The NSA and Britain's GCHQ hacked the world's biggest SIM card maker to harvest the encryption keys needed to silently and effortlessly eavesdrop on potentially millions of people.

That's according to documents obtained by surveillance whistleblower Edward Snowden and leaked to the web on Thursday.

"Wow. This is huge – it's one of the most significant findings of the Snowden files so far," computer security guru Bruce Schneier told The Register this afternoon.

"We always knew that they would occasionally steal SIM keys. But all of them? The odds that they just attacked this one firm are extraordinarily low and we know the NSA does like to steal keys where it can."

The damning slides, published by Snowden's chums at The Intercept, detail the activities of the as-yet unheard-of Mobile Handset Exploitation Team (MHET), run by the US and UK. In an operation dubbed DAPINO GAMMA, the group targeted Gemalto, which churns out about two billion SIM cards each year for use around the world.

These SIMs are used by "AT&T, T-Mobile US, Verizon, Sprint and some 450 wireless network providers" globally, The Intercept notes. "For millions or even billions of users around the world, global cellular communications are about as secure from GCHQ and NSA as an FM radio broadcast," the EFF reckons.

Operation DAPINO GAMMA

Intelligence agents targeted Gemalto staff globally, and used the NSA's spying programs to infiltrate their email and Facebook accounts. Once key individuals were identified and weaknesses found in their systems, the team moved in to compromise their computers, boasting in one slide that they "believe we have their entire network."

The target for the team was the unique Ki encryption keys baked into each of Gemalto's SIM cards. These 128-bit values are hidden away inside the SIM electronics, and are supposed to be kept secret. Every SIM has one regardless of its manufacturer.

Mobile networks keep a copy of a SIM's Ki key before the card is given to a subscriber. This is so that the carrier can identify and authenticate the device containing the SIM when it joins a network.

The Ki keys are also used to generate session keys that encrypt and decrypt voice calls; due to a lack of forward secrecy, obtaining the Ki for a phone means session keys can be recovered and intercepted calls can be decrypted effortlessly – without the need to crack the actual math behind the encryption algorithm, say experts.

Rather than cryptanalysis, it's easier for spies to use kleptanalysis.

Your taxes at work

This affects 2G and GSM calls, and the AKA system used by 4G and 3G, according to an analysis by assistant research professor Matt Green of Johns Hopkins University in Maryland, US. Calls intercepted years ago, and kept on file, can be decrypted once the keys are stolen.

"Both the GSM and AKA protocols lack an important property known as forward secrecy. What this means is that if I can record an encrypted call, and later obtain the long-term key K for that phone, then I can still reliably decrypt the whole communication – even months or years later," he wrote.

"Worse, for cellular conversations I can do it even if I only have one half (the tower side) of the communication channel."

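The lack of forward secrecy described above can be shown in a short sketch, added here as an illustration and not taken from the leaked documents, The Intercept or Green's analysis. It assumes HMAC-SHA256 and SHAKE-256 as stand-ins for the carrier's real A3/A8 and air-interface cipher, a toy Diffie-Hellman group for the contrast case, and hypothetical function names throughout.

```python
import hashlib
import hmac
import secrets

P, G = 2**255 - 19, 2  # toy Diffie-Hellman group, for illustration only

def a3_a8(ki, rand):
    """Stand-in for the SIM's A3/A8: returns (SRES auth response, 64-bit key Kc)."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

def stream_xor(key, data):
    """Toy stream cipher standing in for the air-interface cipher."""
    pad = hashlib.shake_256(key).digest(len(data))
    return bytes(x ^ y for x, y in zip(data, pad))

def gsm_style_call(ki, voice):
    """Carrier challenges with RAND; both ends derive Kc from Ki and RAND alone."""
    rand = secrets.token_bytes(16)            # travels in the clear
    sres_sim, kc = a3_a8(ki, rand)            # computed inside the SIM
    sres_net, _ = a3_a8(ki, rand)             # carrier uses its stored copy of Ki
    if not hmac.compare_digest(sres_sim, sres_net):
        raise ValueError("authentication failed")
    # Everything a passive recorder on the tower side ends up holding:
    return {"rand": rand, "ciphertext": stream_xor(kc, voice)}

def forward_secret_call(ki, voice):
    """Contrast: Kc also mixes in an ephemeral DH secret, discarded after the call."""
    rand = secrets.token_bytes(16)
    a, b = (secrets.randbelow(P - 2) + 1 for _ in range(2))
    shared = pow(pow(G, b, P), a, P).to_bytes(32, "big")
    _, kc = a3_a8(ki, rand + shared)
    return {"rand": rand, "dh_public": (pow(G, a, P), pow(G, b, P)),
            "ciphertext": stream_xor(kc, voice)}

def recover_from_archive(ki, capture):
    """Re-run the static derivation on an archived capture once Ki is known."""
    _, kc = a3_a8(ki, capture["rand"])
    return stream_xor(kc, capture["ciphertext"])

if __name__ == "__main__":
    ki = secrets.token_bytes(16)              # constructed 128-bit Ki
    voice = b"constructed sample voice frame"
    print(recover_from_archive(ki, gsm_style_call(ki, voice)) == voice)
    print(recover_from_archive(ki, forward_secret_call(ki, voice)) == voice)
```

In the first case the session key is a pure function of Ki and a value that crossed the air in the clear, so the archived capture opens as soon as Ki leaks; in the second, the same replay fails because the key also depended on a secret that was never transmitted or stored.
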
106,000 keys harvested – at least?

The MHET team was highly successful at grabbing these keys and matching them to SIM card deliveries. The group expanded their operations to attack Gemalto offices worldwide to gather more keys as they were sent out: included on the target list were workers at cellphone networks receiving the SIMs.

But all that takes time, so the team set up automated systems to do the job for them. These scanned the communications of people the agencies thought would have access to the keys for data that looked useful.

GCHQ/NSA presumably have access to their own nations' telcos for local Ki keys. Gemalto probably chiefly about international SIGINT. — matt blaze (@mattblaze) February 19, 2015

A 2010 top secret research paper leaked by Snowden showed that this approach was highly successful. Between December 2009 and March 2010 it harvested over 106,000 keys linked to identified SIM cards, and the paper recommended stepping up the harvesting operation.

It's feared the team didn't stop at Gemalto – and that spies working for other countries have also had the bright idea of infiltrating manufacturers supplying the planet's SIMs.

@ageis @mattblaze @csoghoian Because 'phones are too slow'. Say this to an ECC person if you want to make them mad. @hyperelliptic — Matthew Green (@matthew_d_green) February 19, 2015

"In the digital world we all live in, Gemalto is especially vigilant against malicious hackers and of course has detected, logged and mitigated many types of attempts over the years, and at present can make no link between any of those past attempts and what was reported by The Intercept," the SIM card firm told The Register in a statement.

"We take this publication very seriously and will devote all resources necessary to fully investigate and understand the scope of such highly sophisticated technique to try to obtain SIM card data. From what we gathered at this moment, the target was not Gemalto, per se - it was an attempt to try and cast the widest net possible to reach as many mobile phones as possible."

The hack of Gemalto may also call into question some of its other security products. The company supplies chips for electronic passports issued by the US, Singapore, India, and many European states, and is also involved in the NFC and mobile banking sector.

It's important to note that this is useful for tracking the phone activity of a target, but the mobile user can still use encryption on the handset itself to ensure that some communications remain private.

"Ironically one of your best defenses against a hijacked SIM is to use software encryption," Jon Callas, CTO of encrypted chat biz Silent Circle told The Register. "In our case there's a TCP/IP cloud between Alice and Bob and that can deal with compromised routers along the path as well as SIM issues, and the same applies to similar mobile software."

The NSA declined to comment on the story and GCHQ issued the following statement: "It is longstanding policy that we do not comment on intelligence matters. [T]he UK's interception regime is entirely compatible with the European Convention on Human Rights."

On Wednesday the UK government admitted that its intelligence agencies had in fact broken the ECHR when spying on communications between lawyers and those suing the British state, so GCHQ might want to reconsider that statement. ®