Your SIM card is a security risk! Here’s how SIM cards can be hacked and what you can do to protect your phone and contacts.
You probably know that your smartphone’s operating system needs to be regularly updated to protect against security vulnerabilities. But your SIM card can be a source of security vulnerabilities too. Here we’ll show you some ways hackers can use SIM cards to gain access to devices, and advice on how you can keep your SIM card safe.
n September 2019, security researchers at AdaptiveMobile Security announced they had discovered a new security vulnerability they named Simjacker. This complex attack targets SIM cards. It does this by sending a piece of spyware-like code to a target device using an SMS message.
If the target opens the message, hackers can use the code to surveil them by spying on their calls and messages and even tracking their location.
The vulnerability works by using a piece of software called S@T Browser, which is part of the SIM Application Toolkit (STK) that many phone operators use on their SIM cards. The SIMalliance Toolbox Browser is a way of accessing the internet—essentially, it’s a basic web browser—which lets service providers interact with web applications like email.
However, now that most people use a browser like Chrome or Firefox on their device, the S@T Browser is rarely used. The software is still installed on a large number of devices though, leaving them vulnerable to the Simjacker attack.
The researchers believe this attack has been used in multiple countries in the last two years, specifying that the S@T protocol is “used by mobile operators in at least 30 countries whose cumulative population adds up to over a billion people,” primarily in the Middle East, Asia, North Africa, and Eastern Europe.
They also believe the exploit was developed and used by a specific private company, which is working with various governments to monitor particular people. Currently, between 100 and 150 people are targeted by this attack per day.
As the attack works on SIM cards, all kinds of phones are vulnerable, including both iPhones and Android devices, and it even works on embedded SIM cards (eSIMs).
2. SIM Card Swapping
Another SIM card security issue you may have heard of is SIM card swapping. Hackers used a variation of this technique to take over Twitter CEO Jack Dorsey’s personal Twitter account in August 2019. This event raised awareness of how these attacks can be destructive. The relatively simple technique uses trickery and human engineering rather than technical vulnerabilities.
In order to perform a SIM card swap, a hacker will first call up your phone provider. They’ll pretend to be you and ask for a replacement SIM card. They’ll say they want to upgrade to a new device and therefore need a new SIM. If they are successful, the phone provider will send them the SIM.
Then they can steal your phone number and link it to their own device. All without removing your SIM card!
This has two effects. Firstly, your real SIM card will be deactivated by your provider and will stop working. Secondly, the hacker now has control over phone calls, messages, and two-factor authentication requests sent to your phone number. This means they could have enough information to access your bank accounts, email, and more.
And they may even be able to lock you out of other accounts.
SIM card swapping is hard to protect against. That’s because hackers can convince a customer support agent that they are you. Once they have your SIM, they have control over your phone number. And you may not even know you’re a target until it’s too late.