SIM-Based Identity Isn’t Enough for Enterprise Cellular
In late January 2025, the US Secret Service dismantled a large SIM-card “farm” operating near the United Nations in New York City. The setup contained thousands of SIM cards, antennas, and automation tools capable of generating massive volumes of mobile network traffic.
SIM Farms as a DoS Vector
A SIM farm is a system designed to house hundreds or even thousands of SIM cards, enabling the automation of calls, SMS messages, and authentication events. These systems can rotate SIM identities at scale and mimic legitimate mobile subscribers, making them highly versatile. SIM farms are often exploited for malicious purposes, including fraud, bypassing SMS verification, sending spam, conducting influence operations, and generating automated bot traffic.
This SIM-card farm was particularly dangerous because of its scale. With more than 300 co-located SIM servers and 100,000 SIM cards spread across multiple sites, it had the capacity to produce a volume of network access and signaling traffic large enough to overwhelm critical components in a mobile operator’s core network. That would amount to a signaling-layer denial-of-service attack, directly analogous to the internet-based DDoS attacks that the security community is already familiar with.
There is a key difference between this scenario and typical internet-based DDoS attacks, and understanding it is crucial for enterprises investing in a private cellular environment. In this case, the attack originated from inside the network. The SIM cards were validated by the network and allowed access. In cellular networks, the SIM is the identity, similar to an employee’s username and password for a corporate network, and attackers were able to exploit this system at scale.
The Risks to Private Cellular
In the wake of this attack, many business leaders investing in LTE/5G for mission-critical networks are left wondering: What does that mean for our network? While public mobile operators have strong safeguards, private cellular networks are vulnerable because:
- Smaller core networks are easier to disrupt
A smaller core has fewer resources and redundancy than a national MNO, so spikes in registration or signaling from a SIM farm can overwhelm it much more quickly. In contrast, an MNO’s massively distributed and scaled core can absorb or reroute that load, making it far harder to meaningfully disrupt.
- Security and monitoring layers are less mature
Private cellular networks are relatively new, compared to MNO and IP networks, and are not supported by a decades-old ecosystem of security providers.
- SIM identity is often trusted without additional validation
Device onboarding is far more complex, insecure, and time-consuming than most private network owners expect, with many teams still relying on manually recording SIM cards and their associated devices in spreadsheets. Once a SIM is activated, the network automatically treats the device as trusted, with no additional validation to catch errors or changes. This lack of ongoing validation and automated monitoring leaves enterprises with inevitable security gaps and an incomplete view of the devices on their network.
- Bulk provisioning practices make oversight difficult
Provisioning devices at scale across regions or multiple sites often involves sending out pre-activated SIM cards to be installed into devices by multiple teams. With no centralized, automated way to verify that a SIM card ends up in the correct device, and with teams and devices dispersed, catching errors and malicious activity becomes more challenging.
SIM-Based Identity Cannot Meet Enterprise Security Standards
SIM cards leave enterprises at risk of the following:
- Identity-Based Intrusion
SIMs can be stolen and inserted into unauthorized devices, giving attackers direct access to the OT network.
- Device Masquerading
A cloned SIM paired with a spoofed IMEI will appear to the network as a trusted device, bypassing native security and identity tools. Without mechanisms that alert based on device identity, this attack can go completely unnoticed.
- Signaling Storm/Network Overload
Without the ability to detect cloned devices, attackers can build large numbers of cloned devices on a network. These devices can either unintentionally or intentionally consume massive amounts of network resources, disrupting and bringing down mission-critical operational environments.
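The gaps described above (no check that a SIM sits in its intended device, no alerting on device identity, no view of signaling load) can be approached as an audit over core-network attach events. The sketch below is an added example, not code from the original article or any vendor; the event format, the inventory, the thresholds, and the assumption that OT devices are stationary are all hypothetical. A cloned SIM with a spoofed IMEI passes the first check, which is why the second check looks at where the identity appears.

```python
from collections import defaultdict, deque

# Constructed inventory: IMSI -> IMEI of the device the SIM was issued for.
INVENTORY = {
    "001010000000001": "350000000000011",
    "001010000000002": "350000000000022",
    "001010000000003": "350000000000033",
}

# Constructed attach events: (unix_seconds, imsi, imei, cell_id).
EVENTS = [
    (1000, "001010000000001", "350000000000011", "cell-A"),
    (1005, "001010000000002", "350000000000099", "cell-A"),  # SIM in another device
    (1010, "001010000000003", "350000000000033", "cell-A"),
    (1012, "001010000000003", "350000000000033", "cell-B"),  # same identity, two cells
] + [(1100 + i, "001010000000001", "350000000000011", "cell-A") for i in range(12)]

def audit(events, inventory, window=60, max_attaches=10, min_cell_gap=30):
    """Return sorted (kind, imsi) findings; all thresholds are assumptions."""
    findings = set()
    recent = defaultdict(deque)   # imsi -> attach timestamps inside the window
    last_seen = {}                # imsi -> (timestamp, cell_id) of the last attach
    for ts, imsi, imei, cell in sorted(events):
        # 1. SIM-to-device binding: the SIM authenticated, but is it in its device?
        if inventory.get(imsi) != imei:
            findings.add(("imei_mismatch", imsi))
        # 2. Same IMSI on a different cell sooner than a fixed device could move.
        prev = last_seen.get(imsi)
        if prev and prev[1] != cell and ts - prev[0] < min_cell_gap:
            findings.add(("concurrent_cells", imsi))
        last_seen[imsi] = (ts, cell)
        # 3. Sliding-window attach rate per IMSI (signaling load).
        q = recent[imsi]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_attaches:
            findings.add(("attach_rate", imsi))
    return sorted(findings)

if __name__ == "__main__":
    for kind, imsi in audit(EVENTS, INVENTORY):
        print(f"{kind:17} {imsi}")
```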
SIM Cards Are Not Enough – So What’s Next?
The NYC incident highlights the fragility of SIM-based identity. Private networks need a layer to trust beyond the SIM.
If SIM cards aren’t the answer, what is? In Part Two, coming in two weeks, we’ll explore device-centric security and its role as the new security standard for enterprise cellular networks. You won’t want to miss it.