Why YSK:

Because this scenario:

I know what some people are thinking:

My eSIM is tied to my phone, phones these days have encryption, so all I need to do is set a lockscreen password then a thief cannot access any of my data.

WRONG

At least in Android: You can just use some button combo (just look up “[Phone model] hard reset”) to get into the recovery menu and wipe all data, then reboot, and the eSIM is still there!

(Caveat to this: If you happen to have a Google account, it would force a FRP lock, and that would stop access, but most of fediverse does not like those type of online accounts, so: without a SIM PIN and without FRP locks, the eSIM is accessible to a thief)

Now the thief has your bank 2FA Codes!

TLDR: Set a pin on your SIM cards, even if it’s an eSIM (but especially if you use physical SIM cards)

(Curious: Does anyone actually use SIM PINs or do I just have a lot of paranoid regarding tech and potential hacks/exploits)

  • Onno (VK6FLAB)@lemmy.radio
    11·
    6 hours ago

    I’m sure I’m not alone in asking:

    1. How do you set a SIM PIN on a modern smartphone?
    2. Can it be more than four digits?
    3. What’s to stop it being brute forced?
    • 「黃家駒 Wong Ka Kui」@piefed.caOPEnglish
      9·
      5 hours ago

      SIM PINs are 4-8 digits

      The SIM Chip itself is supposed to limit entry attempts to 3, idk if anyone managed to bypass it

      After that, it required a PUK Code, 8 digits I believe. Its sometimes found on the big plastic card thing (its like the size of a credit card, and you pop off a physical sim from it). 10 Attempts.

      I think the carrier also has it.

      So an attacker needs to either:

      1. Guess the SIM PIN in 3 tries
      2. Somehow hack the chip to bypass the limits
      3. (a) Obtain the plastic card thing or (b) Social engineering to get customer support to provide PUK (I mean if they can manage to trick customer support, they could probably just get a new eSIM (which is immediately issued to their phone through the internet) anyways
        or
      4. Somehow guess a 8 digit code in 10 tries

      The thing is, I as a kid/teen messed with tech stuff a lot (got my parents SIM cards locked a few times 👀, they got so mad at me lol) and I found that sometimes I can reboot a phone and the 10 attempts on the PUK code would reset… idk how, maybe the SIM card had issues… or maybe it’s a T-Mobile issue.

    • MentalEdge@sopuli.xyz
      8·
      5 hours ago

      1. On android, the setting is in Settings>Security>More Security

      2. Yes

      3. The fact that it can only be attempted three times, after which a much longer PUK code you from your service provider must be used to restore funtionality to the SIM. It also has limited attempts, after which the SIM is locked forever.

      Not sure how that works cryptographically, or how robust a physical SIM is against tampering.

      • Natanael@slrpnk.net
        8·
        4 hours ago

        The eSIM uses the TPM and the physical SIM uses smartcards running Java applets. The SIM type smart cards generally make use of tamper resistant circuits and are set to not allow key extraction, similar to the TPM.

        It’s not undefeatable, but both require really expensive hardware and you can only target devices you physically have in your hand so it’s not worth the investment. If you’re law enforcement you don’t even care about unlocking the SIM, you’re just going to the carrier directly instead. If you’re not using that equipment for stealing hardware wallets from rich cryptocurrency owners, you don’t have a chance of return of investment. Also it will fail a lot (destroy the chip)