Your Subscriber Identity Module, or SIM Card, opens up a few unknown security vulnerabilities on your phone.
Equally devastating, the SIM card allows you to easily be tracked.
As long as your phone has a valid SIM card in it, it will always try to connect to various base stations. Once connected, it will continue to send signals to base stations around you to ensure a good connection in case you receive a message or a phone call.
Using the information of what base station you connected to, plus the strength of the signal, your mobile phone provider is able to triangulate your location with varying precision.
As long as your phone is turned on with a SIM card inserted, your mobile phone provider will know which area you are roughly in, and from your speed and location have the ability to deduce whether you are in a car or a train, and maybe even if you are high up in a skyscraper.
This information is often not protected adequately, and a number of providers fail to secure their systems against intruders, making geo-location almost public knowledge. In fact, some providers have even gone so far as selling their users’ location to advertisers.
They can and often do share this information with law enforcement. But in order to track you more precisely, law enforcement will need a device similar to a Stingray.
Stingrays are a popular kind of IMSI-catcher (International Mobile Subscriber Identity). These devices are about the size of a shoe box and can be attached to any vehicle, such as a car or airplane, or even carried in a backpack.
Stingrays work for all devices connected to the GSM network. While the Stingrays are not as effective on 3G or 4G networks, they can always retrieve a subject’s cell phone number and location. By tricking the subject into connecting to a less secure 2G connection, they might also be able to intercept phone calls or SMS.
While each phone has to authenticate itself to the base station of the cell phone provider, this is not the case for the other way around. As a result of this commonly known vulnerability in the GSM network, anybody with the resources (Stingrays cost about 16,000 to 125,000 USD per piece) can imitate a base station, and every phone nearby will connect to it unknowingly.
This allows the operator of a Stingray to get a list of all the identifiers of mobile phones nearby. In some cases it can also allow them to listen to all phone conversations and text messages made by the victim in what is called a man-in-the-middle Attack.
We do not know if spy agencies or even law enforcement can easily apply similar functionality to read and intercept mobile data as well, but it is certainly within the possibilities of the technology.
Cracking the encryption on the fly is very difficult, but it’s not unreasonable to believe that a large enough spy agency has already stolen the keys, or requested them through a national security letter.
Stingrays are used covertly and their use is so secretive it’s often not even uncovered in court, damaging the principle of due process. As their use has become more widespread, the public has become increasingly aware of Stingrays and how they work. These devices are tools of mass surveillance, and as such are rarely authorized by courts in investigations.
When a law enforcement agency, criminal or spy has multiple such devices at their disposal, they can use them simultaneously to calculate the locations of their suspects’ phones. A similar result can be achieved by moving the devices around, like in a small airplane. Many such spy planes regularly fly above mosques and neighborhoods populated by ethnic minorities in the United States.
Evading location tracking through your SIM
The only way to completely evade tracking through these devices is to put your phone in flight mode. For advanced users, there is the possibility to run special software on your phone that detects Stingrays and shuts your phone down if you so choose.
However, this software is experimental and not thoroughly tested. Using public Wi-Fi, VPNs and VoIP services paid with Bitcoin are a good alternative for outgoing calls. Incoming calls over VoIP are less private due to the need to subscribe, but can still be an effective tool if the main goal is to hide your location. It’s important to note that such calls are never encrypted, and therefore may be easily wiretapped.
Encrypted calls are possible with software like Signal and Facetime, but in order to work they require both parties to use the software.
While frequently switching SIM cards does not technically make tracking impossible, it reduces the amount of information trackers are able to gather. It is important, however, that SIM cards aren’t switched too quickly. It might be possible to link two numbers together simply by the fact that they are never turned on at the same time.
Another barrier is that the SIM cards need to be purchased independently from each other, at separate stores, and paid with cash. If they are inserted into the same phone there might be other serial numbers and identifiers that allow the mobile phone company or an agency to link them together.
Ideally, your SIM cards are purchased from separate providers with cash, are unregistered or registered with separate fake names, and used with separate devices. They are also never used in the same area, and both devices are switched off when traveling between locations.
Possibly the biggest hole from a security perspective is your SIM card itself. Essentially, its module is a small computer that comes out of the box, runs and responds to code even unknown to the phone manufacturer, and is remotely accessible.
The largest known hack that exploited this problematic architecture was uncovered in 2013, when IT analysts discovered that 750 million cell phones were using obsolete cyphers that could easily be figured out by an attacker.
With this key, the attacker could download new software onto the SIM module, send text messages to contacts in the contact book, or change the user’s voicemail password.
If you have a SIM card issued before 2013, there is about a 10% chance it is still affected by this problem.
But these encryption keys can be compromised in other ways too, especially by well-funded state actors.
As part of the Snowden revelations, the online magazine The Intercept revealed how American and British intelligence agencies stole the encryption keys of billions of SIM cards produced by Gemalto, a Dutch company that produces the SIM cards for 450 phone providers all over the world. These keys would allow the intelligence agencies to decrypt intercepted traffic through a more advanced and undetectable version of a Stingray.
SMS messages and contacts
Even if you have full disk encryption set up, your phone might still store text messages and contact details on the SIM card itself, leaving your info unencrypted and accessible to anyone who obtains the SIM.
It is difficult to clone your SIM card. If an attacker has extended physical access to your SIM card, they might be able to extract the private key from it. This could also be done by placing a reader between your SIM card and your phone, although this could be easily detected by the user by checking the SIM slot, as an example.
The easiest way to clone your SIM card would be to impersonate the user and approach the service provider directly by asking them for a copy. Some service providers easily provide secondary or replacement SIMs on the spot or via mail with little identification.
This means that you put a lot of trust in your mobile service provider. If someone is able to impersonate you to your service provider and get access to a secondary SIM, they are able to receive text messages and phone calls intended for you, and make phone calls and text messages in your name (and your bill).
This can have important security ramifications, especially if your two-factor authentication solution delivers such codes over text message.
Learn more about the dangers of mobile Wi-Fi with these articles: