SIM Toolkit Attacks Prevention: Protect Against Simjacker

Understanding SIM Toolkit Attacks

SIM Toolkit (STK) attacks exploit applications embedded on SIM cards to remotely control device functions. The most notorious example, Simjacker, was discovered in 2019 and used to track victims in over 30 countries. PrivateSims eSIM profiles are designed with security in mind, minimizing attack surface.

How Simjacker Works

Simjacker exploits the S@T Browser, a legacy application present on many SIM cards. An attacker sends a specially crafted SMS containing STK commands that:

• Retrieve location: Force the device to reveal its Cell-ID and GPS coordinates
• Extract IMEI: Read the device unique hardware identifier
• Send SMS: Silently send messages from the victim device
• Make calls: Initiate calls without user interaction

Protection Strategies

Modern eSIM profiles from PrivateSims do not include vulnerable legacy applications. Using a data-only eSIM eliminates the SMS vector entirely. For more on SIM-based attacks, see our Simjacker prevention guide.

FAQ

Are eSIMs vulnerable to Simjacker?

eSIM profiles from modern privacy-focused providers typically do not include the vulnerable S@T Browser. Data-only eSIMs are additionally protected because Simjacker requires SMS delivery.

How do I know if my SIM has the S@T Browser?

Tools like SIMTester can check physical SIMs. For eSIMs, check with your provider whether their profiles include STK applications.