Identity & SIM Security
[critical] SIM cloning · eSIM · IMSI privacy
The SIM card — and its evolution into eSIM and iSIM — is the cryptographic anchor of every subscriber's identity in a telecom network. Every call, message, data session, and authentication event ultimately traces to the integrity of the Ki (authentication key) stored on this chip. If the Ki is known, the subscriber can be impersonated; if the IMSI is exposed, the subscriber can be tracked. These attacks don't require breaking encryption — they target the identity layer that sits beneath it. As SIM functionality migrates to software-defined eSIM profiles managed over-the-air, the attack surface expands from physical tampering to remote exploitation of provisioning protocols.
Threat vectors
SIM cloning via Ki extraction [critical]
The authentication key (Ki) on a SIM card is never transmitted over the network — only challenge/response pairs are exchanged. Extracting Ki requires either physical access to the SIM (side-channel power analysis, fault injection, or probing the EEPROM) or compromise of the operator's HLR/HSS Ki database. Early COMP128-1 algorithm SIMs could be cloned in hours using only challenge/response queries. Modern USIMs use stronger algorithms, but physical attack techniques have advanced in parallel. A cloned SIM receives all calls and SMS intended for the victim and can place calls that appear to originate from the victim's number.
eSIM RSP profile injection [critical]
eSIM Remote SIM Provisioning (RSP) enables operator profiles to be downloaded over-the-air via the SM-DP+ (Subscription Manager Data Preparation) server. Vulnerabilities in the RSP protocol (GSMA SGP.02/SGP.22), weak SM-DP+ authentication, or compromise of the provisioning infrastructure can allow a rogue operator profile to be installed on a device without user consent. This effectively transfers subscriber identity to the attacker's control without physical access to the device.
IMSI exposure on the radio interface [high]
In 2G, 3G, and 4G networks, the IMSI is transmitted in plaintext in Initial Attach messages before any encryption or authentication is established. A passive radio observer or active IMSI catcher can capture IMSIs simply by monitoring attach procedures. Knowing a subscriber's IMSI allows correlation of radio events to a specific identity, enabling long-term location tracking and correlation with other data sources. This is the primary mechanism behind commercial 'phone tracking' services operating via SS7.
Authentication vector theft and replay [critical]
Authentication vectors (AVs) — the triplets (2G/3G) and quintets (4G) used in the AKA (Authentication and Key Agreement) procedure — are generated by the HLR/HSS and distributed to serving network nodes. If an attacker can obtain AVs via SS7 (MAP SendAuthenticationInfo) or via a compromised network node, they can replay them to authenticate as the victim subscriber without possessing the Ki. This bypasses the primary cryptographic defence in the subscriber identity system.
SUPI/SUCI attacks in 5G [high]
5G introduced SUCI (Subscription Concealed Identifier), which encrypts the SUPI/IMSI using the home network's public key before transmission. Implementation weaknesses — including use of the null encryption scheme (a standards-permitted but insecure option), incorrect key management, or SUCI stripping by compromised network elements — can expose the SUPI. Additionally, 5G devices roaming onto 4G or 2G networks revert to plaintext IMSI exposure.
Impact
01. Complete subscriber impersonation — a cloned SIM or stolen authentication vector allows an attacker to place calls, send SMS, and authenticate to services as the victim, defeating every higher-layer security control that relies on subscriber identity.
02. Long-term covert surveillance — persistent IMSI tracking enables detailed mapping of an individual's movements, associations, and behaviour patterns over months or years, with applications in targeted stalking, corporate espionage, and state surveillance.
03. Cascading account takeover — mobile number compromise via SIM clone or eSIM attack unlocks every service that uses the phone number as an authentication or recovery channel, including banking, email, and identity verification.
04. Undermining network security architecture — authentication vector theft defeats the cryptographic foundation of AKA, meaning that all upstream security assumptions (encryption keys, session integrity) built on that authentication are invalid.
Mitigations & solutions
Protect Ki databases and provisioning infrastructure
Treat the HLR/HSS Ki database and SM-DP+ infrastructure as the most sensitive assets in the network. Enforce strict access controls, hardware security modules (HSMs) for Ki storage, comprehensive audit logging, and anomalous-access alerting. Segregate Ki databases from general core network management planes.
Deploy 5G SUCI and disable null encryption scheme
Ensure all 5G deployments enforce SUCI with a non-null encryption scheme (ECIES profile A or B). Explicitly disable the null SUCI protection scheme in network configuration. Maintain SUCI public keys in a well-managed PKI with regular rotation.
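The null-scheme exposure described under "SUPI/SUCI attacks in 5G" and the configuration check this mitigation calls for, as an added example that is not part of the original page: a parser for the NAI-form SUCI string defined in 3GPP TS 23.003 (suci-type-mcc-mnc-routing indicator-scheme id-key id-scheme output) that recovers the plaintext IMSI whenever the protection scheme id is 0, so an operator can confirm from AMF registration logs that no UE is still sending the null scheme. The sample SUCIs are constructed: the null-scheme one follows the layout in the specification, and the Profile A/B scheme outputs are placeholder hex rather than real ciphertexts.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Protection scheme identifiers per 3GPP TS 33.501 Annex C; 3-11 are reserved, 12-15 proprietary.
SCHEME_NAMES = {0: "null", 1: "ECIES Profile A", 2: "ECIES Profile B"}

# NAI-form SUCI for an IMSI-based SUPI (supi type 0), TS 23.003:
#   suci-<supi type>-<mcc>-<mnc>-<routing indicator>-<scheme id>-<hn key id>-<scheme output>
SUCI_RE = re.compile(
    r"^suci-(?P<supi_type>\d)-(?P<mcc>\d{3})-(?P<mnc>\d{2,3})-(?P<ri>\d{1,4})-"
    r"(?P<scheme>\d{1,2})-(?P<hn_key>\d{1,3})-(?P<output>[0-9a-fA-F]+)$"
)


@dataclass(frozen=True)
class Suci:
    supi_type: int
    mcc: str
    mnc: str
    routing_indicator: str
    scheme_id: int
    hn_key_id: int
    scheme_output: str


def parse_suci(text: str) -> Suci:
    """Split a SUCI string into its fields; raises ValueError on anything else."""
    m = SUCI_RE.match(text)
    if not m:
        raise ValueError(f"not a SUCI: {text!r}")
    return Suci(int(m["supi_type"]), m["mcc"], m["mnc"], m["ri"],
                int(m["scheme"]), int(m["hn_key"]), m["output"])


def scheme_name(s: Suci) -> str:
    return SCHEME_NAMES.get(s.scheme_id, f"reserved/proprietary ({s.scheme_id})")


def exposed_imsi(s: Suci) -> Optional[str]:
    """With the null scheme the scheme output is the MSIN itself, so MCC+MNC+output
    is the plaintext IMSI. Profiles A and B carry an ephemeral public key, a
    ciphertext and a MAC tag, which reveal nothing about the MSIN without the
    home network's private key, so they return None."""
    if s.supi_type == 0 and s.scheme_id == 0:
        return s.mcc + s.mnc + s.scheme_output
    return None


def audit_registrations(suci_strings):
    """Count protection schemes seen and collect every IMSI that went over the air in clear."""
    counts = {}
    exposed = []
    for text in suci_strings:
        s = parse_suci(text)
        name = scheme_name(s)
        counts[name] = counts.get(name, 0) + 1
        imsi = exposed_imsi(s)
        if imsi is not None:
            exposed.append(imsi)
    return counts, exposed


# Constructed sample SUCIs as an AMF might log them at registration.
SAMPLE_SUCIS = [
    "suci-0-234-15-0000-0-0-0000000391",                             # null scheme: MSIN 0000000391 in clear
    "suci-0-234-15-0000-1-27-" + "ab" * 32 + "cd" * 16 + "ef" * 8,   # placeholder Profile A output (not a real ciphertext)
    "suci-0-234-15-0000-2-5-04" + "12" * 64 + "cd" * 16 + "ef" * 8,  # placeholder Profile B output
]

if __name__ == "__main__":
    counts, exposed = audit_registrations(SAMPLE_SUCIS)
    print("schemes seen:", counts)
    print("IMSIs sent in clear:", exposed)
```

Any entry in the "null" bucket means a UE is registering with scheme id 0; in a deployment where the home network's SUCI public key is provisioned on the USIM, that should be zero, and a non-zero count points either at USIMs without the key or at an AMF configured to accept the null scheme.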
Enforce GSMA SGP.02/SGP.22 for eSIM security
Validate SM-DP+ and SM-DS implementations against GSMA eSIM specifications. Require EAL4+ certification for eSIM chips. Implement mutual authentication between the eSIM and SM-DP+, enforce profile download confirmation with user interaction, and log all RSP operations centrally.
Monitor for duplicate IMSI usage and AV anomalies
Implement detection for SIM cloning indicators: the same IMSI appearing simultaneously in multiple serving networks, authentication failures exceeding normal thresholds for a specific IMSI, and MAP SendAuthenticationInfo queries for subscribers who are not currently roaming. These patterns are strong indicators of cloning or AV theft.
Implement SS7 controls to block AV theft
Configure the SS7 firewall to block or require strong justification for MAP SendAuthenticationInfo requests originating from foreign networks. Legitimate authentication info requests from roaming networks should only occur for subscribers known to be roaming in that network — cross-reference against current VLR registrations to validate.
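The three cloning and AV-theft indicators listed under "Monitor for duplicate IMSI usage and AV anomalies" and the VLR cross-reference for MAP SendAuthenticationInfo requests described above, as an added example that is not part of the original page. It runs over a constructed event log; the log line format, the Event and parse_line helpers, the 001/01 test PLMN as the home network and the foreign PLMN codes are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Home PLMN of the operator running the checks (constructed: 001/01 is the test-network code).
HOME_PLMN = "001-01"


@dataclass(frozen=True)
class Event:
    ts: datetime   # time the core network logged the event
    kind: str      # "attach" (VLR/MME registration), "auth_fail" (AKA failure), "sai" (MAP SendAuthenticationInfo received)
    imsi: str
    plmn: str      # serving PLMN for attach/auth_fail; requesting PLMN for sai


def parse_line(line: str) -> Event:
    """Parse one line of the constructed 'timestamp kind imsi plmn' format; text after '#' is a comment."""
    ts, kind, imsi, plmn = line.split("#", 1)[0].split()
    return Event(datetime.fromisoformat(ts), kind, imsi, plmn)


# Constructed sample log; IMSIs use the 001/01 test PLMN, other PLMN codes stand for arbitrary foreign networks.
SAMPLE_LOG = """
2024-05-01T08:00:00 attach    001010000000003 262-01  # subscriber 3 roams in 262-01
2024-05-01T08:10:00 sai       001010000000003 262-01  # 262-01 asks for AVs: consistent with the roaming record
2024-05-01T09:00:00 attach    001010000000001 001-01
2024-05-01T09:02:00 attach    001010000000001 310-26  # same IMSI attaches in a second PLMN two minutes later
2024-05-01T09:00:00 attach    001010000000002 001-01
2024-05-01T09:05:00 sai       001010000000002 262-01  # 262-01 asks for AVs although subscriber 2 is at home
2024-05-01T10:00:00 auth_fail 001010000000004 001-01
2024-05-01T10:01:00 auth_fail 001010000000004 001-01
2024-05-01T10:02:00 auth_fail 001010000000004 001-01
2024-05-01T10:03:00 auth_fail 001010000000004 001-01
2024-05-01T10:04:00 auth_fail 001010000000004 001-01
2024-05-01T10:05:00 auth_fail 001010000000004 001-01
2024-05-01T10:00:00 auth_fail 001010000000005 001-01  # two failures 90 minutes apart: normal noise
2024-05-01T11:30:00 auth_fail 001010000000005 001-01
"""
SAMPLE_EVENTS = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]


def concurrent_registrations(events, window=timedelta(minutes=30)):
    """IMSIs that attach in two different PLMNs within `window`. One handset cannot be
    served by two networks at once, so a second attach elsewhere this soon is a cloning indicator."""
    last_attach = {}  # imsi -> (ts, plmn) of the most recent attach
    findings = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind != "attach":
            continue
        prev = last_attach.get(ev.imsi)
        if prev and prev[1] != ev.plmn and ev.ts - prev[0] <= window:
            findings.add(ev.imsi)
        last_attach[ev.imsi] = (ev.ts, ev.plmn)
    return findings


def auth_failure_outliers(events, threshold=5, window=timedelta(hours=1)):
    """IMSIs with more than `threshold` AKA failures inside any sliding window of `window`."""
    by_imsi = defaultdict(list)
    for ev in events:
        if ev.kind == "auth_fail":
            by_imsi[ev.imsi].append(ev.ts)
    findings = set()
    for imsi, times in by_imsi.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                findings.add(imsi)
                break
    return findings


def unjustified_sai(events):
    """SendAuthenticationInfo requests from a foreign PLMN in which the subscriber is not
    currently registered, using the latest attach before the request as the VLR/MME record."""
    location = {}  # imsi -> PLMN of the most recent attach
    flagged = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "attach":
            location[ev.imsi] = ev.plmn
        elif ev.kind == "sai" and ev.plmn != HOME_PLMN and location.get(ev.imsi) != ev.plmn:
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    print("possible clones:", sorted(concurrent_registrations(SAMPLE_EVENTS)))
    print("auth failure outliers:", sorted(auth_failure_outliers(SAMPLE_EVENTS)))
    print("unjustified SAI:", [(e.imsi, e.plmn) for e in unjustified_sai(SAMPLE_EVENTS)])
```

The 30-minute window in concurrent_registrations is a heuristic: a subscriber crossing a land border can legitimately re-attach in a neighbouring PLMN within minutes, so in production the window and the set of adjacent PLMN pairs should be tuned per operator. The unjustified_sai check is the same cross-reference the SS7 firewall rule above relies on, expressed as a detection rather than a block.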