Karsten Nohl, head of Security Research Labs in Berlin, said he has found a way to capture some Sims' digital keys by sending them a special text message, and that the technique could allow a hacker to listen in on calls or even steal cash.
The potential flaw exists in millions of older Sim cards using an older encryption standard, he said.
Sim cards -- for Subscriber Identity Module -- serve as a security gateway, authenticating a user's identity on their cellular provider's network.
They also store text messages, contacts, and details used by some mobile applications, including some payment and banking services.
The authentication code of some older Sim cards can be discovered by sending a text message to a phone that masquerades as a communication from the user's cellular provider, Nohl said.
That authentication code is encrypted, but many older Sims used a 1970s-era coding system called Digital Encryption Standard, once thought secure but capable of being cracked "within 2 minutes on a standard computer," he said.
"Sim cards generate all the keys you use to encrypt your calls, your SMS and your Internet traffic," Nohl told the BBC.
"If someone can capture the encrypted data plus have access to your Sim card, they can decrypt it."
About an eighth of all Sim cards may be vulnerable to a hack attack, Nohl said, representing between 500 million and 750 million devices.