[{"data":1,"prerenderedAt":1109},["ShallowReactive",2],{"/sim-cloning-and-sim-swap-attacks/":3,"related-sim-cloning-and-sim-swap-attacks":1108},{"id":4,"title":5,"author":6,"authorName":6,"category":6,"date":6,"description":6,"extension":7,"image":6,"imageAlt":6,"lastModified":6,"meta":8,"readingTime":6,"severity":6,"stem":1106,"__hash__":1107,"body":9},"articles/sim-cloning-and-sim-swap-attacks.md","Sim Cloning And Sim Swap Attacks",null,"md",{"body":9},{"type":10,"value":11,"toc":1093},"minimark",[12,15,20,30,33,40,75,79,82,87,180],[13,14],"hr",{},[16,17,19],"h2",{"id":18},"title-sim-cloning-and-sim-swap-attacksdescription-telcosec-sim-cloning-and-sim-swap-attack-analysis-physical-cloning-simjacker-remote-exploitation-esim-provisioning-risks-and-isim-security-architecturedate-2024-04-22lastmodified-2026-05-15author-ruben-f-silvaauthorname-telcosec-researchcategory-user_land_attacksseverity-criticalimage-imagesarticlessim-card-herowebpimagealt-sim-card-security-analysis-sim-swap-and-cloning-identity-vectorsreadingtime-22","title: \"SIM Cloning and SIM Swap Attacks\"\ndescription: \"TelcoSec SIM cloning and SIM swap attack analysis: physical cloning, SIMjacker remote exploitation, eSIM provisioning risks, and iSIM security architecture.\"\ndate: \"2024-04-22\"\nlastModified: \"2026-05-15\"\nauthor: \"Ruben F. Silva\"\nauthorName: \"TelcoSec Research\"\ncategory: \"USER_LAND_ATTACKS\"\nseverity: \"CRITICAL\"\nimage: \"/images/articles/sim-card-hero.webp\"\nimageAlt: \"SIM Card Security Analysis - SIM Swap and Cloning Identity Vectors\"\nreadingTime: 22",[21,22,23,24,29],"p",{},"The SIM card is the cryptographic anchor of mobile identity. It holds the ",[25,26,28],"a",{"href":27},"/imsi-catchers-and-rogue-base-stations/","IMSI identifier",", the authentication key (Ki), and the algorithms that prove a subscriber's identity to the network. 
When this identity is compromised — whether through physical cloning, social engineering (SIM swap), or remote exploitation (SIMjacker) — the attacker inherits the victim's entire mobile identity: calls, SMS, data sessions, and critically, all SMS-based two-factor authentication codes.",[21,31,32],{},"This research covers the complete lifecycle of SIM-based attacks, from the legacy COMP128 cryptanalysis of the 1990s to modern eSIM profile hijacking, providing actionable intelligence for both offensive researchers and defensive security teams.",[34,35],"lead-magnet",{"ctaTitle":36,"description":37,"tag":38,"title":39},"GET REFERENCE","Download the technical reference for auditing STK applets (S@T/WIB) for remote execution vulnerabilities (PDF).","sim_lead_magnet","REFERENCE: SIM ToolKit (STK) Security Audit",[41,42,45,48],"article-intel-briefing",{"accent":43,"title":44},"red","CRITICAL RISK",[21,46,47],{},"This research covers the full spectrum of SIM-based attacks: from legacy SIM cloning through Ki extraction, to modern SIM swap fraud exploiting carrier customer service processes, to remote SIM exploitation via SIMjacker and WIBattack vulnerabilities in the SIM Toolkit. Each vector targets the same fundamental asset — the subscriber's cryptographic identity.",[49,50,52],"template",{"v-slot:takeaways":51},"",[53,54,55,59,62,65,72],"ul",{},[56,57,58],"li",{},"SIM swap fraud is the #1 account takeover vector — $68M+ FBI-reported losses in 2021",[56,60,61],{},"SIMjacker exploits S@T Browser to remotely control over 1 billion SIM cards",[56,63,64],{},"eSIM eliminates physical cloning but introduces profile server attack surfaces",[56,66,67,71],{},[25,68,70],{"href":69},"/signaling/ss7/","SS7"," vulnerabilities amplify SIM-based identity theft",[56,73,74],{},"Modern 5G authentication (5G-AKA) is only as strong as the SIM provisioning chain",[16,76,78],{"id":77},"sim-cloning","I. 
Physical SIM Cloning: Cryptanalysis of the Authentication Key",[21,80,81],{},"Classical SIM cloning involves extracting the Ki (authentication key) from a physical SIM card. The SIM's primary security function is to prove the subscriber's identity to the network through a challenge-response protocol — the network sends a random number (RAND), and the SIM computes a response (SRES) using the Ki and a one-way function. If the Ki can be extracted, a perfect clone can be created.",[83,84,86],"h3",{"id":85},"sim-authentication-evolution","SIM Authentication Evolution",[88,89,90,109],"table",{},[91,92,93],"thead",{},[94,95,96,100,103,106],"tr",{},[97,98,99],"th",{},"Generation",[97,101,102],{},"Algorithm",[97,104,105],{},"Ki Extraction Method",[97,107,108],{},"Feasibility (2024)",[110,111,112,127,140,154,167],"tbody",{},[94,113,114,118,121,124],{},[115,116,117],"td",{},"2G GSM",[115,119,120],{},"COMP128v1",[115,122,123],{},"Side-channel attack, ~150K challenges",[115,125,126],{},"Trivial — 2-4 hours with smart card reader",[94,128,129,131,134,137],{},[115,130,117],{},[115,132,133],{},"COMP128v2/v3",[115,135,136],{},"Improved resistance, longer key",[115,138,139],{},"Difficult — no practical attack published",[94,141,142,145,148,151],{},[115,143,144],{},"3G UMTS",[115,146,147],{},"Milenage (AES-128)",[115,149,150],{},"No known cryptanalytic attack",[115,152,153],{},"Infeasible — requires HLR/AuC database access",[94,155,156,159,162,164],{},[115,157,158],{},"4G LTE",[115,160,161],{},"Milenage or TUAK",[115,163,150],{},[115,165,166],{},"Infeasible — hardware security elements",[94,168,169,172,175,177],{},[115,170,171],{},"5G NR",[115,173,174],{},"Milenage or TUAK + SUPI concealment",[115,176,150],{},[115,178,179],{},"Infeasible — enhanced key hierarchy",[181,182,185,186,190,193,219,223,235,238,241,243,247,250,254,297,300],"info-callout",{"type":183,"title":184},"note","Historical Context","\nCOMP128v1 was broken in 1998. 
The attack exploits a weakness in the algorithm that leaks Ki bits through carefully chosen RAND values. Modern 3G/4G/5G SIMs use Milenage or TUAK algorithms with significantly stronger protection against Ki extraction. Physical cloning of modern SIMs is considered computationally infeasible without direct access to the operator's HLR/AuC database or [SIM provisioning infrastructure](/setting-up-private-lte-5g-lab/).\n\n",[83,187,189],{"id":188},"comp128v1-attack-methodology","COMP128v1 Attack Methodology",[21,191,192],{},"\u003CCodeBlock\nlanguage=\"python\"\nfilename=\"comp128v1_crack.py\"\ncode=\"# Historical: COMP128v1 Ki extraction via differential analysis\n# Requires: PC/SC smart card reader + target SIM card",[21,194,195,196,200,201,203,204,207,208,211,212,215,216,218],{},"from smartcard.System import readers\n# Helper module assumed (not shown): chosen-RAND generation and candidate filtering\nfrom comp128 import generate_chosen_rand, update_candidates\n# Connect to SIM via PC/SC reader\nr = readers()\nconnection = r[",[197,198,199],"span",{},"0","].createConnection()\nconnection.connect()\n# Phase 1: Send chosen RAND challenges\n# The attack exploits collisions in the compression function\n# ~150,000 challenges needed for full Ki recovery\nki_candidates = []",[197,202],{},"\nfor i in range(150000):\n    rand = generate_chosen_rand(i, ki_candidates)\n    # SELECT EF_IMSI, then RUN GSM ALGORITHM (CLA A0, INS 88, Lc 0x10 = 16-byte RAND)\n    apdu = [",[197,205,206],{},"0xA0, 0x88, 0x00, 0x00, 0x10","] + rand\n    response, sw1, sw2 = connection.transmit(apdu)\n    sres = response[",[197,209,210],{},":4","]\n    kc = response[",[197,213,214],{},"4:12","]\n    ki_candidates = update_candidates(rand, sres, ki_candidates)\n# Phase 2: Verify recovered Ki\nrecovered_ki = ki_candidates[",[197,217,199],{},"]\nprint(f'Recovered Ki: {recovered_ki.hex()}')\">",[83,220,222],{"id":221},"sim-cloning-in-the-lab","SIM Cloning in the Lab",[21,224,225,226,230,231,234],{},"For security research, cloning is performed using ",[25,227,229],{"href":228},"/setting-up-private-lte-5g-lab/","programmable SIM cards"," (sysmoISIM-SJA5) where the Ki is already known. 
This is essential for building a ",[25,232,233],{"href":228},"private LTE/5G lab"," environment where the researcher controls both the SIM and the network.",[21,236,237],{},"\u003CCodeBlock\nlanguage=\"bash\"\nis-terminal\ncode=\" # Programming a research SIM with pySim-shell\n# This is NOT cloning — this is provisioning a blank SIM with known keys",[21,239,240],{},"pySim-shell -p 0\n# Set IMSI and authentication parameters\npySim> select ADF.USIM\npySim> update_binary EF.IMSI 001010123456789\npySim> update_binary EF.Ki 465B5CE8B199B49FAA5F0A2EE238A6BC\npySim> update_binary EF.OPc 69d5c2eb2e2e624750541d3bbc692ba5\n# Verify the programming\npySim> read_binary EF.IMSI\"\n/>",[13,242],{},[16,244,246],{"id":245},"sim-swap","II. SIM Swap Fraud: Social Engineering the Carrier",[21,248,249],{},"SIM swap attacks bypass all cryptographic protections by exploiting the human element — the carrier's customer service process. The attacker convinces a representative to transfer the victim's phone number to a new SIM card controlled by the attacker. 
Once successful, all incoming calls and SMS (including 2FA codes) are redirected to the attacker.",[83,251,253],{"id":252},"attack-kill-chain","Attack Kill Chain",[255,256,257,264,270,276,282,288],"ol",{},[56,258,259,263],{},[260,261,262],"strong",{},"OSINT Gathering:"," Collect the victim's name, address, date of birth, last four digits of SSN, and account PIN through social media analysis, data breach databases, or dark web markets",[56,265,266,269],{},[260,267,268],{},"Social Engineering:"," Call the carrier impersonating the victim, pass identity verification using gathered data, and request a \"SIM replacement\" due to a \"lost phone\"",[56,271,272,275],{},[260,273,274],{},"Alternative: Insider Recruitment:"," Recruit or bribe a carrier retail employee to process the swap without standard verification — a growing trend documented by the FBI",[56,277,278,281],{},[260,279,280],{},"Number Port:"," Once the number is ported, the victim's phone loses service (first indicator of compromise)",[56,283,284,287],{},[260,285,286],{},"Account Takeover:"," Intercept all incoming SMS including 2FA codes. Reset passwords on banking, cryptocurrency, email, and social media accounts",[56,289,290,293,294,296],{},[260,291,292],{},"Persistence:"," Some attackers combine the SIM swap with ",[25,295,70],{"href":69}," vulnerabilities to maintain persistent SMS interception even after the victim recovers their number",[298,299],"diagrams-sim-swap-sequence-diagram",{},[181,301,304,305,309,412,416,419,445,447,451,454,458,496,499,502,505,509,512,516,592,594,598,601,605,608,693,697,796,798,802,805,809,840,842,846,951,953,957,964,970,976,988,994,1004,1006,1010,1013,1016,1049,1063,1085],{"type":302,"title":303},"hazard","Financial Impact","\nThe FBI's Internet Crime Complaint Center reported over $68 million in SIM swap losses in 2021 alone, rising to over $72 million in 2022. High-profile targets include cryptocurrency holders, executives, journalists, and public figures. 
Individual losses exceeding $1 million are documented in multiple court cases.\n\n",[83,306,308],{"id":307},"sim-swap-defense-comparison","SIM Swap Defense Comparison",[88,310,311,327],{},[91,312,313],{},[94,314,315,318,321,324],{},[97,316,317],{},"Defense Measure",[97,319,320],{},"Effectiveness",[97,322,323],{},"Carrier Support",[97,325,326],{},"User Action Required",[110,328,329,343,357,371,385,398],{},[94,330,331,334,337,340],{},[115,332,333],{},"SIM Lock PIN (carrier-set)",[115,335,336],{},"High — blocks unauthorized swaps",[115,338,339],{},"Most US carriers",[115,341,342],{},"Call carrier to enable",[94,344,345,348,351,354],{},[115,346,347],{},"Port-Out PIN",[115,349,350],{},"High — prevents number porting",[115,352,353],{},"AT&T, T-Mobile, Verizon",[115,355,356],{},"Set via carrier app/account",[94,358,359,362,365,368],{},[115,360,361],{},"In-Store ID Verification",[115,363,364],{},"High — requires physical presence",[115,366,367],{},"Some carriers (opt-in)",[115,369,370],{},"Request at retail store",[94,372,373,376,379,382],{},[115,374,375],{},"Authenticator Apps (replace SMS 2FA)",[115,377,378],{},"Critical — eliminates SMS dependency",[115,380,381],{},"N/A (app-level)",[115,383,384],{},"Migrate all accounts",[94,386,387,390,393,395],{},[115,388,389],{},"Hardware Security Keys (FIDO2/WebAuthn)",[115,391,392],{},"Critical — phishing-resistant",[115,394,381],{},[115,396,397],{},"Purchase key, enroll accounts",[94,399,400,403,406,409],{},[115,401,402],{},"Number Lock / Freeze",[115,404,405],{},"Medium — temporary protection",[115,407,408],{},"Limited carrier support",[115,410,411],{},"Call carrier",[83,413,415],{"id":414},"regulatory-and-legal-landscape","Regulatory and Legal Landscape",[21,417,418],{},"SIM swap fraud has triggered regulatory responses across multiple jurisdictions:",[53,420,421,427,433,439],{},[56,422,423,426],{},[260,424,425],{},"FCC (USA):"," Proposed rules requiring carriers to implement stronger authentication before processing SIM 
changes (2023)",[56,428,429,432],{},[260,430,431],{},"GSMA:"," Published FS.22 guidelines for SIM swap fraud prevention, recommending real-time fraud detection and customer notification",[56,434,435,438],{},[260,436,437],{},"EU:"," ETSI ENISO frameworks mandate multi-factor authentication for SIM management operations",[56,440,441,444],{},[260,442,443],{},"Australia:"," ACMA enforced mandatory ID verification for SIM swaps after high-profile cryptocurrency theft cases",[13,446],{},[16,448,450],{"id":449},"simjacker","III. SIMjacker and Remote SIM Exploitation",[21,452,453],{},"Disclosed in 2019 by AdaptiveMobile Security, SIMjacker exploits the S@T Browser (SIMalliance Toolbox Browser) — a legacy Java Card application present on over 1 billion SIM cards worldwide. By sending a specially crafted binary SMS (OTA SMS) to the target, the attacker can silently command the SIM to perform actions without the user's knowledge.",[83,455,457],{"id":456},"simjacker-attack-capabilities","SIMjacker Attack Capabilities",[53,459,460,466,472,478,484,490],{},[56,461,462,465],{},[260,463,464],{},"Retrieve the device's IMEI and location"," (Cell-ID based positioning)",[56,467,468,471],{},[260,469,470],{},"Send SMS messages"," from the victim's number (to premium rate numbers for fraud, or to exfiltrate data)",[56,473,474,477],{},[260,475,476],{},"Initiate phone calls"," (to premium rate numbers or for call forwarding)",[56,479,480,483],{},[260,481,482],{},"Launch a browser"," to a malicious URL (for malware delivery)",[56,485,486,489],{},[260,487,488],{},"Play tones"," (distraction or confirmation signal)",[56,491,492,495],{},[260,493,494],{},"Power off the SIM card"," (denial of service)",[21,497,498],{},"\u003CCodeBlock\nlanguage=\"text\"\nfilename=\"simjacker-sms-structure.bin\"\ncode=\"SMS PDU Structure (SIMjacker):\nTP-PID: 0x7F (SIM Data Download)\nTP-DCS: 0xF6 (Class 2, binary — routed directly to SIM)\nUDH:    0x70 (Security Header - command packet)",[21,500,501],{},"Payload 
Structure:\n├── CPH (Command Packet Header)\n│   ├── SPI: Security Parameter Indicator (often 0x00 = no security)\n│   ├── KIc/KID: Crypto keys (unused if SPI=0)\n│   └── TAR: 0x534154 ('SAT' — S@T Browser application)\n└── STK Commands:\n├── PROVIDE LOCAL INFO → Cell-ID + IMEI\n├── SEND SHORT MESSAGE → Exfiltrate to attacker MSISDN\n└── SETUP CALL → Dial attacker number (optional)\">",[21,503,504],{},"The attack is completely invisible to the user — no notification appears, and the SMS is not stored in the inbox. The vulnerability was actively exploited by surveillance companies before public disclosure.",[83,506,508],{"id":507},"related-wibattack","Related: WIBattack",[21,510,511],{},"WIBattack targets the Wireless Internet Browser (WIB) — another SIM Toolkit application with similar capabilities to S@T Browser. The attack mechanism is identical (crafted binary SMS), but targets a different application identifier (TAR). Together, SIMjacker and WIBattack affect an estimated 1.5 billion SIM cards globally.",[83,513,515],{"id":514},"ota-sms-security-assessment","OTA SMS Security Assessment",[88,517,518,534],{},[91,519,520],{},[94,521,522,525,528,531],{},[97,523,524],{},"Security Level",[97,526,527],{},"SPI Configuration",[97,529,530],{},"Vulnerability",[97,532,533],{},"Prevalence",[110,535,536,550,564,578],{},[94,537,538,541,544,547],{},[115,539,540],{},"No Security (SPI=0x00)",[115,542,543],{},"No encryption, no integrity",[115,545,546],{},"Critical — fully exploitable",[115,548,549],{},"~30% of SIMs (pre-2019)",[94,551,552,555,558,561],{},[115,553,554],{},"Single DES (SPI=0x01)",[115,556,557],{},"DES encryption only",[115,559,560],{},"High — DES crackable",[115,562,563],{},"~20% of SIMs",[94,565,566,569,572,575],{},[115,567,568],{},"Triple DES + MAC",[115,570,571],{},"3DES + integrity check",[115,573,574],{},"Low — requires key compromise",[115,576,577],{},"~40% of SIMs",[94,579,580,583,586,589],{},[115,581,582],{},"AES + MAC",[115,584,585],{},"AES-128 + 
integrity",[115,587,588],{},"Minimal — state-of-the-art",[115,590,591],{},"~10% of SIMs (modern)",[13,593],{},[16,595,597],{"id":596},"esim-security","IV. eSIM Security Model",[21,599,600],{},"Embedded SIMs (eSIMs) eliminate the physical SIM card, storing subscriber profiles digitally in a tamper-resistant secure element (eUICC — embedded Universal Integrated Circuit Card) soldered onto the device's motherboard. This fundamentally changes the threat model: physical cloning is eliminated, but new remote attack vectors emerge.",[83,602,604],{"id":603},"esim-architecture","eSIM Architecture",[21,606,607],{},"The GSMA SGP.22 specification defines the Remote SIM Provisioning (RSP) architecture:",[609,610,616,648,663,678],"grid",{"className":611},[612,613,614,615],"grid-cols-1","md:grid-cols-2","gap-6","my-8",[617,618,628,638,645],"div",{"className":619},[620,621,622,623,624,625,626,627],"bg-[#050B14]","p-6","border","border-[var(--border)]","group","hover:border-[var(--primary)]","transition-colors","relative",[629,630],"absolute",{":right-0":631,":top-0":631,"className":632},"true",[633,634,635,636,637],"w-8","h-8","bg-gradient-to-bl","from-[var(--primary)]/20","to-transparent",[83,639,641,644],{"id":640},"sm-dp-subscription-manager-data-preparation",[197,642,643],{},">"," SM-DP+ (Subscription Manager Data Preparation)",[21,646,647],{},"The server that generates and delivers encrypted eSIM profiles to devices. Compromising SM-DP+ enables mass credential theft — the attacker can intercept or duplicate subscriber profiles including Ki/OPc values. 
SM-DP+ servers are high-value targets for state-level adversaries.",[617,649,651,654,660],{"className":650},[620,621,622,623,624,625,626,627],[629,652],{":right-0":631,":top-0":631,"className":653},[633,634,635,636,637],[83,655,657,659],{"id":656},"sm-ds-subscription-manager-discovery",[197,658,643],{}," SM-DS (Subscription Manager Discovery)",[21,661,662],{},"The discovery service that helps devices find the correct SM-DP+ server. SM-DS compromise enables man-in-the-middle attacks by redirecting devices to attacker-controlled SM-DP+ servers, delivering rogue subscriber profiles.",[617,664,666,669,675],{"className":665},[620,621,622,623,624,625,626,627],[629,667],{":right-0":631,":top-0":631,"className":668},[633,634,635,636,637],[83,670,672,674],{"id":671},"qr-code-provisioning",[197,673,643],{}," QR Code Provisioning",[21,676,677],{},"eSIM activation relies on scanning a QR code containing the SM-DP+ address and activation code. Malicious QR codes can redirect to attacker-controlled servers to provision rogue profiles. QR codes distributed via phishing emails or compromised carrier websites enable remote eSIM hijacking.",[617,679,681,684,690],{"className":680},[620,621,622,623,624,625,626,627],[629,682],{":right-0":631,":top-0":631,"className":683},[633,634,635,636,637],[83,685,687,689],{"id":686},"euicc-secure-element",[197,688,643],{}," eUICC Secure Element",[21,691,692],{},"The tamper-resistant hardware chip that stores and executes eSIM profiles. 
While physically robust (side-channel resistance, anti-tamper mesh), software vulnerabilities in the ISD-R (Issuer Security Domain Root) or the profile management application can enable unauthorized profile installation or extraction.",[83,694,696],{"id":695},"esim-vs-physical-sim-security-comparison","eSIM vs Physical SIM Security Comparison",[88,698,699,715],{},[91,700,701],{},[94,702,703,706,709,712],{},[97,704,705],{},"Attack Vector",[97,707,708],{},"Physical SIM",[97,710,711],{},"eSIM",[97,713,714],{},"Winner",[110,716,717,730,744,757,770,783],{},[94,718,719,722,725,728],{},[115,720,721],{},"Physical Cloning",[115,723,724],{},"Possible (legacy) / Infeasible (modern)",[115,726,727],{},"Impossible — no removable element",[115,729,711],{},[94,731,732,735,738,741],{},[115,733,734],{},"SIM Swap Fraud",[115,736,737],{},"Vulnerable via carrier social engineering",[115,739,740],{},"Still vulnerable — carrier process unchanged",[115,742,743],{},"Tie",[94,745,746,749,752,755],{},[115,747,748],{},"SIMjacker/WIBattack",[115,750,751],{},"Vulnerable if S@T/WIB present",[115,753,754],{},"Reduced — fewer legacy applets",[115,756,711],{},[94,758,759,762,765,768],{},[115,760,761],{},"Profile Server Compromise",[115,763,764],{},"N/A — Ki stored at manufacturing",[115,766,767],{},"New risk — SM-DP+ as attack target",[115,769,708],{},[94,771,772,775,778,781],{},[115,773,774],{},"Supply Chain Attack",[115,776,777],{},"Ki theft during manufacturing",[115,779,780],{},"Profile interception during provisioning",[115,782,743],{},[94,784,785,788,791,794],{},[115,786,787],{},"Remote Profile Management",[115,789,790],{},"N/A — requires physical swap",[115,792,793],{},"New risk — OTA profile manipulation",[115,795,708],{},[13,797],{},[16,799,801],{"id":800},"_5g-aka","V. The 5G-AKA Authentication Chain",[21,803,804],{},"In 5G networks, the SIM's role extends beyond simple authentication. 
The 5G-AKA (Authentication and Key Agreement) protocol introduces SUPI concealment (via SUCI), home network authentication, and a stronger key hierarchy. However, the entire chain is only as strong as the SIM provisioning process.",[83,806,808],{"id":807},"_5g-aka-vulnerability-points","5G-AKA Vulnerability Points",[255,810,811,817,823,834],{},[56,812,813,816],{},[260,814,815],{},"SIM Provisioning:"," If Ki/OPc values are compromised during manufacturing or delivery, the entire 5G-AKA chain is broken regardless of protocol strength",[56,818,819,822],{},[260,820,821],{},"SUCI Generation:"," The SIM generates the SUCI (Subscription Concealed Identifier) using ECIES encryption with the home network's public key. If this key is compromised or the SIM's ECIES implementation is flawed, SUPI can be recovered",[56,824,825,828,829,833],{},[260,826,827],{},"Home Network Authentication:"," 5G-AKA requires the home network (AUSF/UDM) to authenticate the subscriber, unlike 4G where the visited network could authenticate independently. This prevents certain ",[25,830,832],{"href":831},"/signaling/diameter/","Diameter"," roaming attack vectors but centralizes trust in the home AUSF",[56,835,836,839],{},[260,837,838],{},"SIM Swap Impact on 5G:"," A successful SIM swap gives the attacker a SIM with valid Ki/OPc for the target's subscription. The 5G-AKA protocol authenticates the SIM, not the person — so a swapped SIM passes all cryptographic checks",[13,841],{},[16,843,845],{"id":844},"references","VI. 
Authoritative References",[847,848,851],"glass-panel",{"className":849},[621,850],"bg-black/20",[53,852,853,871,887,903,919,935],{},[56,854,855,861,865],{},[260,856,857,860],{},[197,858,859],{},"01"," AdaptiveMobile Security",[862,863,864],"em",{},"SIMjacker Technical Paper (2019)",[25,866,870],{"href":867,"rel":868},"https://www.simjacker.com/",[869],"nofollow","SIMjacker Vulnerability Research Paper →",[56,872,873,879,882],{},[260,874,875,878],{},[197,876,877],{},"02"," GSMA SGP.22",[862,880,881],{},"RSP Technical Specification for Consumer Devices (eSIM)",[25,883,886],{"href":884,"rel":885},"https://www.gsma.com/esim/esim-specification/",[869],"GSMA eSIM Technical Specification →",[56,888,889,895,898],{},[260,890,891,894],{},[197,892,893],{},"03"," FBI IC3 Report",[862,896,897],{},"SIM Swap Fraud Statistics (2021-2022)",[25,899,902],{"href":900,"rel":901},"https://www.ic3.gov/",[869],"FBI IC3 SIM Swap Report →",[56,904,905,911,914],{},[260,906,907,910],{},[197,908,909],{},"04"," 3GPP TS 33.501",[862,912,913],{},"Security architecture and procedures for 5G system",[25,915,918],{"href":916,"rel":917},"https://www.3gpp.org/dynareport?code=33501.htm",[869],"3GPP TS 33.501 – 5G Security Architecture →",[56,920,921,927,930],{},[260,922,923,926],{},[197,924,925],{},"05"," GSMA FS.22",[862,928,929],{},"SIM Swap Fraud Prevention Guidelines",[25,931,934],{"href":932,"rel":933},"https://www.gsma.com/security/resources/",[869],"GSMA Security Resources & Guidelines →",[56,936,937,943,946],{},[260,938,939,942],{},[197,940,941],{},"06"," 3GPP TS 31.102",[862,944,945],{},"USIM application characteristics",[25,947,950],{"href":948,"rel":949},"https://www.3gpp.org/dynareport?code=31102.htm",[869],"3GPP TS 31.102 – USIM Application →",[13,952],{},[16,954,956],{"id":955},"faq","VII. Frequently Asked Questions",[958,959,961],"faq-item",{"title":960},"How do I protect myself from SIM swap attacks?",[21,962,963],{},"Contact your carrier and request a SIM lock PIN or port-out PIN. 
Migrate all accounts from SMS-based 2FA to authenticator apps (Google Authenticator, Authy) or hardware security keys (YubiKey). Some carriers offer additional protections like requiring in-store verification with government-issued photo ID for SIM changes. Monitor your phone for sudden loss of service — this is the first indicator of a SIM swap in progress.",[958,965,967],{"title":966},"Is my SIM vulnerable to SIMjacker?",[21,968,969],{},"SIMjacker requires the S@T Browser applet on your SIM. Many operators have since removed or disabled this applet through OTA updates. If your SIM was issued before 2019, it may be at higher risk. Contact your carrier to verify. SIM cards from operators who deploy OTA SMS with proper cryptographic protection (AES + MAC) are significantly less vulnerable even if S@T is present.",[958,971,973],{"title":972},"Are eSIMs safer than physical SIMs?",[21,974,975],{},"eSIMs eliminate physical cloning risk and add cryptographic protections during profile provisioning. However, they are still susceptible to social engineering-based SIM swap fraud if the carrier's verification process is weak — the carrier can remotely re-provision an eSIM just as easily as issuing a replacement physical SIM. The profile server (SM-DP+) infrastructure also introduces a new centralized attack surface absent from physical SIM deployments.",[958,977,979],{"title":978},"Can SIM swap be combined with SS7 attacks?",[21,980,981,982,984,985,987],{},"Yes, this is a documented attack chain. An attacker first performs a SIM swap to gain control of the target's phone number. They then use ",[25,983,70],{"href":69}," vulnerabilities (UpdateLocation) to redirect SMS traffic to their own infrastructure, providing persistent SMS interception even after the victim recovers their SIM. 
The ",[25,986,832],{"href":831}," protocol equivalent uses Cancel-Location-Request to de-register the victim.",[958,989,991],{"title":990},"What is the difference between SIM cloning and SIM swapping?",[21,992,993],{},"SIM cloning is a technical attack that extracts the cryptographic key (Ki) from a physical SIM card to create a duplicate. SIM swapping is a social engineering attack that convinces the carrier to transfer the victim's phone number to a new SIM controlled by the attacker. Cloning requires specialized hardware and is infeasible against modern SIMs. Swapping requires only convincing a customer service representative and remains the dominant attack vector.",[958,995,997],{"title":996},"How does 5G authentication improve SIM security?",[21,998,999,1000,1003],{},"5G introduces the 5G-AKA protocol with SUPI concealment (SUCI), which prevents ",[25,1001,1002],{"href":27},"IMSI catchers"," from capturing the subscriber's permanent identifier over the air. It also requires home network verification of the authentication, preventing visited network fraud. However, 5G-AKA does not protect against SIM swap fraud, because the protocol authenticates the SIM card itself — not the person holding it.",[13,1005],{},[16,1007,1009],{"id":1008},"conclusion-next-steps","Conclusion & Next Steps",[21,1011,1012],{},"SIM-based attacks remain a critical threat vector that bridges social engineering, cryptanalysis, and deep technical exploitation. 
The attack surface has evolved from physical Ki extraction to carrier process exploitation and remote OTA attacks, but the fundamental target remains the same: the subscriber's cryptographic identity anchored in the SIM.",[21,1014,1015],{},"Key defensive priorities:",[255,1017,1018,1024,1030,1043],{},[56,1019,1020,1023],{},[260,1021,1022],{},"Immediate:"," Enable SIM lock/port-out PIN with your carrier and migrate to authenticator apps for all 2FA",[56,1025,1026,1029],{},[260,1027,1028],{},"For operators:"," Deploy OTA SMS cryptographic protection (AES + MAC), audit STK applets, implement real-time SIM swap fraud detection",[56,1031,1032,1035,1036,1039,1040,1042],{},[260,1033,1034],{},"For researchers:"," Explore ",[25,1037,1038],{"href":228},"SIM provisioning"," in a lab environment and test ",[25,1041,70],{"href":69}," vulnerability amplification chains",[56,1044,1045,1048],{},[260,1046,1047],{},"Strategic:"," Migrate toward FIDO2/WebAuthn authentication that is immune to SIM-based interception entirely",[21,1050,1051,1052,1054,1055,1057,1058,1062],{},"Organizations handling sensitive operations should never rely solely on SMS-based authentication, especially with the prevalence of ",[25,1053,70],{"href":69}," location tracking, ",[25,1056,832],{"href":831}," subscriber attacks, and SIM swap fraud. 
Explore the ",[25,1059,1061],{"href":1060},"/projects/library/","TelcoSec research library"," for related signaling protocol intelligence.",[617,1064,1070,1071,1070,1079],{"className":1065},[1066,1067,1068,1069,615],"flex","flex-col","sm:flex-row","gap-4","\n  ",[1072,1073,1078],"nuxt-link",{"to":1074,"className":1075},"/services/",[1076,1077],"btn-terminal-fill","text-center","REQUEST SIM AUDIT",[1072,1080,1084],{"to":1081,"className":1082},"/telecom-penetration-testing-methodologies/",[1083,1077],"btn-terminal","PENTEST METHODOLOGY →",[1086,1087],"telecom-security-cta",{"title":1088,"description":1089,"ctalink":1090,"ctatext":1091,"context":1092},"MASTER SIM EXPLOITATION?","Deep dive into SIM/eSIM security. Learn to audit SIM applets, understand UICC cryptography, and defend against SIM swap fraud in our Academy. Access SIM exploitation research and private HLR/HSS labs.","https://app.telcosec.net/api/auth/login","LEARN SIM OS EXPLOITATION PATHS [→]","sim_security",{"title":51,"searchDepth":1094,"depth":1094,"links":1095},2,[1096,1097,1103],{"id":18,"depth":1094,"text":19},{"id":77,"depth":1094,"text":78,"children":1098},[1099,1101,1102],{"id":85,"depth":1100,"text":86},3,{"id":188,"depth":1100,"text":189},{"id":221,"depth":1100,"text":222},{"id":245,"depth":1094,"text":246,"children":1104},[1105],{"id":252,"depth":1100,"text":253},"sim-cloning-and-sim-swap-attacks","c0nRNthynwocfszpUTf-CSnA3J7AJLb_P9AbgyE7rHc",[],1782059596569]