
Police Decrypt 258,000 Messages After Breaking Pricey IronChat Crypto App (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Police in the Netherlands said they decrypted more than 258,000 messages sent using IronChat, an app billed as providing end-to-end encryption that was endorsed by National Security Agency leaker Edward Snowden. In a statement published Tuesday, Dutch police said officers achieved a "breakthrough in the interception and decryption of encrypted communication" in an investigation into money laundering. The encrypted messages, according to the statement, were sent by IronChat, an app that runs on a device that cost thousands of dollars and could send only text messages.

"Criminals thought they could safely communicate with so-called crypto phones which used the application IronChat," Tuesday's statement said. "Police experts in the east of the Netherlands have succeeded in gaining access to this communication. As a result, the police have been able to watch live the communication between criminals for some time." Blackbox-security.com, the site selling IronChat and IronPhone, quoted Snowden as saying: "I use PGP to say hi and hello, i use IronChat (OTR) to have a serious conversation," according to Web archives. Whether the endorsement was authentic or not wasn't immediately known. The site has been seized by Dutch police.

  • by Camel Pilot ( 78781 ) on Wednesday November 07, 2018 @05:08PM (#57608448) Homepage Journal

    "I use PGP to say hi and hello, i use IronChat (OTR) to have a serious conversation,"

    Sure sounds like a paid product endorsement....

    • by reanjr ( 588767 ) on Wednesday November 07, 2018 @11:00PM (#57610056) Homepage

      I think what probably happened is Snowden was talking about the OTR protocol, and not a particular product and the marketurds twisted his words with their ignorant/malicious misquotation.

    • by AmiMoJo ( 196126 )

      I'm pretty sure this quote is fake. I can't find an original source for it, and Snowden's writing style would at least capitalize the 'I', if not put quotes around "hi" and "hello".

      He has mentioned OTR before, but not in reference to IronChat.

  • by Srin Tuar ( 147269 ) <zeroday26@yahoo.com> on Wednesday November 07, 2018 @05:12PM (#57608480)

    This is likely just a fairly amateurish security protocol implementation sold at inflated prices to people flush with cash.

    It's really not all that hard to do secure communications... if actual criminals used something called "ironchat" they deserve what they got.

    • by fred911 ( 83970 )

      "used something called "ironchat" they deserve what they got."

      Exactly! It would have been much cheaper, and just as secure to use triple ROT13. Cause it's 3x betterer.

      • "used something called "ironchat" they deserve what they got."

        Exactly! It would have been much cheaper, and just as secure to use triple ROT13. Cause it's 3x betterer.

        I prefer the Rotweiller13 encrypted comms: the message is transmitted via a sled pulled by 13 extremely hungry Rottweilers.

        *Lag is horrible and distance can become a problem. YMMV (literally).

        • Had I not commented you would be getting my last point. Good work!

        • by dcw3 ( 649211 )

          "used something called "ironchat" they deserve what they got."

          Exactly! It would have been much cheaper, and just as secure to use triple ROT13. Cause it's 3x betterer.

          I prefer the Rotweiller13 encrypted comms: the message is transmitted via a sled pulled by 13 extremely hungry Rottweilers.

          Is its bark worse than its byte?

    • This is likely just a fairly amateurish security protocol implementation sold at inflated prices to people flush with cash.

      It's really not all that hard to do secure communications... if actual criminals used something called "ironchat" they deserve what they got.

      If secure communications are so easy, why do so many people seem to get it wrong? It only takes one little mistake to compromise secure communications. The mistake may not even be in anything but a library you use or a design flaw in the silicon you run it on. No. Secure communications is very difficult and that is why the NSA spends a lot of time and effort A) Monitoring others' communications B) developing and testing secure methods of communication.

      • by jythie ( 914043 )
        Secure communications are a bit like, hrm, the whole meme around how we could build interstellar ships 'right now'. It is 'easy' when one only wants to look at a single, fun part of the problem that you can throw math at, but gets a lot harder when getting into the nitty gritty of implementation and maintenance, then even worse when your entire solution for the human factor is handwaving 'well just use the right kind of people!'
  • by Anonymous Coward

    And siezed the keys, then used those keys to unlock the locks. Or the messages are logged unencrypted on the siezed site.

    I promise you the Dutch police have no ability to "hack" anything.

    And IronHorse or whatever has never been secure.

    • by tsqr ( 808554 )

      And siezed [wikipedia.org] the keys.

    • They siezed the site
      And siezed the keys, then used those keys to unlock the locks.

      Then it's not really end-to-end encryption as claimed. It's just another service encrypting its traffic so middlemen, other than itself and its masters, can't read it. In true end-to-end the service provider can't read the content even if they want to.

  • by nehumanuscrede ( 624750 ) on Wednesday November 07, 2018 @05:32PM (#57608594)

    If there was any chance of listening to future conversations between parties using Iron Chat, this announcement just blew that right out of the water.

    The folks who wish to talk via encrypted channels will now simply change their method of communication.
    It could be another commercial app, a homebrew one or just go all old school and do things the way it was done before the era of smartphones.

    It could also be complete bullshit on the part of the Police in an attempt to get folks to quit using it :D

    • Re:Brilliant (Score:5, Insightful)

      by AmiMoJo ( 196126 ) on Wednesday November 07, 2018 @05:39PM (#57608640) Homepage Journal

      They couldn't keep it secret for very long because they would have to present the intercepted messages in court eventually.

      It appears that weaknesses in the app are to blame here. It was a poorly designed app, basically snake oil.

    • by Anonymous Coward

      Maybe Iron Chat is working so well, the only way to defeat it is to fake a story that it's been cracked so people switch to something more exploitable.

    • by AHuxley ( 892839 )
      Police had to act fast before criminals suspected and questioned other criminals about helping the police.
      Better to tell everyone that it was "computers" and protect other well placed human informants working for the police.

      The police can then control the results now rather than unexpected results of finding actual decades of well placed human informants.

      Informants who can always find out what the next crypto product is :)
    • It was on the news here: the police announced it at this moment on purpose, because several people getting arrested recently made other criminals suspect someone in their midst was leaking to the police and they were planning violent actions against them.

  • by jelwell ( 2152 ) on Wednesday November 07, 2018 @06:00PM (#57608748)

    Pretty sure that quote is only half true. Snowden has mentioned OTR in the past. I doubt he specified IronChat.
    Joseph Elwell.

  • by ffkom ( 3519199 ) on Wednesday November 07, 2018 @06:26PM (#57608908)
    They just fetched keys from the central service provider, and given that this crappy app never implemented actual end-to-end encryption, that was enough to decrypt the messages.

    Seriously, criminals stupid enough to rely on proprietary, centralized messenger services deserve to get jailed for that alone.
  • We should not be using PKI that depends on a trusted source.

    People have their own private keys. But then how to know that you are using the right one? The SSH problem.

    So use SRP instead. Secure Remote Password. The communication only works if both people use the same password. And no way to brute force the password back. Simple, and intrinsically secure.

  • Much like ‘identity theft’, ‘obstructing justice’, ‘resisting’, and ‘human trafficking’, it’s a made-up boogeyman designed to convince the masses to give up their civil rights voluntarily.

    Sadly, most of them do. Everyone else gets theirs taken away involuntarily. We all clap when we hear that the government nabbed one of those evil money launderers.

    Money laundering is an almost sure-fire conviction as it is impossible to disprove, and that is exac

    • You apparently don't understand what money laundering is. In the simplest sense, let's say you're a drug dealer and you have $20,000 in cash. You want to store it in the bank, but when you do that the IRS finds out about it. So you create a sham business and cook the books, making it look as if the money is really proceeds from your business.

      We sometimes see things listed for exorbitant prices on Amazon. Probably money laundering. A friend of mine talks about car auctions now, where people will buy car

  • I hear the decryption tool was written in Rust.
  • I've never heard of Ironchat but from the sounds of it, it was cryptographic snakeoil. If cops / intelligence services were listening in realtime that would suggest that it wasn't securing messages from man in the middle / spoof attacks or the manner that keys were exchanged was insecure.
