Updated 8 December 2017.
Copyright: European Union Public License, version 1.2 (EUPL-1.2).
How to protect your phone against attacks from state-sponsored criminals: in this article, what you need to know to protect yourself from SIM backdoors.
Disclaimer: we are not affiliated with any of these companies. This article is 100% our own findings, and there is no affiliate marketing in place through the links provided below for your convenience.
How we write our reviews: To ensure an unbiased and thorough review all apps are tested:
• In real time, i.e. we use it on real projects.
• By different team members located in different countries.
• With different devices and operating systems.
• For a minimum of two weeks, four on average.
• Article is peer reviewed by other team members then sent to the app’s publisher for final review.
1. This is an informational guide for:
- Security concerns with SIM cards within your mobile device.
- What SIM attacks are and how they happen.
- How your SIM card can be a gateway to spy on you or steal your information.
- What you can do to prevent state-sponsored criminals from obtaining your data.
2. Reviewing SIM security concerns and attacks
SIM cards have been proven to be vulnerable to attacks from both your phone carrier and outside sources. If access to your SIM falls into the wrong hands, much of your information could be put at risk.
- Your billing information could be obtained or tampered with.
- Malware or malicious apps could be uploaded onto your mobile device from an outside source.
- State-sponsored criminals have access to your SIM and use it to track you, your data, or even place unwanted advertisements and apps on your device.
- Likewise, information and apps can be removed from your device without your knowledge or consent.
- SIMs typically have a predictable default PIN, making them susceptible to hackers.
Your phone’s lock does not keep criminals from being able to access your SIM and tamper with your mobile device.
- The frequency of robocalls and spam calls has increased dramatically in the past year with little sign of slowing down. This means your device is more vulnerable than ever with a flood of computerized calls that could be attempting to access your data and personal information.
3. How your SIM can also be compromised
- Your SIM can also be compromised through text messages and missed calls. Even on a dumb phone (not Android or iOS), this is done through Flash SMS or silent SMS (note 1).
- If you miss a phone call from an unknown number with a different country code, do not call the number back.
- Criminals in other countries can clone your phone’s SIM if you call them from your phone.
- A cloned SIM could utilize your data plan, increasing your plan cost and illegally using it for other purposes.
- The text message SIM concern has been revisited since the loophole was exposed in 2013, but regardless you should not answer a text message from a user claiming to be your service provider.
- Changing wireless providers can also compromise your information. Many years ago, mobile devices were only capable of being used with a specific provider. Now, SIM cards are configured with the original provider but APN (note 3) can be changed through the new carrier by using OTA (note 2).
- Even when your SIM is switched to the new carrier, your SIM’s information is retained by the original carrier, meaning the company still has access to your SIM even if you do not have a contract or service plan with them.
- A previous carrier can then track your current data plan and send you marketing and advertisements to attempt to lure you back to using them as a carrier. They can even call you directly and ask why you have switched providers.
- This also means the previous carrier could tamper with the applications on your device or upload software without your knowledge or permission (note 3).
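Added example (not part of the original article): the Flash SMS and silent SMS mentioned in this section are ordinary SMS-DELIVER messages set apart by two header octets, TP-DCS (message class 0 means flash) and TP-PID (0x40 means silent "type 0", 0x7F means SIM data download). The Python below flags them in a raw TPDU; it assumes a TPDU without the SMSC prefix and a numeric sender, and every sample PDU and the sender number are constructed.

```python
# Added example: classify SMS-DELIVER headers (3GPP TS 23.040 / TS 23.038).
# All PDUs below are constructed samples; 15555550100 is a fictional sender.

def message_class(dcs):
    """Return the message class (0-3) carried in TP-DCS, or None if absent."""
    if dcs >> 4 == 0xF:                        # group 1111: class always present
        return dcs & 0x03
    if dcs >> 6 in (0, 1) and dcs & 0x10:      # groups 00xx/01xx: bit 4 flags a class
        return dcs & 0x03
    return None

def classify_tpdu(hex_tpdu):
    """Parse an SMS-DELIVER TPDU (no SMSC prefix) and flag unusual message types."""
    b = bytes.fromhex(hex_tpdu)
    if len(b) < 3 or b[0] & 0x03 != 0:         # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER TPDU")
    digits = b[1]                              # TP-OA length in semi-octets
    oa_end = 3 + (digits + 1) // 2             # past length, type-of-address, digits
    if len(b) < oa_end + 10:                   # PID + DCS + 7-octet timestamp + UDL
        raise ValueError("truncated TPDU")
    raw = b[3:oa_end].hex()
    # Numeric addresses are stored with the two digits of each octet swapped.
    sender = "".join(raw[i + 1] + raw[i] for i in range(0, len(raw), 2))[:digits]
    pid, dcs = b[oa_end], b[oa_end + 1]
    cls = message_class(dcs)
    flags = []
    if cls == 0:
        flags.append("flash")                  # shown at once, not stored by default
    if pid == 0x40:
        flags.append("silent")                 # Short Message Type 0: acknowledged, never shown
    if pid == 0x7F:
        flags.append("sim-data-download")      # payload is handed to the SIM, not the user
    return {"sender": sender, "pid": pid, "dcs": dcs, "class": cls, "flags": flags}

HDR = "040B915155550501F0"                     # first octet + sender 15555550100
TS = "71218021000000"                          # constructed timestamp 17-12-08 12:00:00
SAMPLES = {
    "normal":  HDR + "0000" + TS + "02E834",   # PID 00, DCS 00, text "hi"
    "flash":   HDR + "0010" + TS + "02E834",   # DCS 0x10: class 0
    "silent":  HDR + "4000" + TS + "00",       # PID 0x40, empty body
    "sim_ota": HDR + "7FF6" + TS + "00",       # PID 0x7F, DCS 0xF6: class 2
}

if __name__ == "__main__":
    for name, pdu in SAMPLES.items():
        print(name, classify_tpdu(pdu))
```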
4. Protecting your SIM card
4.1 Replace your SIM card.
- Use burner phones: Read our article about GSM burner phones.
- It can take months for your information to reach the SIM card registry.
- You can purchase many SIM cards cheaply online.
- In the US only some carriers use removable SIM cards, so this method will not work for everyone.
- Replacing your SIM card every few months will make it harder for state-sponsored criminals to associate you with your mobile device.
- You will have to contact your carrier to get your phone number transferred to the new SIM card, but it is preferable to get a new number.
4.2 Do not click on anything suspicious.
- The advancement of mobile technology has turned phones into pocket computers.
- Cellphones have become easy targets for hackers, because users do not take the same precautions as they would on their computers.
- Do not click on pop-ups on your phone or any alert that says your phone has been compromised.
- Do not respond to unknown text messages or phone calls that seem suspicious or claim to be from a company.
4.3 Pay attention to the apps you download.
- Be sure to download apps only from reputable developers. Unknown developers or developers who have just appeared are not worth the risk.
- If an app is requesting permission to access something on your phone that does not make logical sense, that is an alarm for the security of your phone. If a photo app is asking for access to your pictures, that makes sense. If a photo app asks for access to your contacts, that is concerning.
- If an unknown app suddenly appears on your device, contact your carrier to see if it was an update from your service (note 2). If it wasn’t, your SIM may have been compromised.
- Google and Android devices are more at risk due to the open nature of their app stores. Apple has more limited app accessibility, which limits a perpetrator’s ability to fool users into willingly downloading their malware.
- You also need to be wary of pop-ups or downloads on your mobile device as you are wary of any suspicious pop-ups on your standard PC or laptop.
4.4 Watch out for public Wi-Fi.
- Logging onto public Wi-Fi opens your mobile device up to potential hackers.
- As your phone has a GPS signal on where you are at any given moment, state-sponsored criminals, including your current or previous mobile provider, can ascertain your location.
- Public Wi-Fi, even if it is password protected, means several strangers are using the Wi-Fi at the same time.
- Even inexperienced hackers can view who is using the same network, putting your device and information at risk.
4.5 Update your device.
- Carriers will update security information as new malware is brought to their attention.
- Security updates from your provider will increase the security of your device.
- To help prevent your device from being attacked, do not ignore security updates or put them off.
- As new devices are released, they come with the latest protections against criminals.
- Criminals often keep pace with the latest security updates as well, finding new ways to target mobile device users.
4.6 Lock your SIM card.
- Locking your phone is not the same as locking down your SIM card.
- Your SIM card contains your phone number, billing information, security data, and other information about you and your phone activity.
- Simply taking out your SIM card will not help you as your phone will not function without one.
- There is a way of locking down your SIM card, see below.
4.6.1 How you can lock your SIM Card.
Depending on your provider, you need to locate your PIN Unlock Key (PUK).
For AT&T users:
- Log in to your AT&T account in a browser.
- Go to the myAT&T tab.
- Click on your mobile device.
- Select “Unblock SIM Card.”
- You will be directed to a new page where your PUK is listed.
For Verizon users:
- Log in to your Verizon account in a browser.
- Select the “I Want To” section.
- Select the “More Actions” button.
- Under devices, click on “Phone Details.”
- Select “Unlock SIM” and your PUK as well as your card’s default PIN should be displayed.
If you have another carrier, you can look through your account or call them to find your PUK as well as the default PIN for your SIM. Most default PINs are either 0000 or 1111, but not always. The PUK will not be needed unless you incorrectly enter the PIN three times.
You can now lock your SIM.
- In your mobile device’s settings, you should have a security option. Click on that.
- Locate the “Setup SIM card lock” option.
- Select Lock SIM card.
- Enter the default PIN.
- Select Change SIM PIN.
- Reenter the default PIN and hit “ok.”
- Enter a new 4-digit PIN that you will remember.
- Confirm the new PIN.
- Restart your mobile device and enter the SIM PIN when prompted.
4.6.2 Locking a SIM on an iPhone.
SIM cards on iPhones appear differently than other types of mobile devices, but can still be locked down.
Step 1: Open the Settings app and go to Phone.
Step 2: Scroll down to SIM PIN.
Step 3: Enter the default SIM PIN that you received from your carrier.
Now you have made your SIM’s identity inaccessible for anyone trying to either steal your SIM or your phone’s information. This would mean that a previous carrier you may have used should not be able to access your SIM and see which carrier you have moved to or take any other personal information from you. This does not, however, protect you from your own carrier. They will still have access to your information. The only way of avoiding this is to use a dumb phone with your SIM locked down so a previous carrier cannot get inside of your phone from the outside.
Caution: If you inaccurately enter your SIM card’s PIN three times or put in the incorrect PUK, you do run the risk of locking your SIM permanently. Your mobile device cannot operate if it does not have a functional SIM as the carrier will not be able to verify a service plan in order to operate. If your carrier has sensed the breach, they may shut down your SIM to protect your information from hackers, even if it was you who was trying to access it. Take your phone into the nearest carrier location and have your SIM replaced. Then you can also find out your SIM’s PIN and PUK in order to prevent the same problem from happening again in the future.
(1) A Flash SMS is a type of SMS that appears directly on the main screen without user interaction and is not automatically stored in the inbox. It can be useful in emergencies, such as a fire alarm or cases of confidentiality, as in delivering one-time passwords.
(2) OTA: On modern mobile devices such as smartphones, an over-the-air update may refer simply to a software update that is distributed over Wi-Fi or mobile broadband using a function built into the operating system, with the “over-the-air” aspect referring to its use of wireless internet instead of requiring the user to connect the device to a computer via USB to perform the update.
(3) An Access Point Name (APN) is the name of a gateway between a GSM, GPRS, 3G or 4G mobile network and another computer network, frequently the public Internet. A mobile device making a data connection must be configured with an APN to present to the carrier. The carrier will then examine this identifier to determine what type of network connection should be created, for example: which IP addresses should be assigned to the wireless device, which security methods should be used, and how or if, it should be connected to some private customer network.