How to Prevent SIM Card Misuse in IoT Devices


Cellular connectivity is a great way to connect your devices to an application in the cloud. The device works right away at the customer site without any additional network hardware and securely connects anywhere in the worldWhat’s more, including connectivity in your service offering also provides an additional customer-perceived value to your service delivery.

The previous blog post in this security series explained which cellular security features exist to prevent common IoT device malware attacks. This post will concentrate on the attacks that require physical access to the device. One concern most IoT solution manufacturers have relates to the SIM card – and the risk that it is taken out of device and misused by free riders to get unlimited cellular internet.

Forum Blog post


As explained in emnify’s IoT device security guide, there are four security features that prevent SIM card misuse.

1. Soldering SIM on the device - embedded SIMs

One way to prevent SIM card misuse is by using embedded SIMs (MFF2). The SIM cards are soldered on the device and will break when removed. Additionally, embedded SIMs also have other desirable characteristics like vibration and shock resistance which is especially relevant for mobile IoT use cases.

2. IMEI lock

The IMEI is the unique device identity number. By activating the IMEI lock feature, a SIM card will only function in the device it is assigned to. Best practice is to automatically lock the SIM card to the first device it connects to the network from, during the manufacturing process or at the customer siteIn the event the SIM card is put into a different device, it will be unable to connect to the network.

3. Cellular Firewall

A cellular firewall can prevent an attacker from misusing the IoT device itself for unwanted services. The firewall limits the IoT device’s communication to a set of whitelisted IP addresses – meaning a device can, for example, only communicate with the IoT application and other services required for proper operation.

4. Service Limit

As a last resort, one can configure a service limit per device to prevent unwanted and unexpected network cost due to SIM misuse. A level of legitimate network traffic is set for each month. If someone tampers with the device, and creates excess traffic to the application, the device will be blocked from service until further action within the service portal.


SIM card misuse can be cause for concern for IoT solution providers. Especially when deploying devices at scale, robust security features should be ensured to prevent SIM cards being moved from one device to another without permission. By using embedded SIM cards, automatic IMEI lockscellular firewalls and service limits, IoT solution providers can guarantee that there are no cost surprises at the end of the month. To find out more about what cellular IoT best practices to consider for your business, download our new whitepaper

Get in touch with our IoT experts

Discover how emnify can help you grow your business and talk to one of our IoT consultants today!