The SIM card in your device is a serious vulnerability
There are important things that you probably don’t know or realize about the SIM card in your device. Especially if you care about security and privacy, you should know that using a secure device with a secure and privacy-oriented operating system and applications still leaves you vulnerable when there’s a SIM card installed in the device. Most of the time the device in question is the (smart)phone you’re using, but it could be any other device such as a laptop, tablet or IoT device.
A SIM card (Subscriber Identity Module) is actually a small computer that can be activated and work independently of the other software on your device, such as the operating system that’s installed. It’s an integrated circuit (IC) with a CPU and a small amount of memory. The CPU capacity and memory size depend on the SIM card. SIMs are intended to securely store an International Mobile Subscriber Identity (IMSI) number and its related key, which are used to identify and authenticate subscribers on mobile devices (such as mobile phones, tablets, and laptops). Being a small computer with a CPU and memory, they are also able to run apps and to store arbitrary information like address book contact information.
This means that when your device is on and the baseband modem (or cellular radio) is activated, the service provider you obtained the SIM card from can run certain commands and software inside the small computer in the SIM card without you even realizing it. This is because a connection is made between the SIM card and the cellular communications infrastructure of your service provider, and that enables them to send updates and commands over the air that get executed inside the SIM card. There are actually applications installed on the computer inside the SIM card that can communicate with the host device and with a server on the network using the SIM Application Toolkit (STK) 1. In this way, they can gather information about you such as your subscriber (phone) number 2, obviously, but also your location and information about the device that you’re using, such as the IMEI number (which uniquely identifies your phone’s hardware).
Communications between the SIM card and your service provider happen through silent binary SMS messages or Over The Air (OTA) messages that are encrypted. When the encryption algorithm gets broken, the encryption keys get leaked, or the service provider gets compromised in some way (for example, by being controlled by the government), this can lead to various kinds of attacks.
A security researcher from SRLabs described vulnerabilities in some SIM cards that supported an old encryption algorithm called DES, which can easily be cracked. Here’s from “Rooting SIM cards” (July 2013):
Deploying SIM malware. The cracked DES key enables an attacker to send properly signed binary SMS, which download Java applets onto the SIM. Applets are allowed to send SMS, change voicemail numbers, and query the phone location, among many other predefined functions. These capabilities alone provide plenty of potential for abuse.
In principle, the Java virtual machine should assure that each Java applet only accesses the predefined interfaces. The Java sandbox implementations of at least two major SIM card vendors, however, are not secure: A Java applet can break out of its realm and access the rest of the card. This allows for remote cloning of possibly millions of SIM cards including their mobile identity (IMSI, Ki) as well as payment credentials stored on the card.
In February 2015, The Intercept reported that the criminal spyware agencies NSA and GCHQ had stolen the encryption keys used by SIM card manufacturer Gemalto, enabling them to monitor voice and data communications without the knowledge or approval of cellular network providers. 3 As they put it, “the manufacturers and wireless carriers don’t make a great effort to secure their supply chain. As a result, the SIM card is an extremely vulnerable component of a mobile phone.”
But there are also other vulnerabilities involving the applications that can run on the SIM card. In September 2019 a security researcher from AdaptiveMobile Security described how vulnerabilities in some SIM cards that contained the S@T Browser library were being actively exploited. This vulnerability was named Simjacker. Attackers were using the vulnerability to track the location of thousands of mobile phone users in several countries. Here’s from their “Simjacker Technical Paper”:
Simjacker is the name we applied to a vulnerability in a technology used on SIM Cards, which we observed has been exploited by a sophisticated threat actor to primarily track the location and get handset information for thousands of Mexican mobile users without their knowledge.
This particular vulnerable SIM Card technology is called the S@T Browser. The key issue with the S@T Browser technology is that its default security does not require any authentication, and as a result the attacker is able to execute functionality on the SIM card, unbeknownst to the mobile phone user.
…
In brief, the Simjacker attack involves a specially formatted binary SMS being sent to a Mobile Handset with a vulnerable SIM Card. This binary SMS contains a number of instructions, which use an unsecured execution environment resident on the SIM Card to execute logic and perform commands both within the SIM Card and from there to the Handset itself.
The main attack observed involves two stages:
- Attack Stage: An SMS ‘Attack Message’ is sent from an attacker to a victim phone number. The Attack Message executable primarily instructs the SIM Card to request Location Information – the current serving Cell-ID of the handset and the IMEI from the Handset, and send the Location and IMEI from the Handset in a 2nd SMS. These instructions are in the form of a series of SIM Toolkit (STK) instructions, which the SIM Card will run to obtain the relevant information.
- Exfiltration Stage: An SMS ‘Data Message’ is sent from the Victim Handset to a Recipient Phone Number – i.e. the Exfiltration Address.
This activity is not noticeable by the Victim – there is no indication on the handset.
In the YouTube video below, you can see the Simjacker exploit being used to open the browser on a phone at a specific URL. You can imagine that an attacker could use this to automatically open a website containing a (zero-click) browser exploit that could be used to gain access to your phone.
In 2020 a new attack similar to Simjacker called WIBattack was disclosed. Here’s from ReadWrite, “WIB Vulnerability: Sim-Card that Allows Hackers to Takeover Phones” (January 2nd 2020):
AdaptiveMobile, a mobile security firm, released a report that disclosed details about a company involved in sending rogue commands to the S@T Browser application running on sim-cards. The company had ties with the government and was executing those commands to track individuals.
Recently a report was published by GinnosLab, that disclosed information about the WIB app being vulnerable to similar attacks. Attackers start by sending a specially formatted binary SMS also known as an OTA SMS to target WIB and S@T applets. The SMS executes sim-toolkit instructions on the device, which grants hackers the ultimate access.
The sim-cards that do not have special security features pre-enabled by the telecommunication companies are vulnerable to those malicious instructions. The applets installed on the sim-card support the execution of the following commands:
- Get location data
- Start call
- Send SMS
- Transmit SS requests
- Send USSD requests
- Launch an internet browser with a specific URL
- Display text on the device
- Play a tone
According to GinnosLabs, since the attack is fairly similar to Simjacker, it can be abused to track victims. One of the possibilities of this attack method is that a skilled hacker can start a call and listen to nearby conversations which can get quite scary if you think about it.
If the hacker establishes persistence and exploits the vulnerability, then things go downhill faster. The hacker can execute social engineering attacks using the victim’s vulnerable sim-card. For instance, phishing links can be forwarded to the victim’s contact list, causing small-scale personal data breaches; if the victim is an important personality, the effects can be major.
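Both the Simjacker paper and the WIB write-up above hinge on a “specially formatted binary SMS” that the handset passes silently to the SIM. As an added example (not code from the original post, nor from AdaptiveMobile or GinnosLab), here is a Python inspector for SMS-DELIVER PDUs that flags the header combination 3GPP TS 23.040 / TS 31.111 define for SMS-PP data download; the two sample PDUs are constructed, and a handset- or operator-side SMS log is the kind of place a defender would run this over.

```python
# Added example (not from the original post): an SMS-DELIVER PDU inspector that
# flags messages the handset hands straight to the SIM instead of showing them.
# Per 3GPP TS 23.040 / TS 31.111, TP-PID 0x7F "(U)SIM data download" together with
# TP-DCS message class 2 triggers SMS-PP download. Sample PDUs are constructed.

def dcs_message_class(dcs: int):
    """Return the message class (0-3) encoded in TP-DCS, or None if absent."""
    if dcs >> 6 == 0:                     # general data coding group (bits 7..6 = 00)
        return dcs & 0x03 if dcs & 0x10 else None   # bit 4: class bits meaningful
    if dcs >> 4 == 0xF:                   # data coding / message class group
        return dcs & 0x03
    return None

def _decode_address(raw: bytes, n_digits: int, toa: int) -> str:
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in raw)[:n_digits]  # semi-octets
    return ("+" if toa & 0x70 == 0x10 else "") + digits   # type-of-number 001 = intl.

def parse_sms_deliver(pdu_hex: str) -> dict:
    """Parse an SMS-DELIVER PDU (with its leading SMSC field) into header fields."""
    b = bytes.fromhex(pdu_hex)
    i = 1 + b[0]                          # skip the length-prefixed SMSC address
    first = b[i]; i += 1
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER PDU")
    n_digits, toa = b[i], b[i + 1]; i += 2
    oa_len = (n_digits + 1) // 2
    sender = _decode_address(b[i:i + oa_len], n_digits, toa); i += oa_len
    pid, dcs = b[i], b[i + 1]; i += 2
    i += 7                                # TP-SCTS timestamp, not needed here
    udl = b[i]; i += 1
    return {"sender": sender, "udhi": bool(first & 0x40), "pid": pid, "dcs": dcs,
            "class": dcs_message_class(dcs), "udl": udl, "user_data": b[i:]}

def sim_download_indicators(msg: dict) -> list:
    """Reasons a message would be routed to the SIM rather than to the user."""
    reasons = []
    if msg["pid"] == 0x7F:
        reasons.append("TP-PID 0x7F: (U)SIM data download")
    if msg["class"] == 2:
        reasons.append("TP-DCS class 2: (U)SIM specific message")
    return reasons

# Constructed PDUs: SMSC and sender both +1234567890; payload bytes are opaque.
SIM_BOUND_PDU = ("07912143658709F1" "04" "0A912143658709" "7F" "F6"
                 "42011021300000" "0A" "0102030405060708090A")
TEXT_PDU = ("07912143658709F1" "04" "0A912143658709" "00" "00"
            "42011021300000" "05" "E8329BFD06")               # "hello", GSM 7-bit
```

Running `sim_download_indicators(parse_sms_deliver(SIM_BOUND_PDU))` yields both indicators while the text PDU yields none; note this flags the delivery channel only, which legitimate carrier OTA updates also use, so it gives visibility rather than a verdict on the payload.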
The potential for problems is only getting worse, because the world is transitioning to eSIMs (software-based SIMs), which are installed directly into a dedicated area (the eUICC) on your device. With an old physical SIM card, you could remove it from your device and be reasonably certain that your device was no longer affected by it. With an eSIM, it’s much harder to be sure, since the eSIM software is installed directly inside your device: it becomes much more difficult to verify that anything installed by the eSIM, and the eSIM itself, has been completely removed. The best option would be to just get another device if you want to be safe.
So what can we take away from the above?
First of all, never store any data on your SIM card. For example, some phones allow you to store address book contact information on the SIM card. While this can be convenient, that data can be read out when the SIM card gets compromised, as we’ve seen.
You should never install a SIM card in any device that you want to use in a secure and private manner. Not a physical SIM card, and sure as hell not an eSIM. If you need access to the Internet on that device, just use a Wi-Fi connection. For example, you could have a separate small and cheap phone, or better yet a dedicated mobile hotspot device, where you install the SIM card, enable the mobile hotspot and then connect to that hotspot with your main phone. You can still install all the apps you need on your SIM-less main phone, typing over any 2-factor SMS codes from the other phone.
Always use your device in “airplane mode” when possible — even when it has no SIM card installed. Airplane mode disables the baseband modem on your phone (and thus communications between the SIM card and the service provider) and allows you to selectively enable Wi-Fi and Bluetooth when needed (which should also both be off when you’re not using them). This is assuming the operating system on your phone actually does what you want, which is not always the case.
That’s why it’s very important to use devices with physical hardware kill switches for components such as the baseband modem, Wi-Fi/Bluetooth, camera, and microphone. Phones like the Librem 5, for example, provide dedicated hardware switches that physically cut power to these components. This means that even if the phone’s software contains vulnerabilities or is compromised, the hardware switches guarantee that the disabled components cannot work. In practice, this prevents scenarios such as an attacker exploiting the SIM card to initiate a call to listen in on you — if the microphone is physically switched off, nothing can be recorded or heard.
Finally, do not use traditional carrier-based calls and SMS, as these can be intercepted by the service provider or anyone with access to their infrastructure. Instead, use end-to-end encrypted applications like Signal for voice calls and messaging.