SecTor 2025 | Ghost SIM Attack: Hacking Mobile Network Authentication Policies

Black Hat
Apr 25, 2026

Why It Matters

Weak authentication policies give attackers a low‑cost, high‑impact path to fraud, threatening carrier revenues and customer confidence worldwide.

Key Takeaways

  • The Ghost SIM attack clones SIM data to exploit weak authentication policies.
  • Attack works across 2G‑5G by leveraging insecure time/event triggers.
  • Researchers used AT commands, ADB, and hardware readers for extraction.
  • Operators with long authentication timers expose larger fraud windows.
  • Automated testing reveals varied policy thresholds among global mobile carriers.

Summary

The SecTor 2025 presentation introduced the Ghost SIM attack, a technique that extracts critical SIM card data—such as IMSI and ICCID—and leverages weak mobile‑network authentication policies to commit fraud across 2G, 3G, 4G, and 5G systems.

The speakers detailed multiple extraction methods, from legacy SIM readers and AT‑command interfaces to modern Android Debug Bridge (ADB) interactions. Historical side‑channel attacks and classic SIM‑swap social engineering were contrasted with the newer approach that bypasses complex key‑recovery steps, instead exploiting operator‑defined authentication timers and event‑based triggers.

A live demo showed reading SIM files via pySim-shell and sending repeated SMS messages until an authentication request appeared—16 SMSes for one operator. The researchers highlighted stark policy differences, such as a 24‑hour timer versus a 30‑minute timer, illustrating how longer intervals dramatically enlarge the exploitable window.

The findings urge telecom operators to tighten authentication policies, shorten timer intervals, and restrict AT‑command exposure. Without remediation, carriers risk substantial revenue loss, regulatory penalties, and erosion of consumer trust as attackers can monetize cloned SIM credentials across any network generation.

Original Description

The authentication policy of a mobile operator dictates the frequency and conditions under which an authentication procedure is triggered on the subscriber following a set number of events. A lax or insufficiently robust authentication policy may allow an attacker to perform the Ghost SIM Attack, an attack that results in potential fraud, starting by extracting essential SIM card information.
This presentation presents a comprehensive overview of the experimental setup and methodology used to execute the Ghost SIM Attack, along with an in-depth analysis of the authentication policies implemented by various operators and technologies across multiple countries around the world.
The results reveal that the Ghost SIM Attack is successful across all the selected technologies and operators, highlighting the weak authentication policies configured. Finally, some countermeasures are proposed for the attack while also addressing its limitations.
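To make the policy parameters discussed above concrete from the operator's side, the following is an added example (not code from the presentation or from Ethon Shield) that models a simplified authentication policy with both a time-based trigger and per-event-type counters, then measures how many subscriber events a network would serve before its next authentication challenge. The policy structure, the event kinds and the periodic traffic are assumptions constructed for illustration; the 24-hour and 30-minute timers and the 16-SMS figure are taken from the summary above.

```python
"""Simplified model of an operator authentication policy (hypothetical).

An authentication policy decides when the network re-runs the authentication
procedure for a subscriber: after a timer expires, or after a set number of
events of a given kind. This model lets a defender compare how large the
unchallenged window is under different policy settings.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class AuthPolicy:
    """Hypothetical policy: re-authenticate when `timer_s` seconds have passed
    since the last challenge, or when the count of events of one kind reaches
    `event_threshold[kind]` (kinds without an entry never trigger by count)."""
    name: str
    timer_s: int
    event_threshold: Dict[str, int]


@dataclass
class SubscriberState:
    """Per-subscriber bookkeeping kept by the (modelled) core network."""
    last_auth_t: int = 0                      # assume a challenge at attach, t = 0
    counters: Dict[str, int] = field(default_factory=dict)


def process_event(policy: AuthPolicy, state: SubscriberState, t: int, kind: str) -> bool:
    """Apply one event at time t (seconds); return True if a challenge fires now."""
    state.counters[kind] = state.counters.get(kind, 0) + 1
    timer_expired = (t - state.last_auth_t) >= policy.timer_s
    threshold = policy.event_threshold.get(kind)
    count_hit = threshold is not None and state.counters[kind] >= threshold
    if timer_expired or count_hit:
        # A successful challenge resets both the timer and every counter.
        state.last_auth_t = t
        state.counters = {}
        return True
    return False


def periodic_events(kind: str, period_s: int, horizon_s: int) -> List[Tuple[int, str]]:
    """Constructed traffic: one event of `kind` every `period_s` seconds."""
    return [(t, kind) for t in range(period_s, horizon_s + 1, period_s)]


def unchallenged_window(policy: AuthPolicy,
                        events: List[Tuple[int, str]]) -> Tuple[int, Optional[int]]:
    """Return (events served before the first challenge, time of that challenge).

    The second element is None if no challenge fired within the event list.
    """
    state = SubscriberState()
    served = 0
    for t, kind in sorted(events):
        if process_event(policy, state, t, kind):
            return served, t
        served += 1
    return served, None


if __name__ == "__main__":
    two_days = 2 * 24 * 3600
    # Two policies that differ only in the timer length reported in the talk.
    long_timer = AuthPolicy("24h timer", 24 * 3600, {})
    short_timer = AuthPolicy("30min timer", 30 * 60, {})
    calls = periodic_events("call", 600, two_days)        # one call every 10 minutes
    for pol in (long_timer, short_timer):
        served, when = unchallenged_window(pol, calls)
        print(f"{pol.name}: {served} calls served before challenge at t={when}s")
    # An event-count trigger: challenge on the 16th SMS (figure from the summary).
    sms_policy = AuthPolicy("16-SMS trigger", 24 * 3600, {"sms": 16})
    sms = periodic_events("sms", 60, 3600)                # one SMS per minute
    print(f"{sms_policy.name}:", unchallenged_window(sms_policy, sms))
```

Running the script shows the point the researchers make: with identical traffic, the 30-minute timer leaves two calls unchallenged while the 24-hour timer leaves 143, and an event-count trigger bounds the window by events rather than by elapsed time. The model deliberately omits real-world details such as location-update triggers and per-technology differences, so thresholds measured against a live network will differ.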
By:
Pedro Cabrera | Founder, Ethon Shield
Miguel Gallego | Partner, Ethon Shield
Presentation Materials Available at:
