Sim Swaps and the eSIM
What is a SIM card?
SIM stands for "Subscriber Identity Module." It is essentially a key that provides you with cellular access. The SIM card itself holds an important encryption key known only to the SIM and the telecommunication carrier. SIM cards have evolved rapidly over the years, with changes in sizing as well. A standard SIM is 25mm x 15mm, a micro-SIM is 15mm x 12mm, a nano-SIM is 12.3mm x 8.8mm, and the smallest and newest of all, the eSIM, measures 2.5mm x 2.4mm.
What is an eSIM?
Unlike traditional SIM cards, which are modular and removable, eSIMs are not removable. The name can be quite confusing. We traditionally think of "e" as a substitution for "electronic," but in this scenario, the "e" in eSIM refers to it being embedded. It is a part of the internal hardware within a cellular device. Today, eSIM compatibility has become relatively standard. Some devices will have both a physical SIM tray and eSIM capability, while others will only have eSIM or physical SIM capability. Unlike physical SIM cards, eSIMs are mainly activated using a cellular device's IMEI or "International Mobile Equipment Identity."
If you check your device's "About" section within settings, you can see various long serial numbers such as EID, MEID, IMEI, MAC address, Bluetooth address, and so on. The IMEI is a unique serial number often referred to as the "fingerprint" of a cellular-compatible device. On a Wi-Fi/Bluetooth-only smartwatch you will not find an IMEI, but a cellular smartwatch will have one. The big difference between the two is the inclusion of an eSIM.

To make things more confusing, some devices have two IMEIs, IMEI1 and IMEI2. This gives a device the ability to have two operating MDNs or "Mobile Directory Numbers" concurrently. You can have a personal phone number and a business phone number operating on a single device at any given time. Many operating systems have organizational measures in place to help partition each phone line. Many devices will allow users to select which MDN to make calls from, notify users of which MDN is being used to contact them, and even create different voicemail greetings depending on the MDN that is being contacted.
What is SIM Swapping?
Your phone number holds more value than you probably believe. Most users are quite attached to their MDNs for various reasons. "All my friends and family have this number!" and "I have had it for so long" are common reasons for wanting to keep an MDN. One significant reason why phone numbers are so important is how many account credentials they are associated with.
Today, knowing a password is not enough to fully validate a user for whatever web application or operating system they are using. Thanks to many password attacks, such as brute force, cracking a password is quite easy. To counter this, many cybersecurity professionals have implemented MFA (Multi-factor authentication). MFA standards usually require authentication using two or more of the following: something you know (passwords or PINs), something you have (external tokens or proximity cards), something you are (biometrics like facial recognition and fingerprint), or somewhere you are (GPS location).
A very common secondary authentication method is the use of single-use PINs sent by SMS. For example, you sign into a web application using both the correct username and password. The application may also prompt you to enter a temporary PIN sent to the MDN on file to confirm your identity. Using SMS has some severe disadvantages. A phone number is only as safe as your carrier's security protocols.
You are ultimately at the mercy of your carrier's infrastructure and policies to ensure the integrity of this MFA method. Using tactics such as social engineering, many attackers will impersonate subscribers when calling support and use fake IDs when visiting stores. To the employees of any given carrier, SIM card replacements are not uncommon and are, in fact, a valuable resource for troubleshooting network connectivity issues. If a subscriber loses their device, they can easily request a new SIM card to be activated and used in a replacement device. This scenario is a common pretexting method used by many attackers in social engineering attempts when dealing with a carrier's support team.
Carriers are quite aware of SIM swapping methods and the damage that can be done to both a subscriber's finances and reputation if successful. Telecommunication employees take extensive precautions when a SIM replacement is requested. However, social engineering attempts have become more complex. It can be quite difficult for employees to mitigate risks within their business. Many attack methods are used, such as harvesting employees' credentials, phishing attempts, and even offering large sums of money for SIM swaps.
From personal experience, I have seen the crippling impact that can be caused when a subscriber is a victim of SIM swapping. Bank accounts are drained, and social media accounts are hacked. Using account notes, I can see that SIM replacements were still authorized even after an impostor failed multiple authentication protocols.
So how do eSIMs help?
There are many sectors where eSIMs help circumvent SIM swapping. Because of the "embedded" nature of eSIMs, a fraudulent actor cannot claim that they have lost their SIM card or that it is malfunctioning and needs to be replaced. In the latter scenario, troubleshooting eSIMs requires different methods than physical SIMs, such as network resets, pings, reprovisions, and sometimes full warranty replacements for the device. A social engineer claiming that they have "lost their SIM card" will be an automatic red flag, as support can clearly see that the current device is active using an eSIM.

Physical theft of a device is highly feared for many reasons. Cellular devices are not inexpensive and often hold very crucial information. Operating systems have their methods for authenticating the owner of the device through the "lock screen." Biometrics and pins are commonly used. Unfortunately, there is no authentication needed to remove a physical SIM card and insert it into a new device, effectively stealing the number. As stated earlier, some carriers have different limitations that require the replacement device's IMEI to be on file before a SIM is usable, but many others do not. eSIMs require this functionality. Theft of a device is never an easy situation to be in, but you can be reassured that your MDN is well guarded between the time of theft and suspension.
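The three red flags this section describes (a "lost SIM" claim on a line that is active on an eSIM, a replacement device whose IMEI is not on file, and a replacement authorized shortly after failed authentication attempts) can be turned into a screening check that a support tool runs before a SIM replacement is approved. The following is an added example, not code from the original post or from any carrier; the account and request models, the event names, the 24-hour window and threshold, and the IMEI placeholder values are all assumptions chosen for illustration:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical account and request models; the field names are assumptions,
# not any carrier's real schema.

@dataclass
class Account:
    mdn: str
    sim_type: str                                # "eSIM" or "physical"
    imeis_on_file: set
    events: list = field(default_factory=list)   # (timestamp, event_name) pairs


@dataclass
class SimReplacementRequest:
    account: Account
    claimed_reason: str          # "lost_sim", "sim_malfunction", "device_lost", ...
    replacement_imei: str
    requested_at: datetime


FAILED_AUTH_WINDOW = timedelta(hours=24)   # assumed policy window
FAILED_AUTH_THRESHOLD = 2                  # assumed policy threshold


def screen_request(req: SimReplacementRequest) -> list:
    """Return the red flags raised by a SIM replacement request (empty list = none)."""
    flags = []
    acct = req.account

    # An eSIM is embedded: a claim that the SIM was lost, or is faulty and needs
    # a physical replacement, cannot be true for a line currently active on an eSIM.
    if acct.sim_type == "eSIM" and req.claimed_reason in ("lost_sim", "sim_malfunction"):
        flags.append("claim inconsistent with line active on eSIM")

    # Moving the line to a device the subscriber never registered is the core of a swap.
    if req.replacement_imei not in acct.imeis_on_file:
        flags.append("replacement IMEI not on file")

    # Failed identity checks shortly before the request should block approval,
    # not merely be recorded in the account notes.
    window_start = req.requested_at - FAILED_AUTH_WINDOW
    failures = [ts for ts, name in acct.events
                if name == "auth_failed" and window_start <= ts <= req.requested_at]
    if len(failures) >= FAILED_AUTH_THRESHOLD:
        flags.append(f"{len(failures)} failed authentication attempts in the last 24h")

    return flags


# Constructed sample data (not real subscribers, numbers or IMEIs).
NOW = datetime(2024, 1, 15, 14, 0)

FRAUD_ACCOUNT = Account(
    mdn="555-0100", sim_type="eSIM", imeis_on_file={"IMEI-PLACEHOLDER-A"},
    events=[(NOW - timedelta(hours=2), "auth_failed"),
            (NOW - timedelta(hours=1), "auth_failed"),
            (NOW - timedelta(minutes=5), "support_call")],
)
FRAUD_REQUEST = SimReplacementRequest(
    account=FRAUD_ACCOUNT, claimed_reason="lost_sim",
    replacement_imei="IMEI-PLACEHOLDER-X", requested_at=NOW,
)

LEGIT_ACCOUNT = Account(
    mdn="555-0101", sim_type="physical",
    imeis_on_file={"IMEI-PLACEHOLDER-B", "IMEI-PLACEHOLDER-C"},
    events=[(NOW - timedelta(days=3), "auth_ok")],
)
LEGIT_REQUEST = SimReplacementRequest(
    account=LEGIT_ACCOUNT, claimed_reason="device_lost",
    replacement_imei="IMEI-PLACEHOLDER-C", requested_at=NOW,
)

if __name__ == "__main__":
    for label, req in (("fraud", FRAUD_REQUEST), ("legit", LEGIT_REQUEST)):
        print(label, screen_request(req) or "no flags")
```

The point of returning a list rather than a yes/no is that each flag maps to a distinct reason in the account notes, so a later review can see exactly which check a representative overrode.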
eSIM Implementation
Apple has played a significant role in driving the widespread adoption of eSIMs, with the past two generations in the US no longer supporting physical SIM cards. However, other manufacturers and carriers have been slow to follow suit. This is particularly true for phone carriers operating outside the US. Apple products sold internationally still feature physical SIM trays, as many foreign carriers have not yet updated their infrastructure to support widespread eSIM use.
While eSIMs can provide assistance, they do not entirely eliminate the risk of SMS verification theft. Attackers will inevitably devise new methods to bypass the removal of physical SIM cards, and many vulnerabilities still exist. Techniques like SMS/voice forwarding, packet capturing, and syncing attacks can still be effective. In light of these risks, many web applications have disabled SMS verification altogether or have implemented more stringent MFA (Multi-Factor Authentication) standards. Safer alternatives, such as hardware or software tokens, are available, but in cases where SMS is deemed necessary, an eSIM can help mitigate some of the most glaring security weaknesses.