
I recently heard that a telephone company (a mobile network operator) was hacked and lots of data was stolen, maybe affecting up to a million customers. It sounds like the leaked data is already available on the dark web, and it includes all personal information (names, addresses, ID numbers, phone numbers, etc.) and also a lot of technical data (including SIM activation date, IMSI, ICCID, PUK, etc.). The company confirmed the attack, and said that they now enabled some new security controls in order to prevent potential frauds (but nobody knows what controls they are talking about). However, if you want, they offer to replace the SIM card for free (but they said you need to go to one of their stores, in person).

The question is: does replacing only the SIM card (and keeping the same phone number) help to mitigate anything in such a situation? I don't know how a SIM swap works exactly in detail, but I suspect it depends on the security practices of the carrier(s) involved, so the amount and type of data required by the attacker may vary. By replacing the SIM card, I suppose you would only invalidate the technical data (IMSI, ICCID, PUK, etc.) but I'm not sure how useful that is in practice. Other kinds of attacks might be facilitated by knowing such technical details, however I'm still not sure about their impact. Even if replacing the SIM card might help, what I'd like to know is how much it would help here, and why.

reed

2 Answers


A SIM card stores the IMSI and the authentication key Ki which are used to authenticate your SIM card on the GSM network (short description, long explanation). Both numbers are also stored (in cleartext) in the database of your mobile network operator, so they are almost definitely present in the leaked data.

With the SIM authentication data, an attacker can clone your SIM card and receive incoming calls and SMS instead of you, and that might present a serious threat.

Another issue, obviously, is that they can also make outgoing calls.

Even though caller ID spoofing in GSM networks was always there anyway so it seems like the latter isn't a big issue, the attacker can theoretically frame you for a tedious investigation with local law enforcement by committing some crime using your phone number. Typically, when situations like that happen, the local authorities quickly figure out that the call was actually spoofed because it was coming from some VoIP gateway. But in your case the source would be the SIM card on the network so you may have a hard time convincing them that there's a duplicate SIM somewhere.

Replacing a SIM card in your case does make sense (I'd even go as far as to say that, given your description of the breach, voluntarily invalidating and replacing all the affected SIM cards should be the immediate responsibility of the mobile network), the only thing is that it's definitely not enough to protect you against all the possible threats related to personal data disclosure.

ximaera

Most telecom operators store an encrypted Ki in their databases, but IMSI will most likely be stored as clear text.

However, replacing the SIM is advisable as it will eliminate the possibility of cloning the SIM card.

Indika K
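To make concrete what both answers describe (why a leaked IMSI/Ki pair allows a clone, why an encrypted Ki does not, and what the in-store SIM replacement actually invalidates while the phone number stays the same), here is an added simulation. It is not code from either answer or from any operator; the GSM challenge-response is modelled with a toy HLR/AuC, the SIM's A3 algorithm is replaced by an HMAC stand-in, the at-rest encryption of Ki is a stand-in XOR with a key the attacker never sees, and the phone number and IMSI values are constructed.

```python
import hmac
import hashlib
import secrets

# Constructed stand-in for the SIM's A3 algorithm. Real operators use COMP128
# variants or MILENAGE; the property that matters here is the same: the
# response depends only on the subscriber key Ki and the network's challenge.
def sim_response(ki: bytes, rand: bytes) -> bytes:
    """SRES: the short response a SIM (or anyone holding Ki) returns for RAND."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]


class Operator:
    """Toy HLR/AuC: phone number (MSISDN) -> IMSI, and IMSI -> Ki."""

    def __init__(self):
        self.msisdn_to_imsi = {}
        self.imsi_to_ki = {}       # the table that leaks in the breach

    def provision_sim(self, msisdn: str):
        """Issue a fresh SIM (new IMSI and Ki) and bind it to the phone number."""
        # Constructed IMSI: test MCC/MNC 001/01 plus a random 10-digit MSIN.
        imsi = "00101" + "".join(secrets.choice("0123456789") for _ in range(10))
        ki = secrets.token_bytes(16)
        self.imsi_to_ki[imsi] = ki
        self.msisdn_to_imsi[msisdn] = imsi
        return imsi, ki

    def replace_sim(self, msisdn: str):
        """What the free in-store replacement does: revoke old IMSI/Ki, issue new."""
        old_imsi = self.msisdn_to_imsi[msisdn]
        del self.imsi_to_ki[old_imsi]
        return self.provision_sim(msisdn)

    def authenticate(self, imsi: str, responder) -> bool:
        """GSM challenge-response: send RAND, compare SRES with the AuC's own copy."""
        ki = self.imsi_to_ki.get(imsi)
        if ki is None:
            return False                  # unknown or revoked IMSI
        rand = secrets.token_bytes(16)
        return hmac.compare_digest(sim_response(ki, rand), responder(rand))


def make_sim(ki: bytes):
    """A SIM (legitimate or cloned) is just something that answers with Ki."""
    return lambda rand: sim_response(ki, rand)


def simulate_breach(ki_stored_encrypted: bool) -> dict:
    """Run the breach scenario and report which authentications succeed."""
    op = Operator()
    number = "+15555550100"                        # constructed phone number
    imsi, ki = op.provision_sim(number)
    victim_sim = make_sim(ki)

    # The leaked record. If the operator encrypted Ki at rest, the attacker
    # gets ciphertext; without the database key it is useless for cloning.
    db_key = secrets.token_bytes(16)              # stand-in for DB encryption key
    leaked_ki = bytes(a ^ b for a, b in zip(ki, db_key)) if ki_stored_encrypted else ki
    clone = make_sim(leaked_ki)

    result = {
        "victim_before": op.authenticate(imsi, victim_sim),
        "clone_before": op.authenticate(imsi, clone),
    }

    # The customer visits the store: old IMSI/Ki revoked, new pair issued,
    # same phone number.
    new_imsi, new_ki = op.replace_sim(number)
    result["clone_after"] = op.authenticate(imsi, clone)               # old IMSI revoked
    result["clone_after_new_imsi"] = op.authenticate(new_imsi, clone)  # wrong Ki
    result["new_sim_after"] = op.authenticate(new_imsi, make_sim(new_ki))
    result["same_number"] = op.msisdn_to_imsi[number] == new_imsi
    return result


if __name__ == "__main__":
    for enc in (False, True):
        print("Ki encrypted at rest:", enc, simulate_breach(enc))
```

Running it shows the two cases side by side: with a cleartext Ki in the leak the clone authenticates until the SIM is replaced, after which neither the old IMSI nor the new one accepts it; with only an encrypted Ki in the leak the clone never authenticates at all. Note what the model does not cover: the names, addresses and ID numbers in the same leak are unaffected by a new SIM, which is the point of the last paragraph of the first answer.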