With new online threats popping up every day, you need to stay in the know on new security loopholes.

You probably already know that your smartphone's operating system needs regular updating to stay safe from threats, but, surprisingly, a SIM card can also be a source of security vulnerabilities. Here's how hackers use SIM cards to gain access to devices, and how to keep your SIM card safe.

1. Simjacker Attacks

In September 2019, security researchers at AdaptiveMobile Security announced they had discovered a new security vulnerability they called Simjacker. This complex attack hacks the SIM card (a technique known as SIM jacking) by sending a piece of spyware-like code to a target device in an SMS message.

This malicious code can then tell the SIM to take over the targeted phone. If a user opens the message, hackers can use the code to spy on their calls and messages—and even track their location. What's particularly concerning about this kind of attack is that it can hide itself very well from the victim, giving the malicious actor more time to exploit the phone.

The vulnerability works by using a piece of software called S@T Browser, which is part of the SIM Application Toolkit (STK) that many phone operators use on their SIM cards. The S@T Browser, short for SIMalliance Toolbox Browser, is a way of accessing the internet—essentially, it's a basic web browser that lets service providers interact with web applications like email.

However, now that most people use a browser like Google Chrome or Mozilla Firefox on their device, the S@T Browser is rarely used. But the software is still installed on many devices, leaving them vulnerable to the Simjacker attack.

The researchers believe this attack has been used in multiple countries, specifying that the S@T protocol is "used by mobile operators in at least 30 countries whose cumulative population adds up to over a billion people," primarily in the Middle East, Asia, North Africa, and Eastern Europe.

They also believed the exploit was developed and used by a specific private company, which was working with various governments to monitor specific demographics, such as journalists and activists.

All kinds of phones are vulnerable, including both iPhones and Android devices. Simjacker even works on embedded SIM cards (eSIMs).

2. SIM Card Swapping

Another SIM card security issue you may have heard of is SIM card swapping. Hackers used a variation of this technique to take over Twitter CEO Jack Dorsey's personal Twitter account in August 2019. This event raised awareness of how these attacks can be destructive. The technique uses trickery and social engineering, rather than technical vulnerabilities.

To hack a SIM card through a SIM card swap, a hacker will first call up your phone provider. They'll pretend to be you and ask for a replacement SIM card. They'll say they want to upgrade to a new device and, therefore, need a new SIM. If they are successful, the phone provider will send them the SIM.

Then, they can steal your phone number and link it to their own device. All without removing your SIM card!

This has two effects. First, your real SIM card will get deactivated and stop working. Second, the hacker now has control over phone calls, messages, and two-factor authentication requests sent to your phone number. This means they could have enough information to access your accounts, and could lock you out of those too.

SIM card swapping is hard to protect against as it involves social engineering. Hackers must convince a customer support agent that they are you. Once they have your SIM, they have control over your phone number. And you may not even know you're a target until it's too late.

3. SIM Cloning

People often put SIM swapping and SIM cloning under the same umbrella. However, SIM cloning is more hands-on than SIM swapping.

In a SIM clone attack, the hacker first gains physical access to your SIM card and then creates a copy of the original. Naturally, for copying your SIM card, the hacker will first take out your SIM from the smartphone, meaning this attack cannot be carried out entirely remotely.

Hackers clone SIMs with the help of smart card copying software, which copies the unique identifier number—assigned to you on your SIM card—onto their blank SIM card.

The hacker will then insert the newly copied SIM card into their smartphone. Once this process is complete, consider your unique SIM card identity to be as good as gone.

Now, the hacker can snoop in on all the communications that are sent to your phone—just as they can in SIM swapping. This means they also have access to your two-factor authentication codes, which will let them hack into your social media accounts, email addresses, card and bank accounts, and more.

Hackers can also use your stolen SIM card identity to carry out scams where a unique phone number might be needed. In short, SIM swapping can lead to many more attacks being carried out against you, making it highly dangerous.


How to Keep Your SIM Card Safe

If you want to protect your SIM card against attacks like these, thankfully there are some precautions that you can take.

1. Protect Against Socially Engineered Attacks


To protect against SIM card swaps, make it hard for hackers to find information about you. Hackers will use data they find about you online, such as names of friends and family or your address. This information will make it easier to convince a customer support agent that they are you.

Try to lock down this information by setting your Facebook profile to friends-only and limiting the public information you share on other sites. Also, remember to delete old accounts you no longer use, to prevent them being the target of a hack.

Another way to protect against SIM card swaps is to be on the lookout for phishing. Hackers may try to "phish" out information from you that they can later use to copy your SIM. Be alert for suspicious emails or login pages. Moreover, be careful where you enter your login details for any account you use. Learn how to spot phishing attacks to stay on the safe side.

Finally, consider what methods of two-factor authentication you use. Some two-factor authentication services will send an SMS message to your device with an authentication code. This means that if your SIM is compromised, hackers can access your accounts even if you have two-factor authentication on.

Instead, use another authentication method like the Google Authenticator app. This way, the authentication is tied to your device and not your phone number, making it more secure against SIM card swaps.
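To see why an authenticator app is not affected by a SIM swap, here is an added example (not part of the original article) of the time-based one-time password scheme from RFC 6238 that apps such as Google Authenticator use: the code is computed from a secret stored on the device plus the current time, so nothing is ever sent to the phone number. The secret below is the RFC's published test key, and the function names are our own.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample secret: the ASCII test key from RFC 6238, Appendix B.
# A real secret is random and is shared once at enrollment (usually by QR code).
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, then truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """The code the app displays: HOTP of the current 30-second time step."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits)


def verify(secret: bytes, submitted: str, at=None, step: int = 30,
           digits: int = 6, window: int = 1) -> bool:
    """Server side: recompute the code locally, allowing small clock drift."""
    now = time.time() if at is None else at
    current = int(now // step)
    for drift in range(-window, window + 1):
        counter = current + drift
        if counter < 0:
            continue
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    # The phone number never appears: only the secret and the clock matter.
    print("Current code:", totp(SAMPLE_SECRET))
```

Someone who takes over your phone number gets neither the secret nor the codes, while anyone who obtains the secret itself can generate valid codes, which is why it has to stay on the device.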

2. Set a SIM Card Lock


To protect against SIM attacks, you should also set up some protections on your SIM card. The most important security measure you can implement is to add a PIN code. This way, if anyone wants to modify your SIM card, they need the PIN code.

Before you set up a SIM card lock, you should ensure you know the PIN given to you by your network provider. To set it up, on an Android device, go to Settings > Biometrics and security > Other security settings > Set up SIM card lock. Then, you can enable the slider for Lock SIM card.

On an iPhone or iPad, go to Settings > Mobile Data > SIM PIN. Then enter your existing PIN to confirm, and the SIM lock will be activated.

3. Use Strong Passwords and Security Questions

As always, you should use strong and individually generated passwords. Don't reuse old passwords or use the same password on multiple accounts. Password generators can be useful here, as they randomly generate strong passwords that you can use for your online accounts.

Also, make sure the answers to your password recovery questions, such as your mother's maiden name, aren't publicly available. It's best to use a word more personal or private to you, such as your favorite book or first pet.

Protect Your Device From SIM Attacks

Attacks on mobile devices are becoming increasingly sophisticated. There are protections against these types of attack, such as keeping your personal information under wraps and setting up a SIM card lock. That said, phones are becoming more secure than they used to be, and you can always check if your phone has been hacked. Use the security features at your disposal to better protect yourself from malicious activity.