Is Your SIM Card the Next Hacking Target?

You’ve probably heard about phones, computers, or other digital devices getting hacked. But did you know that the very SIM card you use can also be hacked? It might sound strange, but it’s true. If hackers get control of your SIM card, they can misuse it in many ways. Today, we’re going to talk about how hackers access your devices through your SIM card and how you can keep your SIM safe.

The Silent Threat: SIMjacker Attacks

In September 2019, security researchers at ‘AdaptiveMobile Security’ discovered a new weakness called ‘SIMjacker.’ They found that this complex attack hacks your SIM card (known as a SIMjacking attack). It starts by sending a special, spy-like code to your phone via SMS.

This harmful code can instruct your SIM card to take control of your phone. If you open the SMS, hackers can use this code to spy on your calls and messages, and even track your location. The scary part is that hackers can hide very well during this type of attack, giving them more time to misuse your phone. That’s why it was considered a serious security concern.

This vulnerability uses a software called ‘S@T Browser,’ which is part of the ‘SIM Application Toolkit’ used by many mobile operators on their SIM cards. The ‘SIMalliance Toolbox Browser’ is a basic web browser that lets service providers interact with web applications like email.

However, most people today use browsers like Google Chrome, Brave, or Mozilla Firefox on their devices, so the ‘S@T Browser’ is rarely used. Despite this, the software is still pre-installed on many devices, making them vulnerable to SIMjacker attacks.

Researchers found that this attack has already been used in many countries. They stated that the S@T protocol is used by “mobile operators in at least 30 countries, affecting over a billion people,” and is more common in the Middle East, Asia, North Africa, and Eastern Europe. It’s believed that a specific private company developed and used this vulnerability, reportedly working with governments to spy on certain groups, like journalists.

All types of phones, including iPhones and Android devices, are at risk. SIMjacker also works on embedded SIM cards, or e-SIMs.

The Deceptive Play: SIM Card Swapping

Another method hackers use to hijack your SIM card is ‘SIM swapping.’ In August 2019, a group of hackers used this technique to take over the personal Twitter account of Jack Dorsey, the founder and then-CEO of Twitter. This incident really brought attention to how devastating such attacks can be. This method relies on trickery and ‘social engineering’ rather than technical flaws.

To hack your SIM via a SIM swap, hackers first call your mobile service provider. They pretend to be you and claim they need to replace their SIM card. They might convince the provider that they’re upgrading to a new device and need a new SIM for it. If they succeed, the phone provider sends them a new SIM.

Then, they can steal your phone number and link it to their own device. All of this happens without you taking out your actual SIM card. This has two big effects:

1. Your real SIM card becomes inactive and stops working.
2. The hacker now gets all your calls, messages, and two-factor authentication (2FA) codes that come to your phone number. This means they might have enough information to log into your accounts and lock you out.

SIM card swapping is tough to prevent because it uses social engineering. Hackers need to convince a customer service representative that they are you. Once they get your SIM, your phone number is under their control, and you might not even know you’ve been targeted until it’s too late.

The Technical Trick: SIM Cloning

Some people think SIM swapping and SIM cloning are the same, but SIM cloning is more technical. While the direct technical meaning of SIM cloning might not always match what’s widely practiced in Nepal, in a simpler sense, it means making a duplicate of your SIM.

Here’s how ‘SIM cloning’ might happen in Nepal:

1. Physical Access and Misuse: The attacker first gets physical access to your phone, maybe they found it or stole it. They then try to break the phone’s lock. If they can’t, they simply remove your SIM and use it in another phone. They then use your SIM to gain access to your online accounts, banking, and digital wallet accounts. This isn’t true cloning, but it’s a way to gain access using your SIM.
2. Using Your Identity Documents: If an attacker gets hold of your actual citizenship card or a photocopy of it, they might be able to get a clone of your SIM. Although telecom companies have tightened rules on SIM distribution, such incidents have decreased recently. However, scammers can still trick service provider representatives using various methods. After collecting your citizenship and photo, the scammer goes to the service provider’s office, pretends to be you, and claims your SIM is lost to get a new one for your number. As soon as the new SIM is issued, your original SIM becomes inactive. They often do this during public holidays. By the time the victim realizes what’s happened, their bank accounts might be empty, and online accounts hacked.
3. Digital SIM Cloning: There’s also a digital way to clone a SIM. For this, the hacker first needs to physically remove the SIM from your smartphone. This type of attack cannot be done completely remotely. Hackers clone SIMs using software that copies the unique identifier number from your SIM card onto their blank SIM card. Afterward, the hacker inserts the newly copied SIM card into their smartphone. Once this process is complete, your unique SIM card identity is considered stolen. Now, the hacker can spy on all communications sent to your phone. This means they also have access to your two-factor authentication codes, helping them hack your social media accounts, email addresses, credit/debit card details, bank accounts, and many other accounts. Hackers can also use your stolen SIM card identity to commit scams where a unique phone number is required. In short, SIM hijacking can lead to many attacks against you, making it extremely dangerous.

How to Keep Your SIM Card Safe

If you want to protect your SIM card from these kinds of attacks, here are some solutions you can use:

1. Beware of Social Engineering Attacks

To avoid SIM card swaps, make it hard for hackers to get information about you. Try not to put personal or family details online that can be easily found. If scammers get this information, they can convince customer service representatives that they are you. Secure your information by setting your Facebook profile to ‘Friends-Only’ and limiting public information shared on other sites. Don’t add unnecessary or unknown people on social media.

Also, delete old accounts you no longer use. Information in old accounts can be a prime way for hackers to find your details. Another way to prevent SIM card swaps is to be alert to phishing. Hackers might try to get information through ‘phishing’ that they can later use to copy your SIM. Be wary of suspicious emails or login pages. Also, be careful where you enter login details for any account you use. Learn how to spot phishing attacks to stay safe.

Think about the type of two-factor authentication (2FA) you use. Some 2FA services send authentication codes via SMS messages to your device. This means if your SIM falls into the wrong hands, they can take over accounts with 2FA enabled. Instead, use other authentication methods like Google Authenticator. This way, authentication goes to your device, not your phone number, which can help protect some of your accounts even if a SIM card swap happens.

2. Set Up a SIM Card Lock

To protect against SIM attacks, you should also set up some security measures on your SIM card. The most important security measure you can apply is adding a PIN code. This way, if someone wants to tamper with your SIM card, they will need the PIN. Before setting up a SIM card lock, make sure you know the PIN given by your network provider.

• On Android devices: Go to Settings > Biometrics and security > Other security settings > Set up SIM card lock. Then, enable the slider for ‘Lock SIM card’.
• On iPhone or iPad: Go to Settings > Mobile Data > SIM PIN. Then, enter your current PIN to confirm, and the SIM lock will be active.

3. Use Strong Passwords and Security Questions

As always, you should use strong and unique passwords for every account. Do not reuse old passwords or use the same password across many accounts. You can use passwords generated by a ‘password generator’ for online account security, as they create strong, random passwords.

Also, make sure the answers to your password recovery questions are not publicly available. For example, don’t choose questions like your mother’s maiden name or your father’s name as recovery questions. It’s better to use more personal or private words, like your favorite book or your first pet.

4. Protect Your Device from SIM Attacks

Mobile device attacks are becoming more sophisticated every day. You can fight against such attacks by “keeping your personal information private” and “setting up a SIM card lock.” While the phones we use are becoming more secure than before, and you can always check if your phone has been hacked, if you can protect yourself well from malicious activities, the risk of your SIM or device getting hacked is significantly reduced.