The NSA and GCHQ collaborated to steal the encryption keys from the world's biggest SIM card manufacturer Gemalto, according to documents leaked by whistleblower Edward Snowden.
Dubbed "the great SIM card heist" by The Intercept, which received the documents from Snowden, the breach of security gave the UK and US spy agencies "the potential to secretly monitor a large portion of the world's cellular communications, including both voice and data".
Netherlands-based Gemalto is one of the largest manufacturers of SIM cards in the world, counting 450 mobile operators in 85 countries as customers, which points to the potentially huge number of people who could have been affected by this attack. The company produces about two billion SIM cards each year in its 40 manufacturing plants.
The leaked documents show the attack originated in 2010 and was perpetrated by the Mobile Handset Exploitation Team, a joint unit established in April 2010 and consisting of operatives from the NSA and its British counterpart, Government Communications Headquarters, or GCHQ.
The attack saw the internal computer systems of Gemalto infected with malware, allowing the spies to monitor everything that was happening. One slide boasted: "[We] believe we have their entire network."
To achieve this, The Intercept says the agencies tracked Gemalto's own employees:
"As part of the covert operations against Gemalto, spies from GCHQ — with support from the NSA — mined the private communications of unwitting engineers and other company employees in multiple countries."
By stealing the encryption keys used to secure voice and data transmissions over mobile phone networks, GCHQ and the NSA would have been able to intercept and decrypt communications from hundreds of millions of people almost anywhere in the world.
Both the NSA and GCHQ have yet to comment on the latest leaks from Snowden.
While early mobile phone networks were relatively easy to breach, the adoption of more advanced 3G and 4G technology has made networks not only faster and more reliable but also much more difficult for spying agencies to monitor.
The privacy of your mobile phone calls depends on an encrypted connection between your phone (or more specifically your phone's SIM card) and the network you are registered on. This is based on an encryption key (known as a Ki) which is burned onto your SIM card at source by companies like Gemalto.
Gemalto then sells the SIM card to a network, handing over the Ki at the same time, which allows the network to validate your connection with a secret "handshake" that checks the Ki on the SIM matches the Ki held by the network.
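The handshake described above can be sketched as a challenge-response exchange. This is an added example, not code from the article or from Gemalto: HMAC-SHA256 stands in for the operators' real SIM authentication algorithms, and the class names, subscriber identifier and key values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def derive(ki, rand):
    """Return (response, session_key) for a Ki and a random challenge.

    HMAC-SHA256 is a stand-in (assumption): real operators use their own
    SIM authentication algorithms, which the article does not name.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

class Sim:
    """Holds the Ki written at manufacture; the Ki itself is never sent."""
    def __init__(self, ki):
        self._ki = ki

    def answer(self, rand):
        return derive(self._ki, rand)

class Network:
    """Holds the copy of each Ki that the manufacturer handed over."""
    def __init__(self):
        self._ki_by_subscriber = {}

    def provision(self, subscriber_id, ki):
        self._ki_by_subscriber[subscriber_id] = ki

    def verify(self, subscriber_id, rand, response):
        expected, session_key = derive(self._ki_by_subscriber[subscriber_id], rand)
        # Constant-time comparison; only a matching Ki yields a session key.
        return session_key if hmac.compare_digest(expected, response) else None

def handshake(network, subscriber_id, sim):
    """Run one challenge-response; return the agreed session key or None."""
    rand = secrets.token_bytes(16)        # challenge, sent in the clear
    response, sim_key = sim.answer(rand)  # response is sent, sim_key is not
    net_key = network.verify(subscriber_id, rand, response)
    return net_key if net_key is not None and net_key == sim_key else None

if __name__ == "__main__":
    ki = secrets.token_bytes(16)             # constructed sample key
    network = Network()
    network.provision("subscriber-001", ki)  # constructed identifier
    other = Sim(secrets.token_bytes(16))     # SIM holding a different Ki
    print("matching Ki:", handshake(network, "subscriber-001", Sim(ki)) is not None)
    print("wrong Ki:   ", handshake(network, "subscriber-001", other) is not None)
```

Because the session key is computed only from the Ki and the openly transmitted challenge, the protection this handshake gives rests entirely on the Ki staying secret at the manufacturer and the operator.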
Gemalto initially said it was completely unaware of the attack, but a spokeswoman subsequently told Reuters that while it was not targeted "per se", there was "an attempt to try and cast the widest net possible to reach as many mobile phones as possible".
"We take this publication very seriously and will devote all resources necessary to fully investigate and understand the scope of such highly sophisticated techniques to try to obtain SIM card data," she said.