Understanding SIM Swapping and Cloning Attack Techniques

If there’s any ubiquitous device worthy of hacking in today’s times, it’s mobile phones. If the place of residence is your first home and the place of work is second, mobile phones have essentially become the third home. That’s where people live virtually, spending an average of five hours a day, according to research.

Now, there is a concern brimming over Subscriber Identification Module (SIM) swapping and SIM cloning attacks in the security fraternity. Even high-profile people like the Twitter CEO Jack Dorsey himself faced a SIM-swapping incident in August 2019. Also, another Trickbot variant had arrived in the same period with SIM-swap fraud capability.

Do you sometimes ponder why attackers would be interested in using your contact number anyway? Let’s find out.

What is SIM Swapping?

You must be aware of the request people make to call center representatives to port their number to a new device. If an attacker attempts to hijack your SIM using this method and gets successful, it may transfer the control of your activities to the attacker’s phone. An attacker need not have detailed information for this mission; sometimes just a name, number, and birthdate does the job on the carrier’s side.

In cases where porting happens on a large scale, there are high chances that cybercriminals would have exploited insiders (telecom employees). In May 2019, nine people were charged in the U.S. with theft via SIM swapping. Three of the nine were employed with two major mobile providers, resulting in a $224 million lawsuit.

What is SIM Cloning?

While the goal remains the same as in SIM swapping cases, the attack method is more technically sophisticated. Cloning, in simple words, means duplicating from the original. Attackers use smart card copying software to create a copy of the real SIM card, thereby getting access to the victim’s international mobile subscriber identity (IMSI) and master encryption key.

In the process, the information is burnt onto the SIM card. Yes, physical access to SIM is a must here. That SIM card has to be placed into a card reader from where the data will be copied. In another scenario, SIM cards can be hacked remotely using over-the-air (OTA) communication to breach the encryption protecting the updates sent to the SIM via SMS.

Next, the attacker reaches out to the victim via phone or SMS asks to restart the phone within a given time. Once the victim’s phone gets off, the attacker starts its phone before the victim does. The activity initiates a successful clone followed by an account takeover. But, the hack is completed only after the victim restarts their phone.

However, in the past, attackers have cloned SIM cards using a surveillance toolkit known as SIMJacker. The tool uses instructions to the SIM Application Toolkit (STK) and SIM Alliance Toolkit (S@T) browser technologies which are installed on SIM cards. It helps attackers to covertly obtain confidential information about the device and its location. Read more here.

What Attackers Want from Your SIM?

Your hacked SIM card can consequently reveal account information, financial information and personally identifiable information (PII), which can be exploited further. Nowadays, many large service providers prefer sending SMS messages to their customers as a second factor of authentication for their online accounts. With a hacked SIM card, your online accounts can thus be compromised easily. Moreover, on the dark web, threat actors frequently post requests for SIM cloning services to gain access to a targeted bank account, as per X-Force IRIS research.

Prevention Tips

• If you are an organization, add a PIN to all corporate mobile accounts for added security.
• Educate users on handling calls or texts from unknown but seemingly reputable sources.
• In a BYOD environment, you can either install company security software on users’ devices or watch for intrusions entering through BYOD vectors, or both.
• Avoid syncing your mobile phone with company-owned computer systems. In case syncing is required, monitor data traffic from data stores for any unusual activity.
• To speak with new prospects, use a VoIP phone number if possible to limit the number of people possessing your mobile number. It reduces the overall risk of takeover.