on how you can keep your SIM card safe.


1. Simjacker


In September 2019, security researchers at AdaptiveMobile Security announced they had discovered a new security vulnerability they named Simjacker. This complex attack targets SIM cards. It does this by sending a piece of spyware-like code to a target device using an SMS message.

If the target opens the message, hackers can use the code to surveil them by spying on their calls and messages and even tracking their location.

The vulnerability works by using a piece of software called S@T Browser (short for SIMalliance Toolbox Browser), which is part of the SIM Application Toolkit (STK) that many phone operators use on their SIM cards. The S@T Browser is a way of accessing the internet—essentially, it’s a basic web browser—which lets service providers interact with web applications like email.

However, now that most people use a browser like Chrome or Firefox on their device, the S@T Browser is rarely used. The software is still installed on a large number of devices though, leaving them vulnerable to the Simjacker attack.


The researchers believe this attack has been used in multiple countries in the last two years, specifying that the S@T protocol is “used by mobile operators in at least 30 countries whose cumulative population adds up to over a billion people,” primarily in the Middle East, Asia, North Africa, and Eastern Europe.

They also believe the exploit was developed and used by a specific private company, which is working with various governments to monitor particular people. Currently, between 100 and 150 people are targeted by this attack per day.

As the attack works on SIM cards, all kinds of phones are vulnerable, including both iPhones and Android devices, and it even works on embedded SIM cards (eSIMs).

2. SIM Card Swapping



Another SIM card security issue you may have heard of is SIM card swapping. Hackers used a variation of this technique to take over Twitter CEO Jack Dorsey’s personal Twitter account in August 2019. This event raised awareness of how these attacks can be destructive. The relatively simple technique uses trickery and human engineering rather than technical vulnerabilities.

In order to perform a SIM card swap, a hacker will first call up your phone provider. They’ll pretend to be you and ask for a replacement SIM card. They’ll say they want to upgrade to a new device and therefore need a new SIM. If they are successful, the phone provider will send them the SIM.

Then they can steal your phone number and link it to their own device.

This has two effects. Firstly, your real SIM card will be deactivated by your provider and will stop working. Secondly, the hacker now has control over phone calls, messages, and two-factor authentication requests sent to your phone number. This means they could have enough information to access your bank accounts, email, and more.


And they may even be able to lock you out of other accounts.

SIM card swapping is hard to protect against. That’s because hackers can convince a customer support agent that they are you. Once they have your SIM, they have control over your phone number. And you may not even know you’re a target until it’s too late.

How to Keep Your SIM Card Safe

If you want to protect your SIM card against attacks like these, there are some steps you can take.

Protect Against Socially Engineered Attacks

To protect against SIM card swaps, you should make it hard for hackers to find information about you. Hackers will use data they find about you online, such as names of friends and family or your address. This information will make it easier to convince a customer support agent that they are you.


Try to lock down this information by setting your Facebook profile to friends-only and limiting the public information you share on other sites. Also, remember to delete old accounts you no longer use to prevent them being the target of a hack.

Another way to protect against SIM card swaps is to beware of phishing. Hackers may try to phish you to get more information they can use to copy your SIM. Be on the lookout for suspicious emails or login pages. Be careful where you enter your login details for any account you use.

Finally, consider what methods of two-factor authentication you use. Some two-factor authentication services will send an SMS message to your device with an authentication code. This means that if your SIM is compromised, hackers can access your accounts even if you have two-factor authentication on.

Instead, use another authentication method such as the Google Authenticator app. This way the authentication is tied to your device, not your phone number, which makes it more secure against SIM card swaps.

Set a SIM Card Lock

To protect against SIM attacks you should also set up some protections on your SIM card. The most important security measure you can implement is to add a PIN code to your SIM card. This way, if anyone wants to make changes to your SIM card, they need the PIN code.

Before you set up a SIM card lock, you should ensure you know the PIN number given to you by your network provider. To set it up, on an Android device go to Settings > Lock screen and security > Other security settings > Set up SIM card lock. Then you can enable the slider for Lock SIM card.

On an iPhone, go to Settings > Cellular > SIM PIN. On an iPad, go to Settings > Mobile Data > SIM PIN. Then enter your existing PIN to confirm, and the SIM lock will be activated.

For more advice and instructions on setting up a SIM PIN, see our article on how to encrypt and set a SIM card lock on any mobile device.

Other Security Tips

As always, you should use strong individually-generated passwords. Don’t reuse old passwords or use the same password on multiple accounts.

Also, make sure your answers to password recovery questions aren’t publicly available, such as your mother’s maiden name.

Protect Your Device From SIM Attacks

Attacks on mobile devices are becoming increasingly sophisticated. Simjacker and SIM swap attacks both target SIM cards, but they do so in different ways. Simjacker is a technical attack which exploits vulnerabilities in software used by phone carrier companies. SIM swap attacks use social engineering to get a copy of your SIM card.

There are protections against these types of attack, such as keeping your personal information under wraps and setting up a SIM card lock.

That said, phones are becoming more secure than they used to be. To learn why, see our article on reasons smartphones are more secure than dumb phones.


  1. er
    February 3, 2020 at 8:57 pm

    SIM card locking via PIN code does not work. I have a SIM PIN on my device I have to enter every time I turn on the phone to unlock the card, and I also have a 6-digit PIN with my phone provider to access my account. They circumvented both and gained access to my crypto account. My phone never leaves my possession or is borrowed. They did this remotely. NOT having authentication sent to your primary phone is a must, and have a unique email you don't access for anything except account verification. Set the email to send notifications but don't access it on any device except a single trusted computer. I think these are very basic steps, although there may be better ones. If your phone suddenly loses connection to your phone provider but is getting a good signal, call your phone company immediately; you probably won't have much time once this happens. I'm guessing all the account passwords and info is already gathered and ready to go once the swap is done.

  2. Chad
    January 25, 2020 at 3:50 am

    My phone has been compromised by an international eSIM. They have mirrored my phone to another device and have put stuff on my phone. Can y’all help?

  3. Sebastian
    October 3, 2019 at 7:55 am

    Hi Dan! A great guide to read & completely agree with the concept you have stated so the tips...