Crime EU Encryption Privacy

Encrypted Messaging Service Cracked by Belgian Police, Followed by Dozens of Arrests (brusselstimes.com) 92

"The cracking of a previously-unbreakable encrypted messaging service popular with criminals involved in drug trafficking and organised crime delivered a major victory for the justice system on Tuesday," writes the Brussels Times, in a story shared by DI4BL0S: The cracking of the expensive messaging app, called "Sky ECC," was what allowed over 1,500 police officers across Belgium to be simultaneously deployed in at least 200 raids, many of which were centred around Antwerp and involved special forces. Investigators succeeded in cracking Sky ECC at the end of last year, according to reporting by De Standaard, and as a result were able to sort through thousands of messages major criminals were sending each other over the course of a month. Information gained from those conversations is what led to Tuesday's historic operation, two years in the making.

Sky ECC became popular with drug criminals after its successor Encrochat was cracked in 2020 by French and Dutch investigators, who were able to intercept over 100 million messages sent via the app. That led to over a hundred suspects being arrested in the Netherlands, uncovering a network of laboratories where crystal meth and other drugs were being produced and allowing police to seize 8,000 kilos of cocaine and almost €20 million....

In a press conference by Belgium's federal public prosecutor's office on Tuesday afternoon, authorities stated that 17 tonnes of cocaine and €1.2 million were seized, and that 48 suspects were arrested.

Critics of Sky ECC "say more than 90% of its customers are criminals," according to the Brussels Times. Days later America's Justice Department indicted the CEO of Sky Global "for allegedly selling their devices to help international drug traffickers avoid law enforcement," reports Vice. They call it "only the second time the DOJ has filed charges against an encrypted phone company, and signals that the DOJ will continue to prosecute the heads and associates of companies that they say cater deliberately to facilitating criminal acts."

Earlier the Brussels Times had quoted the app makers' statement that they "strongly believe that privacy is a fundamental human right."

The newspaper also reported that Sky ECC calls itself "the world's most secure messaging app" — and "had previously said 'hacking is impossible'" — though in fact investigators have already decrypted almost half a billion messages.

  • Private Keys (Score:5, Informative)

    by bobbutts ( 927504 ) <bobbutts@gmail.com> on Saturday March 13, 2021 @01:39PM (#61154472)
    It's not private if someone else holds your private key.
    • And even if they don't it might not be.

    • No basis I can find for that wannabe FP about private keys. (But my webpage search might be broken again? What's with Firefox these days? Should I get a "Born to be pwned" tattoo? Or at least a sticker for my smartphone case?)

      My initial reaction to this story is to doubt the claim of cracking. What better way to divert the criminals' attention when the actual breach might be somewhere else? It's just difficult for me to believe that anyone, even a scammer, can sell a high-priced encryption scheme that can b

      • by gweihir ( 88907 )

        I think they just went to engineers that designed that system, showed them some evidence of what they would make them complicit in if they did not help and then gave them some time to install a nice little backdoor.

        The problem is that any for-profit offering is vulnerable to this type of legal attack, because you can always identify the people working for it and go after them.

        • by shanen ( 462549 )

          One of the "human links" in the chain, eh? Sounds quite likely.

          But I'm thinking that approach might blow the "cover story". From the prosecutors' perspective, they always want the criminals to do stupid stuff that produces lots of nice evidence. Not just hope they do stupid things, but even actively encourage them when possible and without creating more victims.

        • The old saying: if you have unlimited unmonitored physical access you own it.
          • by gweihir ( 88907 )

            Yes. That is why anything really secure only relies on both endpoints being secure. In that case, as soon as one endpoint is attacked successfully, it does not matter if the tech-side is compromised, the attacker has everything anyways.

    • by gweihir ( 88907 )

      It's not private if someone else holds your private key.

      Indeed. But apparently criminals value ease-of-use over actual security as well, just as anybody else.

    • It's not private if someone else holds your private key.

      Correct, but what isn't clear is if a private key was compromised or if the encryption itself was. You holding on to your only key means nothing if I'm able to pick your lock.

  • While this took place in Belgium, the Spanish police found a blue submarine in a warehouse in Malaga [bbc.com] which was to be used to transport drugs. The BBC article said the find involved five other nations and Europol. It's possible the Belgium police provided information which may have helped track this down as well.

  • Not hard to see where this is going. Anything the police have trouble with is "catering criminal acts."

    • Pretty much so. This is the second scandal by the police. Last year, Encrochat was the first. A Dutch police spokeswoman proudly told the press that they arrested "even new actors". This means that people who were not suspected of anything were investigated until the police found something to arrest them for. How many lawyers were investigated? How many journalists? How many doctors? This must be the largest human rights violation since the Second World War.
  • by John Trumpian ( 6529466 ) on Saturday March 13, 2021 @01:59PM (#61154540)
    Encryption will be banned for the people. Governments want full control over their tax batteries' data. Any resistance will be labelled as criminal behavior. Fuck them!!
    • The banning of encryption isn't enforceable, to do that you would have to monitor all communications. Also a growing majority of internet traffic is now encrypted (think https)

      • Keep on dreaming. Soon only "legal", read: decryptable, encryption will be allowed. Approved by the government to "protect" its citizens.
        • And all you'll have to do is crack open a laptop and send a key to your friend and start your encryption channel

      • by clodney ( 778910 )

        It is not enforceable in the abstract sense - people can write their own encryption software at any time of course.

        But it is very enforceable in the practical sense for about 99% of the population. First, the number of people who can write secure encryption apps is small. Even using standard algorithms and toolkits it is very difficult to implement securely end to end, especially if you have to assume your adversary has physical access to the device (i.e. a phone confiscated in an arrest). I don't find i

        • It is easily enforceable. Any developer or user of encryption that is not approved by the Government will be labeled as "criminal". So you still have the right to make and use it but as with driving through a red light, you will be punished.
    • Yeh those evil European governments how dare they stop criminals, give free healthcare, good schools, hospitals and more for citizens. Govs should be more like the USA where they give far less to citizens but expect them to be body bags to help protect the interests of mega corporations.
      • You totally miss the point here. Doing good things doesn't mean you can do bad things. Governments are there for us. By our grace. Privacy is a human right. So yes! Fuck them!
        • > Privacy is a human right. So yes! Fuck them!

          You don't understand there are no absolutes in our world. We can never reach absolute zero temp, you must obey some laws, anarchy isn't not perfect freedom.
          I'm just saying out of all the arseholes in the world, the world would be a better place if every country was run by any of them as compared to Google or the USA.
  • Though I am glad they nailed these jokers, the fact they apparently got all of their Signal messages is ominous: https://www.buzzfeednews.com/a... [buzzfeednews.com]

  • Hahahahahahahahaha! I love European humor.

    • Human rights are a straitjacket on government power with no justification. Deification of arbitrary rules ... a religion, but without even the excuse of divine inspiration.

  • Why use Sky ECC? (Score:5, Interesting)

    by gr8dude ( 832945 ) on Saturday March 13, 2021 @02:16PM (#61154586) Homepage

    I don't understand their rationale behind choosing this proprietary communication platform, when better choices are available. While Signal and Telegram require phone numbers, they could have used Matrix or Tox.

    • And they will use... or already use. So if all criminals turn to Signal will Signal then be blocked, taken down and will Moxie go to jail for being a member of a criminal organisation?
    • I'm surprised the criminals don't put out a few hits on these app makers for false promises.
    • What always stuns me is why they use expensive off the shelf products at all. Hire a few security devs, grab an open source program and customize it a little so that any hack has to be specifically researched and targeted at you, not at a whole community. The cost goes up massively for the authorities while the reward plummets.
  • by ytene ( 4376651 ) on Saturday March 13, 2021 @02:35PM (#61154628)
    The OP title might just lead us to believe that the encryption scheme used by SkyECC was broken.

    However, this article [vice.com] states,

    "The malware that French law enforcement deployed en masse onto Encrochat devices, a large encrypted phone network using Android phones, had the capability to harvest "all data stored within the device," and was expected to include chat messages, geolocation data, usernames, passwords, and more, according to a document obtained by Motherboard."

    This certainly suggests that law enforcement were able to persuade a significant number of users of SkyECC to install some malware that broke the protections of the messaging service. There's more here. [vice.com]

    That last link includes an explanation of how the Encrochat system was compromised by malware: "In May, some Encrochat users noticed a problem: the much lauded wipe feature on their phones wasn't working. An Encrochat associate told Motherboard that at the time they believed perhaps either the user had forgotten their reset PIN number, or that the wipe feature wasn't configured properly. Nothing to be alarmed about; users make mistakes. The next month, Encrochat managed to track down one of its particular X2 model devices which had the panic wipe issue, they explained.

    This wiping problem wasn't user error though. The Encrochat associate told Motherboard they found malware on the device. The phone had been hacked."


    None of which will come as any reassurance to any existing Encrochat customers, be they legitimate or criminal.

    But, lest the cryptographers among us become concerned, it doesn't look as though this was an encryption defeat, more a handset-based work-around.
    • That's interesting information. Thanks for that.

      The danger when reading that is that consciously or subconsciously people think:

      The encryption wasn't broken.
      [
      I'm using an encrypted device.
      Therefore I'm safe.
      ]

      In the end, it doesn't MATTER how they got the messages.
      The criminals bought expensive "ultra secure" phones, used a "secure" messaging app, and the cops read the messages

      Yes, the cops "cheated" - cheating is how this stuff works.
      Hackers cheat. It's what we do.

      On Thursday, my professor gave me

      • On Thursday, my professor gave me a binary I was supposed to hack. It was designed to be an exercise in "advanced ROP" - a very difficult challenge.

        Wow cool, what degree are you getting now?

        • Finishing up my masters in cybersecurity.
          That's my field.

          There's one thing I didn't really think through all the way when I applied to one of the top 3 schools in my field. Graduates of this program are considered among the best. Sounds like a great program to do, right?

          Well, it's prestigious not because it's *easy*. Turns out, when you take 8000-level postgraduate courses at a top school, the classes are *hard*. Graduates are considered among the best *because* you have to be really good to make it through.

          It

          • Well, it's prestigious not because it's *easy*. Turns out, when you take 8000-level postgraduate courses at a top school, the classes are *hard*. Graduates are considered among the best *because* you have to be really good to make it through.

            Yeah, it sounds like you're learning amazing stuff.

            • Kids seem to need to buy them for school.

              But actually, there is an opportunity in that they are not on the internet. Widely available and cheap. Put your crypto in there. Not sure if they could handle public key but symmetric would be no problem at all.

              A bit of double typing, but hey, if you want it to be really secure that is probably the way to do it.

              • I'm not sure what you're saying. I think you might have replied to the wrong post.

              • That's kind of an interesting idea.
                I had thought about using a microcontroller-based device for credential storage, but didn't want anything proprietary or too expensive.

                For maximum functionality, it should have a keyboard and screen, but for safety no network / wireless hardware.

                The right choice of programmable calculator might just be an interesting place to start.

            • It's interesting. And humbling - this stuff is cake for the profs.
              My binary exploitation professor won $750,000 at one CTF, and he hangs out with the best in the world. Apparently in South Korea some kids start learning hacking in elementary school, so to the top South Koreans some of this is high school shit.

              On one of my cryptography papers I did cite one of the world's top experts, the Prof. I quoted one of her earlier papers. The answer was marked wrong. Challenging the TA who marked it wrong, I got

              • It's super cool. You're developing tons of skills I'd like to have (or improve).

                • Come and join us.

                  https://www.gatech.edu/academi... [gatech.edu]

                  The cost is under $10,000, which is likely to be made up by a single year of increased salary.
                  It does mean trading a lot of Slashdot time for study time.
                  But, you get to talk with fellow cybersecurity students instead of Slashdotters.

          • by Whibla ( 210729 )

            Finishing up my masters in cybersecurity.
            That's my field.

            B) Formerly prove that all such hashes are breakable

            C) Show formerly how many CPU operations are required to break them.

            Good luck. I'll look forward to your informative posts even more now.

            But, unless you're engaged in time travel, you may want to formally prove and / or demonstrate your knowledge. ;-)

          • raymorris [slashdot.org]: "Cryptography was - interesting. One assignment was we had to .. Break MD hashes such as md4, md5, and sha1 (they are all Merkle-Damgard hashes"

            If you mean recovering the original string from the hash then you must be a genius. If you mean, generate collisions then that's already been done. If you mean brute force the hash against a word list, then that isn't breaking MD hashes.
            • There were actually a couple of assignments related to hashes.

              One was finding the hash without knowing the input.
              That was a head scratcher at first.
              That's defeating a scheme like this:

              Message = k
              Transaction: Transfer to account 303938, amount: 300
              Hash: hash_alg($secret key . $transaction)
              )

              Assignment:
              Given a message (a transaction and its hash),
              make a valid message for a *different* transaction.
              You must calculate the hash value without knowing the secret key.

              Note your code must work for all md4, md5, a

              • Ps - yes these things have been done before.
                Running 27 mph has been done before too. That doesn't mean it's easy.

                > If you mean recovering the original string from the hash then you must be a genius

                That's actually trivially easy in some important cases.

                It's quite doable, though not trivial, in the very important case of passwords. Technically with passwords what you know for certain is that you found a preimage, and that preimage is almost certainly the original string (because n inputs are evenly mapped

                • > that preimage is almost certainly the original string ..

                  Hashing loses information ..
                  • Hashing loses information *when the input is longer than the hash*.

                    Passwords are not long. They are typically 64-96 bits.
                    The SHA-1 hash is 160 bits.

                    That means there are about 2^96 times as many potential hashes as there are passwords.

                    Suppose you have 1 million baskets laid out on the floor.
                    You have a deck of 52 playing cards.
                    You randomly throw each towards the baskets.
                    The queen of hearts lands in basket number 634,884

                    You and I both know that the queen of hearts landed in basket number 634,884. If I take a car

    • So the old rule holds true, if you are a criminal make damn sure you don't associate with idiots.
    • That's Encrochat, this is about Sky ECC, nowhere does it say this was done the same. We don't know the details yet. Although Sky ECC has us believe these phones were not part of their certified supply chain, there were a huge amount of messages captured (1 billion iirc)
    • by bloodhawk ( 813939 ) on Saturday March 13, 2021 @04:20PM (#61154916)
      You are mixing two separate events. Encrochat IS NOT the same as Sky ECC and the two cracking events are unlikely to be the same.
      • The attacks are almost certainly the same, unless Sky ECC was a trojan horse all along. Sneaking malware onto targeted phones is way easier than cracking a real end-to-end-encrypted chat system.
    • With Encrochat, encryption was never broken. Any message has to be decrypted at some point, and new messages are obviously not encrypted until they get encrypted - and that's when it was sent to law enforcement.

      You can build encryption that cannot be cracked. It's not even hard. RSA was explained very nicely in The Art of Computer Programming around 1985. If you have uncrackable encryption attackers will figure out how to get the plaintext without decrypting it.
      • Mod up. Also encrypted messages, unbroken, can be stored, and decrypted years or decades later. The wiki entry claims a fake chat app was in circulation. One hopes they get their hands on a few compromised phones, forensically deconstruct the malware, and sue the living daylights out of the perpetrator - and sell their code on the internet to others. One presumes it will also work on Police/DPP phones just as well. The solution for Sky ECC going forward is simple. Have a Canary function handshake that t
    • by gweihir ( 88907 )

      Probably a supply-chain attack on the phone update mechanism. Would not surprise me one bit.

    • So they need to sandbox every app on the phone, so a hacked app or malware can't access the data from any other app.
  • the one time I log in and don't have mod points ....
  • Press release from the company: "SKY ECC points out that the SKYECC.EU reseller is an imposter and not authorized to sell SKY ECC phones. We have reason to believe the website www.skyecc.eu is operated by a disgruntled former SKY ECC reseller whose reseller rights were terminated in September 2019 after repeated violations of SKY ECC reseller policies." https://www.skyecc.com/imposte... [skyecc.com]
  • If you want real security, don't connect to the internet.

  • > "America's Justice Department indicted the CEO of Sky Global "for allegedly selling their devices to help international drug traffickers avoid law enforcement,""

    So gun manufacturers should also be indicted?
    • Or somebody wanted a phone immune from push ads when walking into a shopping mall, or their parents tracking them.
  • Apparently the phone that the Dutch authorities showed was produced by SKYECC.EU, which Sky ECC claims is an imposter group selling counterfeit phones. [skyecc.com]. Quoting:

    “This ‘EU’ phone is not one of ours and is not sold by us,” says Jean-François Eap, CEO of SKY ECC. “We know that someone has been passing themselves off as an official reseller of SKY ECC for some time and we have been trying to shut it down through legal channels for almost two years.” SKY ECC points out that the SKYECC.EU reseller is an imposter and not authorized to sell SKY ECC phones. We have reason to believe the website www.skyecc.eu is operated by a disgruntled former SKY ECC reseller whose reseller rights were terminated in September 2019 after repeated violations of SKY ECC reseller policies. SKY ECC recently became aware, through its authorized distributors in Belgium and the Netherlands, of a fake phishing application looking similar to SKY ECC but sold on phones without standard SKY ECC security features. “The Belgian police’s claim that they sent bank accounts details to SKY ECC to claim our “5 Million Dollar Hack” prize is entirely false,” says Eap.

    Note: I'm not sure what to make of this claim, other than that the proof is in whether the Dutch authorities were able to compromise the encryption of actual Sky ECC phones. We'll know that from court filings I suppose.

  • The company claims that fake "Sky ECC" phones were
    distributed containing already-broken security.
    That would actually be a pretty clever way for the cops
    to nab the crooks who wouldn't know any different.
