Where is a SIM PIN stored?

Is it stored in the mobile operating system you are using or can it be extracted from the SIM card itself? Would my carrier have any knowledge of what my SIM PIN is?

On the SIM, I think.

So if someone gets physical access to my SIM card they can potentially extract my PIN?

I think it’s encrypted.

I think I once forgot my SIM PIN and was even using a prepaid plan, and I called my carrier from a friend’s phone, and after giving them some identifying information (for example, when and how much I topped up my account) they gave me my PIN. That’s how I remember it, at least; it was 10+ years ago.

Yes, your carrier knows your PIN code, and no, it’s not stored on your devices or a SIM card.


You are required to give the PUK, IIRC.

They can change it wirelessly, but it is stored in the SIM.

Source?

I have one SIM that has no connection, but once I start the mobile, it asks me for the PIN.

That still doesn’t prove that the PIN is stored on the SIM card.

I was actually on a bus, I think; the PUK wasn’t at hand and they still gave me the PIN. Not really secure, I guess.

The SIM PIN is stored in the SIM card itself. Depending on the network and what specific SIM cards they are using it may or may not be possible to extract the PIN code from the card. Some use outdated encryption algorithms that can be easily defeated. Others allow OTA updates to the software on the SIM which can be exploited to gain access.

There is also the PUK (Personal Unblocking Key). If the SIM PIN is entered incorrectly 3 times, you need this. If the PUK is entered incorrectly 10 times, it blocks the SIM. Usually your network will be able to provide you with the PUK over the phone. They often give it to you with the SIM card when you first receive it.

I’ve never heard of a network changing a PIN remotely. I don’t think this is possible within the standards. What they provide is the PUK as mentioned above.

Even with a PIN set most SIM cards can have their network details cloned to be re-used in another device. But cloning doesn’t necessarily copy other data stored on the SIM such as contacts or SMS messages. It depends on the specific SIM and what software/encryption it is using.

EDIT: Just to add, if you never changed the default PIN code (which is very silly) then the network can provide this. Often 0000 or 1234. But sometimes it is set differently on each SIM by the network.

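Added example (not part of any post in this thread): a simplified model of card-side PIN checking with the 3-try PIN and 10-try PUK limits quoted in the answer above. The class and function names and the sample PIN/PUK are constructed; the status words (`9000`, `63CX`, `6983`) follow the VERIFY PIN and UNBLOCK PIN commands of ETSI TS 102 221, and resetting both counters after a correct PUK is an assumption of this model.

```python
import hmac

SW_OK = 0x9000       # command succeeded
SW_BLOCKED = 0x6983  # authentication method blocked, no tries left

class SimCardModel:
    """Constructed, simplified model of card-side PIN/PUK checking."""

    def __init__(self, pin, puk, pin_tries=3, puk_tries=10):
        self._pin, self._puk = pin, puk  # reference values stay inside the card
        self._pin_max, self._puk_max = pin_tries, puk_tries
        self.pin_left, self.puk_left = pin_tries, puk_tries

    def verify_pin(self, candidate):
        """Host sends a candidate PIN; the card answers with a status word only."""
        if self.pin_left == 0:
            return SW_BLOCKED            # even the right PIN is refused now
        if hmac.compare_digest(candidate, self._pin):
            self.pin_left = self._pin_max
            return SW_OK
        self.pin_left -= 1
        return 0x63C0 | self.pin_left    # 63CX: wrong PIN, X tries remaining

    def unblock_pin(self, puk, new_pin):
        """PUK check: on success set a new PIN and reset both counters."""
        if self.puk_left == 0:
            return SW_BLOCKED            # card is permanently blocked
        if hmac.compare_digest(puk, self._puk):
            self._pin = new_pin
            self.pin_left, self.puk_left = self._pin_max, self._puk_max
            return SW_OK
        self.puk_left -= 1
        return 0x63C0 | self.puk_left

def run_lockout_demo():
    """Three wrong PINs, one correct PIN after the block, then a PUK recovery."""
    card = SimCardModel(pin="4821", puk="30517764")  # constructed sample values
    trace = [card.verify_pin(g) for g in ("0000", "1234", "1111", "4821")]
    trace.append(card.unblock_pin("30517764", "7302"))
    trace.append(card.verify_pin("7302"))
    return [f"{sw:04X}" for sw in trace]

if __name__ == "__main__":
    print(run_lockout_demo())
```

In this model the host only ever sees status words, which is why a phone can prompt for the PIN with no network connection and without holding a copy of it.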

This just got me thinking, my provider doesn’t give SIM cards with a PIN anymore, at least on subscription plans, is this regular or?

I think they all have PINs but the standard seems to be to not prompt the user about them by default.

Can you link some spec documents?

It’s been quite a while since I’ve been through any, I’m afraid. But things are spread out over a lot of different documents, from the original GSM specs through to 5G ones, and with various different bodies (3GPP, ETSI, GSMA etc).

But a lot of the security comes down to the implementation and that’s all proprietary to the SIM card manufacturers and their partners.
