this post was submitted on 23 Sep 2023
7 points (73.3% liked)

Cybersecurity

5722 readers
107 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Community Rules

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]

Notable mention to [email protected]

founded 1 year ago
MODERATORS
 

I know it's an odd question, but where I live phones get stolen often. My phone doesn't have the option for an eSim, which is a problem because 90% of the time when a thief steals a phone they take out the SIM card immediately, meaning I wouldn't be able to remotely lock or wipe my phone.

Should I consider glueing the SIM tray shut? Or are there alternative less permanent measures I can take to keep my device secure?

all 15 comments
sorted by: hot top controversial new old
[–] InEnduringGrowStrong 16 points 1 year ago (1 children)

If I was stealing phones, I'd probably ditch the SIM first too.
Wouldn't want connectivity that will follow me around.
If removing the SIM fails, they'll either:

  • panic and scrap it on the spot / throw it as far as they can
  • calmly sigh and dump it in a metal can or mesh bag for later

Either way, you're probably never seeing this phone again after it gets stolen.
As such, I'm assuming the main focus is on protecting the data on it, more than the thing itself.

First thing to do is to encrypt it.
Remote lock? Your phone should already be locked if it's not in your hand.
Disable all the features that unlock your phone when at home and other shenanigans.

Encrypted and locked means someone who gets their hands on it is much less likely to log into everything and make your life hell.
A thief probably won't bother breaking encryption.
A lettered gov agency probably maybe might, but that's a whole different topic.
Remote wipe is never guaranteed anyway.
Faraday cages are utterly simple.

A phone thief wants money.
Your saved passwords, accounts, bank app, stuff like that are prime targets.
After that they could sell the phone or its parts.

There's honestly very little advantage to gluing your SIM tray and it's gonna suck for you when you change providers or they issue you a new SIM for some reason.

Don't leave your phone unlocked.
Don't leave your phone unattended.
Encrypt it.
Lock it.
Keep it updated.

I honestly wish traditional SIMs would die already, along with SMS-based and email-based 2FA.
TOTP 2FA is fine the others are mostly smoke and mirror.

[–] [email protected] 2 points 1 year ago (1 children)

Or just... turn it off until they can swap out the sim?

[–] InEnduringGrowStrong 2 points 1 year ago

Yea that too.
Aside from phones, there are enough airtags or similar trackers around these days, I'd imagine thieves might use signal blocking bags.

Either way, gluing your SIM slot is mostly useless.

[–] [email protected] 4 points 1 year ago (1 children)

to keep my device secure?

I assume in your case the vast majority of phone thefts are to resell the device, not to obtain any information of the device.

I wouldn't see this as keeping it secure, It will not prevent theft. It may prevent the resale of the phone but that just means they will destroy it in short order.

If theft of data is the issue, they still have physical possession of the device...

[–] darkstar 2 points 1 year ago (1 children)

True, the vast majority are to resell or sell for parts, but there are data breaches occasionally as well. My idea is to keep the phone online with the SIM inside long enough for me to login to find my remotely and wipe the phone, that way it'll be wiped and locked down, only useful for parts in that scenario

[–] [email protected] 3 points 1 year ago

I am still not sure that it will help.

If they are smart enough to know to pull the sim immediately, caring a faraday bag would be my go to as a thief. Lift phone, immediately place in bag. Open while inside a shielded space. Strip phone for parts.

Job done.

If it is a data breach you are worrying about, the only real solution (and it is a terrible, incredibly limiting one) is to store nothing sensitive locally on the phone that is not encrypted.

[–] [email protected] 2 points 1 year ago (2 children)

No. It’s the Apple or Android account that is logged into the phone and whether it is connected to a mobile or WiFi network that will determine if you are able to remotely wipe it or not. They could remove/replace the sim but the next time it connects to one of those networks and has an internet connection, the remote wipe command will activate.

Your phone should always be locked with a pin, Face ID etc. if it isn’t the person can just log in to it and access all of your data or factory reset it.

[–] darkstar 1 points 1 year ago (3 children)

See I'm worried they'll keep the device offline and try to access it before it can be wiped remotely with find my.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

Depending on how old the phone is, this is less of an issue than you or others here think it is. Starting a few years ago, android at least can't simply be wiped and set back up from scratch. Manufacturers/Android did this in response to the increase in phone thefts. Iirc, this had a significant impact on the number of phones being stolen as an opportunity theft. If someone targets you, that's a different story.

As others have said. Make sure encryption is turned on and that it's setup with a pin. If you really are concerned then make sure the time out to lock is set to as low as possible and never have it unlocked if it's not in your hands.

[–] darkstar 1 points 1 year ago

It's a Samsung A34, so not old at all. Thank you for your response!

[–] InEnduringGrowStrong 1 points 1 year ago (1 children)

A Faraday cage is a pretty low tech and ubiquitous way to keep anything offline regardless.
They come in convenient travel bag formats these days, but an old metal can will do.

[–] [email protected] 2 points 1 year ago

Chip bags work a treat as well.

[–] [email protected] 1 points 1 year ago

That’s a possibility, but if it’s locked they won’t be able to log into it to access your data or factory reset it, which will make it essentially worthless to them.

Gluing the SIM card tray will add to that worthlessness but will also prevent you from being able to legitimately sell, trade or give away the phone.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Newer phones aren't worth stealing anymore (for the most part). New features at the bootloader level (pm android at least) prevent you from simply wiping the phone and using it. When you wipe it, you still need to have the pin that the last owner/user setup or else it's just a paper weight.

I dealt with this myself not long ago. I gave my step daughter my pixel 5a when I upgraded to a 7pro and she still needed my pin to set it up.