So, it finally happened. I got thrown out of my old job, and my SIM card was disabled, so… I stopped using it in my phone altogether. I replaced it with some specific strategies and two SIM cards.

Why two SIMs instead of one?

Well, there is an issue with what I would call an established identity. The number I had in all my old jobs (transferred or not) have been with me since I was 13 years old. All my friends know this number, my family dials it by reflex. It would be a shame to give such an established number to some scammer or someone to just buy and use. That is why I want save and keep it. On the other hand, keeping a number has its downsides. It is established, all my friends know this number, and if they know it, it leaked somewhere and is attached to me.

The issue with a phone number is the fact it’s easy to ping. You can get a private eye to ping your number for a few hundred bucks, giving you the exact location of the phone it’s in. A stalker or jealous ex may have enough motivation to follow you and track you this way, not to speak about motivated criminals, if you work in security.

The issue now becomes: How do you use your phone like a phone without having a SIM card? You need a way for people to call you, get online, and not be tracked by stalkers.

The paradox of a “stranger” SIM card

This problem can be solved, but it takes some doing and it may seem counterintuitive. The simple solution is to have a SIM not even you know the number to and don’t give out to anyone. Why would you use a SIM that you cannot use to receive calls?

Data. In the age of Voice over IP, you don’t need to know your number, you just need a link that can connect you to the Internet. The benefit of this is that you can leech off of any connection that you can get your hands on, WiFi, Starlink, anything. That is why you don’t need to know the number to your SIM, use it when necessary and get yourself a nice data plan. If you want to go extreme, only pay in cash and load the card at one select place that that you don’t live at or go to usually.

But what do you do with your phone number? The one all your friends know? Provided you get your hands on Twilio or Telnyx, you can load your number there and pay a buck or two per month for the privilege of having your phone number usable over the Internet. In my country, this is not an option, so I went another way: I forwarded all my phone calls to VoIP and SMS get processed on my server with the USB modem plugged into it.

The VoIP solution

Whether you have an iPhone or Android, you can get yourself an application like LinPhone or BareSIP to place and receive phone calls on any internet-connected device. I’ll leave the “connecting to VoIP” part as an exercise to the reader, but I want to present your with another issue: What if your country only allows SMS on a physical SIM card? Some VoIP providers don’t give you access to the raw SMS data so you can parse it yourself, so we have to make do, same for phone calls.

No virtual calls on your personal number? No problem

This is quite an easy one to solve, but it will cost you some small amount of cash: Check if the provider you have your number with (if it’s a physical SIM) allows unconditional call forwarding. Usually, this is a special number you call and your phone spits out “Yeah, got it, forwarding all calls now to a VoIP number.” This will allow you to receive calls via somewhat of a proxy. If someone calls your real number (123456), it will get forwarded to something you choose, like 654321. You pay for the call from your physical SIM to the VoIP number, but everywhere you are in the world, this will be the same (VoIP does not know about roaming, you’re either online or not.)

The other issue is SMS text messages. If your SIM card can only receive SMS physically, i.e. to some phone or other device, use a USB modem. Plug it into a Raspberry Pi, store it somewhere and your phone number, if someone pings it and it responds, will always show up in the same place. I will post a script lower down, if you want that, skip ahead.

Once you have calls set up, you only need a SIM card for data. However, do you want it in your phone?

SIM cards go in a modem, not in your phone.

Once you have a data SIM card with a number you don’t have to know, you have to ask yourself: Do I want to have this number accessible to my provider?

The thing is that your provider will know what device the SIM card is in. Thanks to your IMEI, your provider knows what phone type you have. Always. If you turn on airplane mode, your SIM card may still ping out and your IMSI will snitch on you. The only way forward is to use your phone as a WiFi-only device. But how do we get data when we’re driving, so we can doomscroll and crash at the same time?

I personally (with a good friend of mine) use a portable modem. This device has a SIM and when turned on, it presents it as a wireless network. There are, of course, wired options, but if you get a battery-powered one, you can get your Tiktok fix on the go. And if I didn’t sell you on the portable modem yet, if you get a device with a removable battery, you can turn it off and stop all tracking while still having access to your phone’s functions. This also ensures that you don’t get tempted to not abuse the WiFi around you.

The last great benefit is that if a provider gets nosy and wants to check what device you’re using, they’ll only see the modem’s model number… and your browsing data.

The privacy of wireless networks

I am skeptical towards open networks just as much as the next person, but I am also skeptical towards any of my internet providers. An always-on VPN connection ensures that wherever you go online, you’re only seen as connecting to one IP address. My provider does not need to see what I’m browsing, they only see my VPN IP as the connection endpoint. DNS goes through the tunnel, data runs through it, so I don’t even care if the modem is a Chinese piece of shit that uses half my data to send all information to Beijing, it gets metadata at best. Nothing else.

If you want to distrust your provider as well, please consider this method. It will make you immune to silent SMS tracking your make and model of the phone you’re using, so less information for attackers, more privacy for you.

If you want someone to articulate the points better, here’s Naomi Brockwell’s video on the topic: https://www.youtube.com/watch?v=RyirQOCUUK8

The script

You’re still here, huh? You want the SIM card script that much? You make me sick. Okay, here you go! There is one prerequisite, you need ModemManager installed (or any package that gets you the mmcli binary.)

#!/bin/bash

# Check if there are new SMS. If not, exit with code 1.
mmcli -m 0 --messaging-list-sms | grep "No sms messages were" > /dev/null && exit 1

# Collect text ID, sender number and message text from the output
text-id=$(mmcli -m 0 --messaging-list-sms | head -n1 | cut -d'/' -f6 | cut -d' ' -f1) 
sender=$(mmcli -m 0 --messaging-list-sms -K -s $text-id | grep content.number | cut -d':' -f2)
text=$(mmcli -m 0 --messaging-list-sms -K -s $text-id | grep content.text | cut -d':' -f2)

# Sanity check, should show you the sender's number and the text of the message.
echo $sender
echo $text

# Deletes the message it just read so another one can take its place
mmcli -m 0 --messaging-delete-sms=$text-id

# UPTOYOU: consider how you want your messages sent to you. I use ntfy

curl \
    -d "Text: $text" \
    -H "Title: $(date +%H:%M) - From $sender" \
    -H "Priority: high" \
    -H "Tags: envelope" \
    -H "Authorization: Bearer [TOKEN]" \
    https://ntfy.yourserver.tld/topic-for-SMS

I’m not showing you my SMS channel, but it should be per authentication. Never publish this to a short topic (like “text-msgs”) or have it legible without a token. I can also recommend having a self-hosted NTFY server (this can be inside your VPN tunnel so it’s less work and mo’ private.)

In closing

I am paranoid. Too paranoid for my own liking. All this will depend on how much trouble you want to go through, but I can say from my own experience that the first few days are the hardest. You will forget your modem, be offline for hours on end and get angry phone calls from your parents for not picking up the phone (because your SIP setup didn’t work with the encryption you chose in the settings menu).

If you want, I urge you to go in stages:

1. Set up the VoIP: Get a number, set up SIP calls on your phone, test it with a regular setup.
2. Try airplane mode: Put your phone into airplane mode, turn on WiFi only and try it again. You can take out your SIM just to see if you miss any functions or spend loads of time outside of normal phone coverage.
3. Once you think you’re ready, get a portable hotspot and grab a burner SIM. This should have some data available, a few gigs will do at this point. Never put this in your phone, only in the portable hotspot.
4. Try running WiFi-only for a few days, with your real SIM in your phone, so you can still pick up your SMS and receive calls. Try if the process of charging up your modem isn’t too much of a hassle for you (this is a point I can see as an issue for many people, charging a phone and a modem)
5. Once you’re ready, get a cheapo SMS modem (the one we used to connect our laptops to the Internet when phones didn’t have hotspot functionality) and connect it to a Raspberry pi. Set up the script, have it run every minute, and try it with a few SMS from family and loved ones (if applicable).

If this strategy works for you, you could get a lot out of it. If not, you don’t have to do it. This is currently an edge-case, but if I didn’t try it myself, could I really recommend it to anyone? My conscience tells me I couldn’t, as this is a huge lifestyle change.

I hope you enjoyed this rant, it had quite a response on Mastodon. If you need help, hit me up!