Can a physical SIM card from a previous phone pose a security risk for a Pixel?

leafnose

I guess the first question should be: can a physical SIM card be compromised through an insecure phone?

I’m going to install GOS on a brand new Pixel 9a (not for me). The issue is that I’m supposed to use a nano SIM card that has been used for years with an insecure phone (a 2017 Huawei phone that never received any kind of security updates).

I’m not comfortable with the idea of inserting this kind of chip inside a new Pixel with GOS. Also the SIM card will be used for 2FA, using the Mobile Signature Service (Swiss Mobile ID).
Would it make sense to order a new physical SIM card? (Or simply use an eSIM slot…)

To be clear, I’m not talking about a high threat model, where this SIM card would have been specifically targeted, and maybe even accessed physically. I’m talking about mass indiscriminate threats.

de0u

leafnose Personally I wouldn't worry about it a lot.

On the other hand, lots of carriers are willing to issue a new SIM card whenever requested, and in certain obscure situations older SIM cards can cause trouble.

idealizebush

I mean, theoretically you're safer in a sense using an eSIM, and it prevents a lot of SIM swap attacks based on the fact that it's soldered to the board and requires a few hoops to jump through before you can port the number.

idealizebush

A lot of people and I'm pretty sure I've seen the GrapheneOS account typically recommend Silent link it's an anon eSIM provider you can get using Monero or any Crypto of your choice.

0xC0DED0D0

Looked into this out of curiosity. Seems like the only real known threat of using older SIMs is an attack referred to as "Simjacker": https://www.enea.com/info/simjacker/

Discovered in 2019, I suppose it is possible that a SIM from 2017 might be affected. However, Switzerland is not listed among the countries where the S@T Browser SIM application has been utilized by carriers, according to the info on URL above.

Italy is, though, if that is relevant to your case.

Whatever the specifics, I also find it likely that affected carriers have issued replacement SIMs to customers already by this point.

But I agree with suggestions in this thread that swapping to eSIM is a wise choice. Impossible to remove from phone by any known means, and also killed if utilizing GrapheneOS's duress feature.

eSIMs are typically available from carrier's customer portal, 24/7, so no wait for delivery.

No-brainer.

leafnose

Thanks all for your answers.
I’m going to reuse the old SIM card because the future user of this phone doesn’t want to deal with the hassle of getting a new eSIM in the event that the Pixel is suddenly broken.