Privacy Issues in Global IoT SIM Card Usage

Written By Jason Brashear

Jason is a seasoned cybersecurity expert and project manager at Titanium Computing, an Austin-based Managed Service Provider (MSP) specializing in advanced IT solutions for small and medium-sized businesses. With a deep passion for leveraging cutting-edge technology to protect organizations from evolving cyber threats, Jason combines his technical expertise and leadership skills to deliver tailored security strategies. He is committed to educating businesses on the importance of proactive cybersecurity measures, ensuring they stay resilient in today’s digital-first world.


Introduction

The Internet of Things (IoT) SIM card is a subscriber identity module used to connect IoT devices to cellular networks. These SIMs enable global connectivity for smart devices, sensors, and machines. However, they also raise significant privacy concerns. IoT SIMs can generate sensitive data (like device location, usage patterns, or sensor readings) that must be protected. This report provides a comprehensive overview of privacy issues associated with IoT SIM cards, including potential vulnerabilities, data exposure risks, surveillance concerns, and provider practices that may compromise privacy. We also compare major IoT SIM providers and highlight standards and regulations affecting IoT SIM privacy.

Data Handling and Encryption in IoT SIM Communications

IoT SIM cards participate in cellular network communication, which comes with several security features built in. Data in transit over the radio link is encrypted at the link layer: LTE- and 5G-based IoT networks (LTE-M and NB-IoT included) inherit mutual authentication, integrity protection and encryption of traffic between the device and the base station from the cellular standards. As IoT devices transmit data over cellular, the link-level communications are therefore encrypted and authenticated by design. Note the scope, though: that protection ends at the base station, and on older 2G networks the device does not authenticate the network at all (see the legacy-network discussion below). Many IoT SIM providers additionally offer application-layer end-to-end encryption options (TLS or VPN tunnels) to protect data all the way from the device to the cloud service, and some implement network-side encryption or private networking so that IoT data never traverses the public internet unencrypted.

Data at rest, on the other hand, is information stored on the SIM itself or in backend systems. A SIM is tamper-resistant hardware built to hold cryptographic keys and identifiers securely. IoT SIMs (including eSIM and embedded form factors) are secure elements commonly certified to Common Criteria EAL4+ or EAL5+, which makes extraction of stored keys extremely difficult. As one industry example, Vodafone notes that its IoT SIMs are "designed to be tamper-resistant" and are only granted access to necessary services. This secure storage protects the subscriber authentication key Ki, which never leaves the SIM, along with the IMSI and any data cached on the card. It does not, by itself, protect the copies of those keys held elsewhere (at the operator or the SIM manufacturer), which is exactly what the breaches discussed later exploited.

In backend systems, IoT connectivity providers handle device metadata, SIM provisioning information and, if they offer cloud services, possibly the IoT data itself. Leading providers encrypt this data at rest and restrict database access. For instance, the IoT MVNO Hologram states that it has no access to customer device payload data by design: customer traffic that is encrypted end to end is relayed without Hologram or its carrier partners being able to read it. The caveat is that this property depends on the customer's application actually encrypting its payloads; a provider can only be blind to what the device itself protects. Hologram also states that its systems conform to the GSMA Security Accreditation Scheme (SAS) for SIM data management. Best practice, then, is to encrypt sensitive IoT data both in transit and in storage so that even the provider's access to the content is limited.

Gaps remain despite these protections. Not every IoT deployment encrypts at the application layer; some rely solely on the built-in cellular encryption. If a device sends cleartext (HTTP instead of HTTPS, or MQTT without TLS), a compromise of the network or a malicious insider could read that information. Radio-layer encryption terminates at the base station, so the path from the base station through the mobile core to an IoT cloud endpoint is only as protected as the operator's backhaul and whatever TLS or VPN the device applies. Responsible IoT SIM usage therefore means private APNs or VPN tunnels to keep data flows off the public internet, plus TLS at the application layer so that the payload is unreadable even to the connectivity provider. Providers such as Emnify offer cloud integration (IPsec tunnels or private APNs) so that device data reaches cloud backends securely.

Common Vulnerabilities and Attack Vectors

While IoT SIM cards leverage the security of cellular networks, they are still vulnerable to certain attacks and misconfigurations that can jeopardize privacy:

  • SIM Toolkit exploits (Simjacker and WIBattack): In 2019, researchers disclosed SIM-based vulnerabilities said to affect SIMs used by "over 1 billion" subscribers. Simjacker works by sending a specially crafted binary SMS (an SMS-PP "SIM data download" message) to the target. The SMS instructs the S@T Browser, a SIM Toolkit application present on many SIMs, to run commands on the handset or module without the user's knowledge: the applet collects sensitive information such as the device's location (serving cell) and IMEI and exfiltrates it by SMS, leaving no trace visible to the user. The root cause was that the S@T Browser accepted such messages without requiring the cryptographic checksum or signature that the OTA standard provides for. The attack was not theoretical; it was actively used by a private company working with government agencies to surveil individuals. A related exploit dubbed WIBattack, targeting the Wireless Internet Browser toolkit on other SIMs, was disclosed soon after using the same OTA SMS approach. Researchers noted that "at least two hacking techniques leverage vulnerabilities in SIM cards, potentially exposing billions of mobile users to attacks". IoT devices are an attractive target here: they rarely receive SMS, usually have no user interface that would reveal anything unusual, and are often deployed unattended, so a vulnerable SIM could be made to report the device's location or serve as a foothold into connected systems.

  • Over-the-air (OTA) SIM updates and misconfigurations: Operators routinely send OTA updates to SIMs for provisioning, over the same binary-SMS channel that Simjacker abuses. If the OTA mechanism is not secured (weak or absent encryption and authentication on OTA commands, or SIM applets that accept unauthenticated packets), attackers can spoof updates to alter SIM settings or extract data. Misconfiguration of the Access Point Name (APN) creates a different class of risk: on a public APN with no inbound filtering, the IoT device may be reachable from the internet, and a poorly secured device can then be probed or compromised by external actors. Best practice is a private APN or VPN tunnel, or at minimum a provider that isolates devices from each other and from the public internet with network segmentation and firewalling that blocks unsolicited traffic. Without such isolation, a hacked device can reach other devices on the same network, and an internet-based attacker can reach any device whose IP is routable. Open ports and default credentials on IoT endpoints have caused large breaches before (the Mirai botnet compromised devices en masse through open Telnet ports and factory-default passwords); that was not a SIM-specific issue, but a SIM that provides connectivity with no network-level filtering makes exactly that kind of exposure possible.

  • Legacy network exploits (2G/3G interception): Many IoT SIMs are used in remote or globally deployed devices that fall back to older networks (2G/GSM or 3G) where those still exist. GSM in particular authenticates only the SIM to the network, never the network to the device, its A5/1 cipher is practically broken, and networks may negotiate A5/0 (no encryption) for compatibility. An attacker with modest equipment (an IMSI catcher or fake base station) can therefore force a device down to 2G and then intercept or manipulate its traffic, or at least track its location. This is a particular concern for IoT devices left unattended in the field, where nobody notices that the modem has been camping on a rogue cell for days. Modern IoT deployments mitigate this by locking the module's radio access technology to LTE-M/NB-IoT (and, where the operator supports it, restricting the subscription to 4G/5G networks) and by not relying on the cellular link as the only layer of encryption. Not all deployments do so.

  • SIM swapping and cloning: IoT devices are not the usual target of SIM swap social engineering, which typically goes after individuals' phone numbers, but there are scenarios in which an attacker would clone or swap an IoT SIM to intercept its communications. If the SIM's credentials are stolen (for example through a breach of the operator's or manufacturer's key store, as discussed in the next section), an attacker can build a duplicate SIM that receives the device's data or impersonates the device to the cloud. And where an IoT system uses SMS for remote management, an attacker who knows the SIM's phone number could obtain a fraudulent SIM swap from the operator to hijack those commands, or simply spoof the sender's number to inject malicious ones. The countermeasures are strong authentication of any SIM management action at the provider, cryptographic authentication of remote-management messages at the device (rather than trusting the sending number), and monitoring for unusual usage patterns such as a SIM suddenly attaching from a new IMEI or location.

  • Device/SIM physical compromise: IoT devices in the field are often physically accessible (a smart meter on a house, a sensor in a public area). An attacker with physical access can remove the SIM and insert it into another device. The authentication key cannot be read out, but the IMSI, phone book and any SMS stored on the card can be read with an ordinary card reader, and the subscription itself can be abused: the attacker's device now enjoys the legitimate data plan and network position, for instance to reach private APN resources or to talk to malicious servers on the victim's account. In sensitive deployments, measures such as IMEI locking (the provider binds the SIM to a specific device and refuses attachment from any other) or soldered embedded SIMs (eSIM) mitigate this. Some IoT SIMs are now integrated SIMs (iSIM) on the modem chipset, which are non-removable and thus less prone to physical tampering, further protecting the credentials stored within.

In summary, IoT SIMs expand the attack surface: not only the device but also the SIM card and its network configuration must be secured. SIM-specific attacks like Simjacker show how privacy can be compromised at the network/SIM level even when the device OS itself is never breached. Proper configuration (private APNs, firewalls, disabling unused SIM toolkit applications) and up-to-date SIM software reduce these risks. Providers and standards bodies have responded with improved safeguards: after Simjacker, the GSMA issued new SIM protection guidance, operators began filtering the binary SMS that target the affected toolkit applets, and SIM profiles were updated to remove those applets or to require authenticated messages.
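The two SMS-borne risks above, Simjacker-style SIM data download messages and spoofed or replayed remote-management commands, can both be screened with the same piece of code. The following Python is an added example written for this page, not code from any provider or researcher named here. It parses a GSM 03.40 SMS-DELIVER TPDU, identifies SIM data download messages (TP-PID 0x7F or TP-DCS message class 2), reads the GSM 03.48 / ETSI TS 102 225 command header and rejects packets whose SPI requests no cryptographic checksum (CC) or digital signature (DS), and requires an HMAC-SHA256 tag plus a monotonic counter on text commands. The per-device key, the TAR value, the text command format and the sample messages are all constructed assumptions.

```python
"""Screening inbound SMS on an unattended IoT device (added example, constructed data)."""
import hashlib
import hmac

# ---- GSM 03.40 SMS-DELIVER TPDU -------------------------------------------------

def parse_sms_deliver(tpdu: bytes) -> dict:
    """Extract TP-PID, TP-DCS, user-data header and payload from an SMS-DELIVER TPDU."""
    first = tpdu[0]
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    udhi = bool(first & 0x40)                 # TP-UDHI: a user-data header is present
    oa_digits = tpdu[1]                       # TP-OA length in digits
    pos = 3 + (oa_digits + 1) // 2            # skip length, type-of-address and BCD digits
    pid, dcs = tpdu[pos], tpdu[pos + 1]
    udl = tpdu[pos + 9]                       # TP-UDL follows the 7-octet TP-SCTS
    ud = tpdu[pos + 10:pos + 10 + udl]
    udh = b""
    if udhi:
        udh, ud = ud[1:1 + ud[0]], ud[1 + ud[0]:]
    return {"pid": pid, "dcs": dcs, "udh": udh, "payload": ud}

def is_class2(dcs: int) -> bool:
    """TP-DCS message class 2 ('SIM specific'): the ME hands the message to the SIM."""
    group = dcs >> 4
    if group == 0xF:                          # data coding / message class group
        return dcs & 0x03 == 0x02
    if group <= 0x3:                          # general data coding group, class flag is b4
        return bool(dcs & 0x10) and dcs & 0x03 == 0x02
    return False

# ---- GSM 03.48 / ETSI TS 102 225 secured command packet ---------------------------

def parse_command_packet(data: bytes) -> dict:
    """Read the command header; SPI byte 1 bits b2b1 select RC, CC or DS protection."""
    spi1 = data[3]
    return {
        "cpl": int.from_bytes(data[0:2], "big"), "chl": data[2],
        "integrity": ("none", "RC", "CC", "DS")[spi1 & 0x03],
        "ciphered": bool(spi1 & 0x04),
        "kic": data[5], "kid": data[6], "tar": data[7:10], "cntr": data[10:15],
    }

def verify_command(text: str, key: bytes, last_counter: int):
    """Hypothetical text-command format '<counter>:<command>:<hex tag>', tag = HMAC-SHA256."""
    try:
        ctr_s, cmd, tag = text.split(":")
        ctr = int(ctr_s)
    except ValueError:
        return ("DROP", "malformed command", last_counter)
    expected = hmac.new(key, f"{ctr}:{cmd}".encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(expected, tag):
        return ("DROP", "bad HMAC tag", last_counter)
    if ctr <= last_counter:
        return ("DROP", "replayed counter", last_counter)
    return ("EXECUTE", cmd, ctr)

def screen_sms(tpdu: bytes, key: bytes, last_counter: int):
    """Return (verdict, detail, updated_counter) for one inbound SMS."""
    msg = parse_sms_deliver(tpdu)
    if msg["pid"] == 0x7F or is_class2(msg["dcs"]):      # SIM data download: bound for the SIM
        pkt = parse_command_packet(msg["payload"])
        if pkt["integrity"] not in ("CC", "DS"):          # RC is a plain CRC, not authentication
            return ("DROP", f"unauthenticated OTA packet, TAR {pkt['tar'].hex()}", last_counter)
        return ("PASS_TO_SIM", f"OTA packet with {pkt['integrity']}", last_counter)
    return verify_command(msg["payload"].decode("ascii", "replace"), key, last_counter)

# ---- constructed samples (builders mirror the parsers above) ------------------------

KEY = b"per-device-key-provisioned-out-of-band"   # assumption: one key per device
TAR = bytes.fromhex("A0B0C0")                      # placeholder TAR, not a real applet's value
UDH_CMD = bytes([0x70, 0x00])                      # IEI 0x70: command packet identifier

def build_command_packet(spi1: int, tar: bytes, secured: bytes, mac: bytes = b"") -> bytes:
    header = bytes([spi1, 0x00, 0x00, 0x00]) + tar + bytes(5) + b"\x00" + mac  # SPI KIc KID TAR CNTR PCNTR [CC/DS]
    body = bytes([len(header)]) + header + secured                              # CHL, header, secured data
    return len(body).to_bytes(2, "big") + body                                   # CPL

def build_sms_deliver(pid: int, dcs: int, user_data: bytes, udh: bytes = b"") -> bytes:
    ud = bytes([len(udh)]) + udh + user_data if udh else user_data
    return (bytes([0x40 if udh else 0x00, 0x0B, 0x91]) + bytes.fromhex("2143658709F1")  # OA +12345678901
            + bytes([pid, dcs]) + bytes.fromhex("52104212000000") + bytes([len(ud)]) + ud)

def signed_command(counter: int, cmd: str, key: bytes = KEY) -> bytes:
    tag = hmac.new(key, f"{counter}:{cmd}".encode(), hashlib.sha256).hexdigest()[:32]
    return build_sms_deliver(0x00, 0x04, f"{counter}:{cmd}:{tag}".encode())  # DCS 0x04: 8-bit data, no class

SIMJACKER_LIKE = build_sms_deliver(0x7F, 0xF6, build_command_packet(0x00, TAR, b"\x01\x02\x03"), UDH_CMD)
SIGNED_OTA = build_sms_deliver(0x7F, 0xF6, build_command_packet(0x02, TAR, b"\x01\x02\x03", bytes(8)), UDH_CMD)

if __name__ == "__main__":
    counter = 0
    for tpdu in (SIMJACKER_LIKE, SIGNED_OTA, signed_command(1, "REBOOT"), signed_command(1, "REBOOT")):
        verdict, detail, counter = screen_sms(tpdu, KEY, counter)
        print(verdict, detail)
```

Run as a script, the four samples produce DROP (no CC/DS on the OTA packet), PASS_TO_SIM, EXECUTE and DROP (replay of counter 1). One practical caveat: on most modules the baseband routes class 2 / PID 0x7F messages straight to the SIM, so the application never sees them. The OTA check therefore belongs first of all in the operator's SMS firewall, which sees every TPDU, and in a SIM profile whose applets insist on CC or DS; the application-side version is shown to make the detection criteria concrete and as a second line of defense where the modem does expose raw TPDUs.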

Notable Breaches and Security Incidents Involving IoT SIM Providers

Despite precautions, there have been several high-profile breaches and incidents that highlight privacy weaknesses in the IoT SIM ecosystem:

  • Mass SIM data breach (SK Telecom, 2025): In April 2025, South Korea's largest mobile operator, SK Telecom, disclosed a security incident that investigators traced back nearly three years. Attackers had planted malware on internal servers and exfiltrated USIM data covering roughly 27 million subscriber records. The stolen data included subscribers' IMSIs and their authentication keys, together with other USIM-related subscriber data. This breach is especially alarming because the authentication key is the root of cellular security: with a subscriber's Ki, an attacker can clone the SIM, register on the network as the victim and, given the captured authentication exchange, derive the session keys that protect that subscriber's traffic. The leak of IMSIs and related data also raised the risk of SIM swap fraud. SK Telecom responded with a mass SIM replacement for affected users. Notably, the company clarified that the compromised records covered not just phone users but also SIMs used in IoT devices (M2M modules, smartwatches and the like). The incident shows how a breach at a provider can have far-reaching privacy consequences, affecting a significant share of a country's connected devices at once.

  • SIM manufacturer hack (Gemalto, revealed 2015): A landmark revelation from the Snowden documents was that the NSA and GCHQ had covertly broken into Gemalto, one of the world's largest SIM manufacturers, around 2010 and 2011 and harvested SIM encryption keys on a massive scale. Gemalto produced SIMs for hundreds of carriers globally, around 2 billion a year at the time. By obtaining the Ki keys programmed into SIM cards (the same keys carriers hold for authentication), the agencies could decrypt cellular communications without any carrier's assistance or knowledge. As The Guardian reported, the stolen keys allowed covert monitoring of mobile communications that bypassed telecom companies and government oversight. Cryptographers called it "a big breach": in effect a bulk compromise of privacy for potentially billions of SIMs. Gemalto (now part of Thales) later said the intruders had not obtained the keys for its modern, more securely provisioned products, but the episode made the supply-chain risk plain: IoT SIMs are manufactured and personalized exactly like consumer SIMs and would be affected just the same. It prompted calls for better key generation, transport and auditing practices in SIM production. For IoT stakeholders it is a reminder that the cryptographic protection of the cellular link is only as strong as the secrecy of the keys at manufacture and distribution.

  • Location data sold by carriers: Not every privacy incident is a breach; some are provider business practices. A notable example surfaced in the late 2010s, when the major U.S. carriers (AT&T, T-Mobile, Sprint and Verizon) were found to be selling customers' real-time location data to third-party aggregators without meaningful consent. The data, derived from the network's own knowledge of which cell a phone or SIM is using, was resold down a chain that ended with bounty hunters and other unrelated parties. The FCC opened an investigation in 2020 and in 2024 issued fines totaling nearly $200 million, finding that the carriers "illegally shared access to customers' location information without consent". The practice put individuals at risk (domestic violence victims could be tracked, for example) and shows how IoT SIM data can be abused in the same way: a SIM in a vehicle or asset tracker produces equally revealing location data, and a provider that sells or mishandles it exposes the movements of people and corporate assets. The FCC action sends a clear message that such sharing without user approval is unlawful in many jurisdictions. It also underlines the importance of transparency; users and IoT device owners often had no idea that simply using a SIM meant their location was being monetized in the background.

  • IoT SIM platform and API breaches: Several IoT connectivity platforms, many run by MVNOs or cloud companies, have had security incidents, though less publicized ones. In 2022 the communications provider Twilio, which at the time also sold IoT SIM services, was breached through a phishing campaign against employees that gave the attackers access to internal systems and some customer data. Twilio initially confirmed that data from 125 customer accounts had been accessed (a figure it later revised upward), potentially including account details and contact information. The incident was not IoT-specific (Twilio's main business is messaging and two-factor authentication), but it illustrates the broader risk: IoT SIM management portals and APIs are part of the attack surface. An attacker who compromises a provider's admin console or API keys can manipulate SIM profiles, redirect or eavesdrop on traffic, or cut off connectivity for large fleets. In another case, researchers reported a vulnerability in a Vodafone IoT management portal belonging to an Indian joint venture that could have allowed unauthorized access to administrative functions. Such weaknesses can lead to data leaks or unauthorized monitoring. No catastrophic IoT platform breach has been widely reported apart from the SK Telecom operator case, but the potential impact is large, given that these platforms control millions of SIMs globally.

In summary, breaches have occurred at three levels, the operator, the SIM manufacturer and the IoT service provider, all with serious privacy implications. They show that securing individual device connections is not enough; the entire supply chain and lifecycle of IoT SIM data, from manufacture through the network to the cloud platform, must be protected. Large, well-resourced entities have fallen victim, which argues for continuous security audits and stronger standards.

Provider Practices: Data Logging, Sharing, and Surveillance

IoT SIM providers – whether telecom operators or MVNOs – inherently collect certain data from SIM usage that can raise privacy questions. It’s important to examine what data is logged, how it’s used, and with whom it is shared:

  • Metadata logging: Cellular providers necessarily log metadata for each SIM's activity: which cell a device attaches to (and thus its approximate location), connection timestamps, data volumes, and any SMS or voice event records. For IoT SIMs, providers also typically log device identifiers (IMEI), the IP addresses assigned and, in roaming scenarios, which visited networks the device used. This metadata serves billing, troubleshooting and network management, but it is personal data whenever it can be linked to an individual or reveals usage patterns, and many jurisdictions protect it as such. In the EU, telecom metadata falls under the confidentiality and traffic/location data rules of the ePrivacy Directive, so it cannot be accessed or shared beyond what the service requires except under lawful request. IoT SIM users in the EU therefore benefit from strong protections on communications metadata; providers generally cannot mine or sell it without consent. In practice, reputable IoT SIM providers restrict access to logs and anonymize or aggregate data before any analytics.

  • Data sharing with third parties: The U.S. carrier location-data scandal is the prime example of problematic sharing. It showed that providers may be tempted to monetize data streams (location, usage statistics) by selling them to aggregators or using them for advertising and analytics. Beyond location, IoT SIM data can reveal how often a device connects or how it moves between countries, which is of interest to insurers, marketers and others. Most major providers now state explicitly in their privacy policies that they do not share customer-specific IoT data with third parties without consent, apart from service partners and legal obligations. Vodafone's IoT privacy commitment, for example, emphasizes compliance with data protection law and that personal data will not be shared for marketing without permission. Smaller global IoT MVNOs similarly say they neither inspect nor sell the content of IoT communications; Hologram asserts "zero access to device data" thanks to end-to-end encryption, meaning it could not mine or share customer payloads even if it wanted to (a property that holds only for payloads the customer actually encrypts). Despite such assurances, IoT users should vet provider policies. Enterprise IoT agreements often include data handling clauses, for instance restricting the provider to using device data solely to deliver connectivity.

  • Government and law enforcement access: Like any telecom service, IoT SIM providers are subject to lawful interception and data disclosure requests, which raises particular concerns when devices are deployed globally under differing surveillance regimes. Providers must comply with local law: in the U.S., CALEA requires carriers to build lawful-intercept capability into their networks; in the EU, police and intelligence agencies can obtain data or intercept communications under warrant, following procedures defined in national law and overseen by courts or regulators. IoT SIM data (location, and the data stream itself if it is not encrypted end to end) can thus be handed to governments where due process is followed. Some regimes go much further: China, for instance, mandates real-time cooperation with law enforcement and extensive data retention. Surveillance also happens without any provider's consent: reports indicated that the Simjacker exploit was used by a surveillance company working with governments to track individuals through their SIMs, obtaining "location information of thousands of devices... without the knowledge or consent of users". Sophisticated actors, in other words, may use network vulnerabilities to surveil IoT SIMs directly. In response, many carriers have updated their defenses to detect and block suspicious SIM toolkit messages and other rogue signaling.

  • Data retention policies: How long providers keep IoT SIM-related data affects privacy. In the EU, blanket data retention laws that stored all users' metadata for months or years have been controversial and largely struck down by the courts, though some member states still impose targeted retention (for serious crime, for example). Providers commonly keep IoT SIM logs for a fixed period (six months or a year) for billing disputes and legal compliance. The longer data is kept, the greater the exposure if an old log database is compromised. Privacy-conscious providers minimize retention by deleting or anonymizing logs that are no longer needed, and IoT customers concerned about this can choose providers that follow data minimization principles and will certify deletion at the end of a contract. In addition, consumer privacy laws such as California's give individuals the right to request deletion of personal data, which may extend to IoT service records when they are personally identifiable.

  • International data transfers: Global IoT SIM services routinely move data across borders; a device in Europe using a U.S. provider's IoT SIM may have its traffic routed through servers in the U.S., or vice versa. This raises compliance questions under laws such as GDPR, which restricts the export of personal data to jurisdictions without adequate protection. Many connectivity platforms address this with regional breakouts and data centers, letting customers choose where traffic and metadata are processed; a European deployment might use EU-based core network nodes so that metadata stays in Europe. Providers also rely on standard contractual clauses or similar legal instruments to legitimize the transfers that remain necessary. From a privacy standpoint, the route IoT data takes determines which governments might gain access to it: data that flows through or is stored in a given country is subject to surveillance there. For highly sensitive applications, some organizations therefore insist on local profiles and breakouts that keep data within defined geographic bounds.

In summary, IoT SIM providers hold a powerful position with respect to privacy, since they can see and control the network link of every device. Trust and policies therefore matter. Users should look for transparency reports (some large carriers publish how many government requests they receive), clear privacy notices, and technical measures such as encryption that limit even the provider's own visibility. The industry is trending toward privacy by design, where systems are deliberately built so that data collected for service quality is neither easily accessible nor easily shareable. Vigilance is still needed, as past incidents show the potential for abuse and unwarranted surveillance.
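The minimization and retention principles in the metadata-logging and data-retention points above can be enforced mechanically over session logs. The following Python is an added example, not any provider's actual pipeline: identifiers are replaced with keyed pseudonyms (HMAC-SHA256 under a key that stays with the billing system, so analytics users cannot reverse them), cell identifiers are coarsened, and each record is reduced or deleted according to its age. The records, the key, the 30-day and 180-day tiers and the field names are constructed assumptions.

```python
"""Retention-tiered minimization of IoT SIM session metadata (added example, constructed data)."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from typing import Optional

PSEUDONYM_KEY = b"held-by-billing-not-by-analytics"   # assumption: kept in a KMS/HSM and rotated
HOT = timedelta(days=30)     # full detail for troubleshooting and abuse investigation
WARM = timedelta(days=180)   # counters and coarse location for billing disputes; older is deleted
NOW = datetime(2025, 5, 10, tzinfo=timezone.utc)      # fixed "current time" for the constructed run

# Constructed session records, shaped like what a connectivity platform logs per data session
RECORDS = [
    {"imsi": "901700000000001", "imei": "356938035643809", "cell": "262-01-1234-5678901",
     "ip": "10.20.30.41", "up": 1200, "down": 4800, "ts": "2025-05-01T12:00:00Z"},
    {"imsi": "901700000000001", "imei": "356938035643809", "cell": "262-01-1234-5678902",
     "ip": "10.20.30.41", "up": 900, "down": 3100, "ts": "2025-03-15T08:30:00Z"},
    {"imsi": "901700000000002", "imei": "490154203237518", "cell": "234-15-0042-0000013",
     "ip": "10.20.30.77", "up": 50, "down": 60, "ts": "2024-09-01T00:00:00Z"},
]


def pseudonym(value: str, purpose: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, non-reversible pseudonym. Equal inputs give equal outputs, so sessions of one
    SIM still correlate; unlike a plain hash, the 15-digit IMSI space cannot be brute-forced
    back from the output without the key."""
    return hmac.new(key, f"{purpose}:{value}".encode(), hashlib.sha256).hexdigest()[:16]


def coarsen_cell(cell: str, level: str) -> str:
    """'MCC-MNC-TAC-CellID' -> tracking-area level (a few km) or PLMN level (operator/country)."""
    mcc, mnc, tac, _cell_id = cell.split("-")
    return f"{mcc}-{mnc}-{tac}" if level == "tac" else f"{mcc}-{mnc}"


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def minimize(rec: dict, now: datetime) -> Optional[dict]:
    """Return the record as it may be kept at its current age, or None if it must be deleted."""
    age = now - parse_ts(rec["ts"])
    if age > WARM:
        return None
    out = {
        "sub": pseudonym(rec["imsi"], "imsi"),   # purpose string separates IMSI and IMEI namespaces
        "dev": pseudonym(rec["imei"], "imei"),
        "up": rec["up"], "down": rec["down"], "ts": rec["ts"],
    }
    if age <= HOT:
        out["cell"] = coarsen_cell(rec["cell"], "tac")
        out["ip"] = rec["ip"]                    # still needed to investigate abuse reports
    else:
        out["cell"] = coarsen_cell(rec["cell"], "plmn")
        out["ts"] = rec["ts"][:10]               # date only
    return out


def minimize_all(records, now: datetime) -> list:
    return [m for m in (minimize(r, now) for r in records) if m is not None]


if __name__ == "__main__":
    for row in minimize_all(RECORDS, NOW):
        print(row)
```

Two design points worth stating. Pseudonymized records are still personal data under GDPR, because the key holder can re-identify them; the scheme reduces exposure of the analytics copy, it does not anonymize. And the key must be managed as a secret with the same care as billing data: if it leaks alongside the pseudonymized logs, the whole dataset is re-identifiable.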

Regional Variations in IoT SIM Privacy Protections

Privacy regulations and practices surrounding IoT SIMs vary significantly by region, with stark differences between the European Union, the United States, and parts of Asia:

  • European Union (EU): The EU offers the strongest privacy protections for IoT SIM users. IoT data that can identify a person, directly or indirectly, is covered by the General Data Protection Regulation (GDPR): providers must process it lawfully, minimize what they collect, and honor rights such as access and erasure. Even when the SIM sits in a vehicle or a smart device, location or usage data can be personal data under GDPR if it links to an individual or household. The ePrivacy Directive additionally safeguards the confidentiality of communications and of traffic and location data (the proposed ePrivacy Regulation that was to replace it was withdrawn by the European Commission in 2025, so the Directive remains the applicable instrument). Telecom operators in the EU must keep communications and associated metadata confidential and generally need user consent to use them for anything beyond providing the service; interception outside specific legal procedures is prohibited. EU telecom providers are also subject to mandatory breach notification, so a leak of subscription data or a compromise of communications must be reported promptly to regulators and, in some cases, to affected users. The EU also emphasizes privacy by design, which for IoT SIMs can mean giving customers control over their data and building networks that anonymize IoT metadata where possible. Member states can still require data retention or interception for national security, but the trend in EU case law has been to strike down indiscriminate retention. Overall, an IoT SIM served by an EU-based provider or operating on EU territory enjoys a high baseline of privacy rights and oversight, and European providers such as Vodafone and Orange advertise their GDPR compliance and contribute to EU IoT security guidance.

  • United States: The U.S. has no comprehensive federal privacy law comparable to GDPR, so IoT SIM privacy rests on sectoral rules. Telecom carriers are regulated by the FCC, which enforces rules on Customer Proprietary Network Information (CPNI): call records, their duration, location and similar data that carriers must protect and may generally share only with consent. The FCC's enforcement against the carriers that sold location data, proposed in 2020 and finalized as fines in 2024, shows that these rules have teeth. Beyond CPNI, which primarily covers traditional voice and SMS services and arguably their metadata, IoT data practices are largely governed by company privacy policies; sensor readings transmitted over a SIM may not clearly fall under telecom rules at all and may be treated as business data. The FTC's authority over unfair or deceptive practices provides a backstop: an IoT SIM provider that misrepresents its privacy or security practices can face FTC action. Some states have acted on their own; California's IoT security law (effective 2020) requires reasonable security features in connected devices, though it does not regulate SIM data handling directly. Law enforcement access is also a factor: under statutes such as the Patriot Act, and through court orders, U.S. authorities can demand IoT SIM records or intercept communications, and providers must comply, while bulk metadata collection has been a recurring controversy (the historical NSA programs being the best-known example). Work on IoT cybersecurity frameworks continues, with NIST guidance that includes data protection. In short, U.S. IoT SIM users rely on a patchwork: FCC rules for traditional telco data, general corporate accountability, and state initiatives, without the uniform shield GDPR provides. They must lean more on the provider's commitments and on technical measures such as end-to-end encryption, which U.S. vendors often promote as a selling point of their IoT solutions.

  • Asia-Pacific and other regions: Asia is diverse in its privacy stance. Japan, South Korea and Singapore have strong personal data protection laws on European lines (Japan's APPI, Singapore's PDPA, Korea's Personal Information Protection Act) that cover IoT data. South Korea also has strict telecom privacy rules, yet the SK Telecom breach shows that enforcement and oversight are continually tested. Japan has a mature IoT market and generally solid privacy enforcement, though less strict than the EU's. At the other end, China and a few other countries prioritize state control over data. China mandates real-name registration for every SIM, IoT SIMs included, so each one is tied to an identified individual or company; this removes anonymity and facilitates government monitoring. Chinese cybersecurity law requires that personal and other important data collected in China be stored in China, and authorities can demand access on broad grounds. Permanent roaming (using a foreign SIM in China long term) is not allowed, precisely so that local oversight cannot be avoided. India similarly requires long-term IoT connections to use local SIM profiles rather than roaming on a foreign SIM. This trend across Asia and the Middle East (the UAE, Saudi Arabia and Turkey also restrict permanent roaming) is partly about protecting telecom revenue, but also about keeping IoT data subject to local law, including surveillance and retention requirements. Many Asia-Pacific countries impose retention on telecom providers (India and Pakistan have multi-year rules for call records). A global IoT deployment must therefore navigate these differences: a Europe-based global SIM provider may not be permitted to serve devices in China indefinitely, so a Chinese IoT SIM is needed, which then falls under the Chinese regime and its limited individual privacy. Australia and New Zealand, by contrast, have robust privacy laws and IoT cybersecurity strategies that balance innovation with user protection.

In essence, regional law dramatically affects IoT SIM privacy: EU users benefit from strict data handling and transparency requirements, U.S. users get some protections but have also seen data misuse, and parts of Asia enforce data localization and government access that reduce individual privacy. IoT businesses must often tailor their approach by region, using EU data centers for EU data, complying with lawful requests in the U.S., and setting up partnerships or local subscriptions in China and India to remain lawful. For users and device makers, understanding these variations is key to judging how safe their IoT data is: a device that is private in one country may be monitored in another purely because of SIM regulation.

Standards and Certifications for IoT SIM Privacy & Security

To tackle the complex security and privacy challenges, the industry has developed various standards, guidelines, and certification programs relevant to IoT SIM cards and their usage. These initiatives aim to ensure a baseline of security and privacy protection:

  • GSMA IoT SAFE: One of the most significant recent standards is GSMA IoT SAFE (IoT SIM Applet For Secure End-to-End Communication). IoT SAFE uses the SIM as a hardware root of trust for IoT applications: it defines a common applet interface through which device software can perform cryptographic operations, such as generating keys, storing certificates and signing for TLS client authentication, using keys held inside the SIM. In effect, a device can establish encrypted, mutually authenticated connections to the cloud with SIM-resident credentials. This matters for privacy because even if the device firmware is compromised, the attacker cannot extract the TLS private key from the SIM's tamper-resistant element; the key is only ever used, never exported. With IoT SAFE, IoT data in transit can be encrypted at the application layer with little integration overhead, and cloud services can trust that data originates from a legitimate device, which prevents spoofing. Industry groups hailed the standard as a "milestone in IoT security standardisation", and it comes with test specifications to ensure interoperability across SIM vendors and IoT platforms. As deployments grow, it could become the baseline for secure IoT data encryption, directly enhancing privacy because intermediaries, the connectivity provider included, cannot read the data in transit.

  • GSMA IoT Security Guidelines and Assessment: The GSMA (the global mobile operators association) has published comprehensive IoT Security Guidelines (latest revision in 2024) covering best practices for secure IoT product development and deployment. These guidelines include recommendations for mobile network operators, IoT service providers, and manufacturers. Relevant to SIMs, they advise using proven security in connectivity, e.g. soldered embedded SIMs (eSIM/eUICC) so that a SIM cannot simply be removed or swapped, network authentication, and secure channels for OTA provisioning. The guidelines also highlight the importance of protecting data at rest and in transit (recommending TLS, IPsec, or VPNs for IoT data traffic). To complement the guidelines, GSMA offers an IoT Security Assessment scheme, essentially a self-assessment or certification process that organizations can use to demonstrate adherence to best practices. While voluntary, this provides a trust label of sorts. A company following these guidelines would likely enforce encryption, access control, and privacy-by-design in its IoT SIM connectivity offerings.

  • Trusted Connectivity Alliance & SIM Security Certification: The Trusted Connectivity Alliance (TCA) (formerly SIMalliance) and SIM manufacturers have long-established programs to certify and secure SIM hardware and the provisioning process. For instance, SIM card production facilities undergo GSMA Security Accreditation Scheme (SAS) audits, which cover how SIM personalization and the subscriber authentication keys are handled; a leak at that stage is exactly what made the Gemalto key theft so damaging, because a stolen authentication key compromises every SIM that carries it. Many IoT SIM providers (like Hologram) explicitly state they conform to GSMA SAS, which indirectly protects privacy by preventing rogue SIMs or key leaks in the supply chain. Additionally, SIM operating systems and their secure microcontrollers often achieve Common Criteria certification (e.g., CC EAL4+ or EAL5+), giving assurance that the SIM can resist attempts to extract its secrets. The Trusted Connectivity Alliance also promotes standardization for new form factors like iSIM and defines profiles to ensure secure interoperability.

  • IoT Device Security Standards (impacting SIM usage): Broader IoT security standards also contribute to the privacy of SIM-based connectivity. For example, ETSI EN 303 645 is a standard for consumer IoT cybersecurity that, among other things, calls for best practices like no universal default passwords and secure data transmission. While it does not mention SIMs explicitly, an IoT device complying with it would be expected to encrypt its traffic, so that intercepted SIM traffic is unintelligible. Similarly, in the U.S., NIST’s IoT cybersecurity guidance (the NISTIR 8259 series) and the IoT Cybersecurity Improvement Act (applicable to federal IoT procurements) provide requirements for network security and encryption that cover cellular modules. CTIA has an IoT Cybersecurity Certification Program that tests devices against security criteria; one relevant criterion is the use of industry-standard cryptography for communications. Thus, if a cellular IoT device holds CTIA certification, it presumably uses protocols such as LTE encryption and TLS properly, aiding privacy.

  • Regional Certifications and Regulations: In Europe, the EU Cybersecurity Act has led to work on IoT security certification schemes (potentially voluntary labels for IoT products), and privacy is a component of those schemes. Germany, for instance, has a national IT security label that IoT device makers can obtain by meeting certain requirements (such as data encryption and local data processing). While these focus more on the device and application, choosing a secure IoT SIM and a privacy-conscious connectivity provider helps meet such criteria. On the regulatory side, telecom regulators often require mobile operators to implement up-to-date security on their networks (e.g., 5G security features, disabling outdated cipher suites). Adherence to 3GPP security standards, which dictate the encryption algorithms and subscriber identity protection over the air, is typically mandatory. In 5G, the permanent subscriber identifier (the SUPI, which carries the IMSI) is no longer sent in clear on attach: the device encrypts it into a SUCI using the home network’s public key stored on the SIM, so a passive IMSI catcher can no longer identify a user’s SIM. This is a real privacy improvement over 2G to 4G, where the IMSI was transmitted in plaintext whenever a temporary identifier could not be used.

  • Privacy Management Standards: Some IoT SIM providers, especially global MVNOs handling customer data, pursue general data security and privacy certifications such as ISO/IEC 27001 (information security management) and ISO/IEC 27701 (the privacy information management extension of 27001), or undergo SOC 2 audits. These are not IoT-specific, but they show that the provider has formal controls for data protection and privacy. For example, Twilio and other cloud-based IoT connectivity services often advertise their ISO 27001 compliance and privacy frameworks as a selling point to enterprise customers. While not foolproof, such certifications indicate a commitment to maintaining the confidentiality of customer data and to continuous risk assessment.

In summary, a combination of technological standards (like IoT SAFE and eSIM security), industry best practices (GSMA guidelines), and formal certifications provide a toolkit to enhance IoT SIM privacy and security. Adoption of these is growing. For instance, IoT SAFE is seeing momentum as stakeholders realize the need for consistent end-to-end security at scale. Looking forward, as billions more devices come online, these standards will likely become prerequisites. An IoT SIM solution that is certified or compliant with these frameworks is far less likely to suffer from the glaring vulnerabilities or privacy lapses that have plagued earlier, ad-hoc IoT deployments.
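
A worked example of the property the IoT SAFE bullet above relies on, added here and not taken from the GSMA specification or any vendor’s code. In Go, the SIM applet is modelled as a crypto.Signer that exposes only Public() and Sign(), and crypto/tls is handed that object as the device’s private key, so the TLS 1.3 client-authentication signature is produced by the “applet” while the key bytes never appear in the TLS stack or in application code. The device ID device-0001, the hostname cloud.example, the loopback listener, and the cloud pinning the device’s self-signed certificate at enrolment are all assumptions made for this demo; real deployments have the connectivity provider’s CA issue the device certificate, and the applet is driven over APDUs, which this model skips.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// simApplet stands in for the IoT SAFE applet (not its real APDU interface): the device
// key lives inside it and firmware only ever sees Public() and Sign(). Sign is the only
// way out: callers hand in a digest and get back a signature, never the key.
type simApplet struct{ key *ecdsa.PrivateKey }

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // no usable entropy source is fatal for a key ceremony
	}
	return k
}

func provisionSIM() *simApplet { return &simApplet{key: genKey()} } // key pair made "inside the SIM"
func (s *simApplet) Public() crypto.PublicKey { return &s.key.PublicKey }
func (s *simApplet) Sign(r io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	return ecdsa.SignASN1(r, s.key, digest)
}

// selfSign builds a self-signed certificate for signer; for the applet, the signature is made "in the SIM".
func selfSign(cn string, serial int64, signer crypto.Signer) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, signer.Public(), signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// MutualTLS runs a device-to-cloud TLS 1.3 handshake over loopback: the device authenticates
// with the SIM-resident key; the cloud, which pinned the device certificate at enrolment, returns the device ID.
func MutualTLS(sim *simApplet, deviceID string) (string, error) {
	cloudKey := genKey()
	cloudCert := selfSign("cloud.example", 1, cloudKey)
	devCert := selfSign(deviceID, 2, sim) // the applet signs; its key never leaves it
	enrolled, trustedClouds := x509.NewCertPool(), x509.NewCertPool()
	enrolled.AddCert(devCert)
	trustedClouds.AddCert(cloudCert)
	cloudCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cloudCert.Raw}, PrivateKey: cloudKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    enrolled,
		MinVersion:   tls.VersionTLS13,
	}
	deviceCfg := &tls.Config{
		// PrivateKey is the applet itself: crypto/tls only ever calls its Sign method.
		Certificates: []tls.Certificate{{Certificate: [][]byte{devCert.Raw}, PrivateKey: sim}},
		RootCAs:      trustedClouds,
		ServerName:   "cloud.example",
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cloudCfg)
	if err != nil {
		return "", err
	}
	done := make(chan error, 1)
	go func() { // device side: tls.Dial runs the whole handshake, asking the applet to sign
		_, err := tls.Dial("tcp", ln.Addr().String(), deviceCfg)
		done <- err
	}()
	raw, err := ln.Accept()
	if err != nil {
		return "", err
	}
	cloud := raw.(*tls.Conn)
	if err := cloud.Handshake(); err != nil {
		return "", err
	}
	return cloud.ConnectionState().PeerCertificates[0].Subject.CommonName, <-done
}

func main() {
	fmt.Println(MutualTLS(provisionSIM(), "device-0001"))
}
```

Because the applet object is the only holder of the key, firmware that is compromised gains the ability to request signatures while it is running, not a copy of the key it can take elsewhere; that is the distinction between key misuse and key extraction that the bullet above draws.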
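
For the 5G identifier concealment mentioned in the regional bullet above, here is an added example (mine, not from 3GPP or any vendor) of the ECIES construction in the shape of 3GPP TS 33.501 Profile A: X25519 key agreement against the home network’s public key, the ANSI X9.63 KDF with SHA-256 yielding a 16-byte AES key, a 16-byte counter block and a 32-byte MAC key, AES-128-CTR over the MSIN, and an HMAC-SHA-256 tag truncated to 8 bytes. It is a simplification: the MSIN 0123456789 is a constructed sample treated as ASCII digits rather than the BCD packing the spec uses, the clear-text SUCI fields (MCC/MNC, routing indicator, scheme and key identifiers) are omitted, and the home-network key pair is generated on the spot rather than read from a USIM.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	pubLen = 32 // X25519 ephemeral public key, sent in the clear
	tagLen = 8  // Profile A truncates the HMAC-SHA-256 tag to 64 bits
)

// x963KDF is the ANSI X9.63 KDF with SHA-256: SHA-256(Z || counter || sharedInfo)
// for counter = 1, 2, ... until n bytes of key material are available.
func x963KDF(z, sharedInfo []byte, n int) []byte {
	var out []byte
	for counter := uint32(1); len(out) < n; counter++ {
		var c [4]byte
		binary.BigEndian.PutUint32(c[:], counter)
		h := sha256.New()
		h.Write(z)
		h.Write(c[:])
		h.Write(sharedInfo)
		out = h.Sum(out)
	}
	return out[:n]
}

// deriveKeys splits the KDF output as Profile A does: 16-byte AES key, 16-byte initial
// counter block, 32-byte MAC key. SharedInfo1 is the ephemeral public key itself.
func deriveKeys(shared, ephPub []byte) (encKey, icb, macKey []byte) {
	k := x963KDF(shared, ephPub, 16+16+32)
	return k[:16], k[16:32], k[32:64]
}

func ctrXOR(encKey, icb, in []byte) []byte {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		panic(err) // the KDF always yields a 16-byte key
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, icb).XORKeyStream(out, in)
	return out
}

func macTag(macKey, ct []byte) []byte {
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	return mac.Sum(nil)[:tagLen]
}

// Conceal is the UE side. A fresh ephemeral X25519 key per attach means the same
// MSIN yields a different SUCI every time, so nothing stable crosses the air interface.
func Conceal(hnPub *ecdh.PublicKey, msin []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(hnPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	encKey, icb, macKey := deriveKeys(shared, ephPub)
	ct := ctrXOR(encKey, icb, msin)
	suci := make([]byte, 0, pubLen+len(ct)+tagLen)
	suci = append(append(suci, ephPub...), ct...)
	return append(suci, macTag(macKey, ct)...), nil
}

// Deconceal is the home-network (UDM/SIDF) side: only the holder of the long-term
// private key can recompute the shared secret, check the tag and decrypt the MSIN.
func Deconceal(hnPriv *ecdh.PrivateKey, suci []byte) ([]byte, error) {
	if len(suci) < pubLen+tagLen {
		return nil, errors.New("suci: too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(suci[:pubLen])
	if err != nil {
		return nil, err
	}
	ct, tag := suci[pubLen:len(suci)-tagLen], suci[len(suci)-tagLen:]
	shared, err := hnPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	encKey, icb, macKey := deriveKeys(shared, suci[:pubLen])
	if !hmac.Equal(macTag(macKey, ct), tag) { // verify before decrypting
		return nil, errors.New("suci: MAC mismatch (tampered, or wrong home-network key)")
	}
	return ctrXOR(encKey, icb, ct), nil
}

func main() {
	hn, err := ecdh.X25519().GenerateKey(rand.Reader) // home-network key; the public half ships in the USIM
	if err != nil {
		panic(err)
	}
	msin := []byte("0123456789") // constructed sample MSIN, kept as ASCII digits rather than BCD
	a, _ := Conceal(hn.PublicKey(), msin)
	b, _ := Conceal(hn.PublicKey(), msin)
	got, err := Deconceal(hn, a)
	fmt.Printf("distinct SUCIs for one MSIN: %v; recovered %q (err=%v)\n", !bytes.Equal(a, b), got, err)
}
```

The privacy gain is visible in the two properties the code demonstrates: two attaches with the same MSIN produce unrelated SUCIs, so an eavesdropper cannot link them, and anyone without the home network’s private key, including the serving network abroad, gets only a MAC failure when trying to read the identifier.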

Comparison of Major Global IoT SIM Providers

Different IoT SIM providers implement varying levels of security and privacy measures. The comparison below covers a few major global IoT SIM providers on key privacy-related features and any publicly known incidents:

Vodafone IoT (EU/global)
Privacy & Security Measures: Adheres to EU GDPR; multiple layers of protection including end-to-end data encryption. IoT SIMs are tamper-resistant, with access restricted to only the services a deployment needs. Offers private APNs and managed IoT platforms for secure data handling.
Known Incidents / Practices: No major breaches publicly reported. Follows strict EU telecom privacy laws (ePrivacy). Participates in government and industry initiatives to raise IoT security standards.

AT&T IoT (US/global)
Privacy & Security Measures: Provides enterprise IoT security options (VPN, private APN, device authentication). Implements FCC CPNI rules to protect customer network information. Engaged in IoT cybersecurity alliances (e.g., the IoT Cybersecurity Alliance) to promote best practices.
Known Incidents / Practices: In 2019, AT&T (and other US carriers) were found to be sharing customer location data with third parties without consent, leading to FCC fines in 2024. AT&T has since pledged to halt such data sales. No known IoT-specific breaches, but it is subject to US lawful-intercept requirements.

SK Telecom (South Korea)
Privacy & Security Measures: Uses USIM cards with strong encryption (many Common Criteria-certified). After the 2025 breach, ran a SIM reset and replacement program and strengthened internal security monitoring. Subject to South Korea’s Personal Information Protection Act for customer data.
Known Incidents / Practices: Suffered a major breach disclosed in 2025 exposing roughly 26.9 million SIM records (IMSI, authentication keys, etc.), including IoT device SIM data. The intrusion went undetected for nearly three years, raising concerns about internal security; the company is now under government oversight to improve data protection. Leaked authentication keys are the worst case for a SIM, since they enable cloning and interception until the affected SIMs are replaced or re-keyed, which is why the replacement program mattered.

Twilio (Super SIM) (global MVNO)
Privacy & Security Measures: Cloud-based IoT SIM platform focused on developer friendliness. Provides API security, two-factor authentication for account access, and claims ISO 27001 and SOC 2 compliance for its platform. Customers can run end-to-end encryption over the SIM connectivity (Twilio encourages TLS/DTLS for IoT data).
Known Incidents / Practices: Experienced a general data breach in August 2022 via employee phishing; attackers accessed data of 125 customers. No IoT payload data was reported stolen. Twilio has since enhanced security training and restricted data access. The Super SIM service itself is not known to have been compromised.

Hologram (global MVNO)
Privacy & Security Measures: Emphasizes security: isolates IoT devices from the internet and from each other by default (network segmentation and a multi-layer firewall). Requires device authentication on its network. Does not inspect or log customer payload data; its “zero access” claim rests on customers encrypting end to end, because cellular link encryption terminates in the operator core and any provider can read traffic sent in clear above it. SIM supply chain follows GSMA SAS standards. Supports HIPAA/PCI-compliant uses.
Known Incidents / Practices: No known security breaches publicly. Hologram’s privacy policy states it collects only minimal personal data for account management. It is a relatively small provider and positions itself on transparency about data practices.

China Mobile IoT (China)
Privacy & Security Measures: Operates under China’s Cybersecurity Law: IoT SIMs require real-name registration. Uses standard 4G/5G network-side encryption and provides managed connectivity platforms. Data is stored in-country.
Known Incidents / Practices: No public breach data (Chinese companies rarely disclose breaches). Shares data with the government on demand as required by law. Permanent roaming SIMs are not allowed, forcing the use of a local SIM for IoT in China, which subjects IoT data to state monitoring.

Notes: This comparison is not exhaustive, but it illustrates differences. European providers often highlight strict compliance and advanced security layers, while U.S. providers are improving after past lapses. Specialized IoT MVNOs like Hologram focus on technical network protections and transparency. Meanwhile, providers in jurisdictions like China prioritize control and may pose privacy trade-offs despite technical security.

Conclusion

The rapid expansion of IoT deployments globally brings the often-overlooked IoT SIM card into the spotlight of privacy discussions. These tiny chips are the gateway for countless devices to transmit data – from smart meters and connected cars to medical wearables – and thus they mediate a wealth of potentially sensitive information. As we have seen, the privacy issues associated with IoT SIMs are multifaceted:

  • Data exposure risks can stem from inadequate encryption or misconfigurations, leaving IoT data vulnerable to interception or unauthorized access.

  • Vulnerabilities in SIM technology (like Simjacker) have demonstrated how covert attacks can turn SIMs into surveillance tools, exploiting the very connectivity that IoT relies on.

  • Provider practices in handling IoT data are crucial, whether that means securing backend systems (as the breaches at SK Telecom and Twilio showed) or ensuring that user data is not monetized or shared improperly (as in the carrier location data scandal).

  • Surveillance and legal compliance present a delicate balance: IoT SIMs can enhance the ability to track and monitor, so strong legal safeguards and corporate ethics are needed to prevent abuse. Regional differences mean an IoT device’s privacy can depend greatly on where and under whose network it operates.

  • Encouragingly, the industry is responding with improved standards and certifications, from leveraging the SIM as a root of trust (IoT SAFE) to certifying secure SIM manufacturing and IoT device best practices. Adoption of these will be key to maintaining user trust.

For stakeholders, be they IoT solution developers, enterprises deploying IoT, or end-consumers, it is vital to choose IoT connectivity solutions that prioritize privacy and security. This means using providers that implement strong encryption and device isolation and that make clear privacy commitments. It also means staying on top of fixes: when SIM-level vulnerabilities such as Simjacker are found, the remedy lies largely with the operator (filtering the binary SMS that carries the attack, and updating or replacing the affected SIM applets over the air), so ask providers what they have done. And it means running end-to-end encryption on top of SIM connectivity whenever possible, for defense in depth.

In conclusion, IoT SIM cards are a double-edged sword: they enable the magic of connected devices but also concentrate risks to privacy. By being aware of these issues and leveraging the evolving landscape of safeguards, we can enjoy the benefits of IoT while keeping our data and devices secure. The global nature of IoT demands a global effort in privacy protection – and as this overview shows, that effort is well underway, even if challenges remain.

Sources:

  1. On cellular IoT encryption and security features
  2. Emnify CTO on network-based encryption and closing cloud gaps
  3. Hologram on network segmentation and isolating devices
  4. Hologram’s end-to-end encryption and zero data access claim
  5. Hologram’s compliance with GSMA SAS and standards
  6. Vodafone’s tamper-resistant IoT SIM and layered protection
  7. CERT-EU advisory describing the Simjacker attack via spyware SMS
  8. Enea report: Simjacker exploited by a company working with governments (location spying)
  9. Security research on Simjacker and WIB attacks exposing billions of SIMs
  10. BleepingComputer on the SK Telecom breach exposing IMSI, authentication keys, SMS, etc.
  11. The Guardian on the NSA/GCHQ hack of Gemalto SIM keys (global surveillance)
  12. The Hacker News on the NSA stealing SIM encryption keys (privacy of billions at risk)
  13. KrebsOnSecurity on US carriers fined for selling location data without consent
  14. TechCrunch on the Twilio 2022 breach affecting customer data (phishing incident)
  15. Trusted Connectivity Alliance on GSMA IoT SAFE enabling the SIM as root of trust
  16. Onomondo blog noting that LTE-M (IoT) inherits LTE encryption and mutual authentication
  17. Eseye on permanent roaming restrictions (countries like China and India banning foreign IoT SIMs)

Top Recommendation:

Hologram Hyper Secure SIM

https://hologram.io

  • IoT SAFE support

  • Zero access to data — all payloads are end-to-end encrypted, even Hologram can’t see it

  • Device isolation — SIMs are firewalled and segmented by default

  • SIM lifecycle & OTA controls with secure provisioning

  • No SIM Toolkit bloatware (minimizing attack surface)

  • Global roaming on Tier 1 networks

  • Compliant with GSMA SAS, SOC 2, ISO 27001

Also worth considering:

  • Twilio Super SIM – High-level security and transparency, SOC 2, ISO 27001, secure APIs

  • Eseye AnyNet Secure SIM – Offers IoT SAFE, private cloud routes, AWS-native security integration

  • 1NCE Lifetime SIM (Europe) – German-based, GDPR-centric with firewalling and closed-loop networks

  • Truphone IoT SIM – eUICC, eSIM profiles with secure OTA and GDPR focus
