Euro police forces infiltrated encrypted phone biz – and now 'criminal' EncroChat users are being rounded up

French and Dutch police have boasted of infiltrating and killing off encrypted chat service EncroChat, alleging it was used by organised crime gangs to plot murders, sell drugs, launder criminal profits and more. The encrypted chat platform is alleged by British, French and Dutch law enforcement agencies to have been used by …

      1. Cynic_999 Silver badge

        Re: But private ciphers also exist...even if end-to-end encryption is broken.......

        As I stated in a previous message, that's all very well for messages sent between people who already know each other, but is no good for people who wish to advertise their criminal services, or their desire to hire a criminal service.

        No need for expensive hardware to simply securely communicate with a known person. Just send PGP encrypted emails to each other. Use a hidden email (or similar) service if the metadata would be a problem rather than only the message contents.

      2. Claptrap314 Silver badge

        Is alt.binaries still a thing?

        If so, I would assume any criminal organization would be posting there constantly. Which ones are actual messages and not just noise is an exercise for the interested.

        1. John Brown (no body) Silver badge

          Re: Is alt.binaries still a thing?

          Yes, it's still "a thing".

          On my last perusal, most of the TV and movie groups are full of posts using randomised senders, subject lines made up of randomised letters/numbers, may or may not be complete, sometimes are clearly posted in "sets" but often across multiple groups. If you aren't "in the know", then they are just noise. Most likely it's pirate groups passing their wares to their mates/members, but for all I know, even if you manage to get a full set of posts, they may well be encrypted as well, if not just passworded RAR or ZIPs, but getting a full set looks like you need to scan many different groups in the hope of finding related posts. I assume they have some other channel or method of informing the recipients how and where to find the relevant posts.

          On the other hand, there are still live and lively discussion groups going. There's even binary groups that are used as intended.

    1. Grinning Bandicoot

      Re: But private ciphers also exist...even if end-to-end encryption is broken.......

      5005 06010 98080 35803 81481 16513 89340 47876 10153 11063 Here are some letters for the moderator

  1. Anonymous Coward

    So having 'broken' an encrypted message service and shown it to be a hive of scum and villainy, presumably they can point to all end-to-end encrypted messaging systems and say "Well, that one was full of wrong 'uns, so those probably are too - if only we had a way of intercepting the messages there, see what great work we can do in cleaning it up".

    1. Long John Silver
      Pirate

      The NCA, Mrs May's folly, may well think along those lines. Other agencies, e.g. the real expertise at GCHQ and its like, know better.

    2. Dr Dan Holdsworth
      Pirate

      This is the classic trick for landing someone you don't like in the smelly. Take a list of, say, people banking with a tax haven that you have managed to lift from somewhere and add a few extra names and details to it. Hey presto, guilt by association, and the reason that American courts use a principle that evidence obtained illegally is inadmissible in court.

  2. Long John Silver
    Pirate

    Matters arising

    I may be wrong but my understanding is of encryption when using this device depending upon a dedicated chip. If so, the question arises whether relying upon a pre-configured chip is inherently less secure than when using software running on a generic processor. Among possibilities for insecurity are inclusion of a planned back-door or exploitation of an accidental vulnerability. Either way, an entire batch of devices becomes suspect. Vulnerabilities in solely open source, solely software, implementation of a reliable encryption algorithm can be identified and fixed without need of changing a physical component.

    It would appear that both honest and criminal users of this device placed too much faith in the high cost of the service guaranteeing fitness for purpose.

    The criminal element might have done better by using throwaway phones for each transaction. By not using potentially dodgy encryption they wouldn't draw attention to themselves. Moreover, open communication using, when feasible, agreed code words/phrases (perhaps decided in advance under encrypted email communication) can be made very secure for many purposes.

    Perhaps, law enforcement agencies should offer expensive master-classes for criminals? There again, perhaps not.

    1. jake Silver badge

      Re: Matters arising

      It's actually simpler than that.

      The cops infiltrated EncroChat (the company itself) and snooped on supposedly encrypted data directly off the EncroChat servers. This is a very good example of why using code that has to go through a central server not under the control of the users should never be considered secure.

      If you want security, peer to peer is the way to go. And sometimes not even then, at least in the hands of typical members of the GreatUnwashed.

      We now return you to the usual unfounded bickering and speculation.

      "When three sit down to talk revolution, two are fools and the third is a police spy."

      1. Hubert Cumberdale Silver badge

        Re: Matters arising

        Agreed. As a criminal*, I would be highly suspicious of any such system. And paying four figures for a special phone? Have none of them heard of Signal et al.? Even WhatsApp is end-to-end encrypted these days. I don't geddit.

        (*that is to say, if I were a criminal...)

        1. Anonymous Coward

          Re: Matters arising

          Wickr is popular amongst dealers

        2. I Am Spartacus

          Re: Matters arising

          Hubert,

          The noise you're hearing is black helicopters circling whilst the boys kick in your doors.

        3. amanfromMars 1 Silver badge

          Re: Matters arising

          Agreed. As a criminal*, I would be highly suspicious of any such system. And paying four figures for a special phone? Have none of them heard of Signal et al.? Even WhatsApp is end-to-end encrypted these days. I don't geddit. ..... Hubert Cumberdale

          Regarding criminals and why they don't geddit, HC, one might like to realise Albert Einstein sussed it out a long time again with this observation ....... "Two things are infinite: the universe and human stupidity; and I'm not sure about the universe."

          There is very little chat on any media stream about the NCA's recent operation snaring any criminal masterminds, because although one would surely logically expect any mastermind to realise crime is reserved and preserved for the intellectually challenged and fooled and hence their non-appearance.

          Is criminal mastermind oxymoronic like military intelligence?

          1. Chris G Silver badge

            Re: Matters arising

            "Is criminal mastermind oxymoronic like military intelligence?"

            No, the criminal masterminds own the internet and most of everything else.

          2. Anonymous Coward

            Re: Matters arising

            Some are naive enough to think crime doesn't pay.

          3. Hubert Cumberdale Silver badge

            Re: Matters arising

            Is criminal mastermind oxymoronic like military intelligence?

            Or like Microsoft Works?

    2. Unbelievable!

      Surveillance via small print. Human rights to privacy are gone.

      For as long as 'authorities' have the power to read encrypted or otherwise data transmissions, launch secret satellites for interception reason, issue NSA letters compelling service providers to obey and reveal etc... that's if they obey the law. Truth is, if they want badly enough, one worker can be expendable.. just re-employed elsewhere//

      Ask yourself, why does any company require so much information when registering for a service? Surely that would put customers off?

      The answer is to consider that you're actually registering onto a spy program.

      If YouTube can store and serve so, so very much video hi res content, easily, how much storage space and speed capability do you think text based data would require?

      1. jake Silver badge

        Re: Surveillance via small print. Human rights to privacy are gone.

        "how much storage space and speed capability do you think text based data would require?"

        Speaking as a guy who has specced, built and run several Usenet news farms, the answer to that is "probably more than you think".

        1. Anonymous Coward

          Re: Surveillance via small print. Human rights to privacy are gone.

          Speaking as a Usenet user, how much of that text based data is used as text at the end of the day = p

          1. Anonymous Coward

            Re: Surveillance via small print. Human rights to privacy are gone.

            Indeed. Especially when you consider all the header and/or data to go with each text blob.

            Plain text is way less efficient than other types of data.

          2. jake Silver badge

            Re: Surveillance via small print. Human rights to privacy are gone.

            Even without the bunnies and other copyright infringement Usenet is far harder to do well than it looks on first blush.

    3. Doctor Syntax Silver badge

      Re: Matters arising

      "I may be wrong but my understanding is of encryption when using this device depending upon a dedicated chip."

      The Motherboard article says they didn't, they just added a little something in software to intercept the plain text from the keyboard. Which raises the question of how did that get smuggled out to their own servers without anyone noticing?

      1. Anonymous Coward

        Re: Matters arising

        I'm speculating but the servers surely do a lot of communication with the clients - the phones. The data could have been smuggled out that way.

      2. Graham Cobb Silver badge

        Re: Matters arising

        I don't suppose many of the purchasers bothered to do network traffic inspection testing of the device in use: the captured data could be sent in an unencrypted http message to a police server without anyone likely to notice!

        The crims who would notice (who are likely to be government-backed if they are really that sophisticated) will not be using commercially-available WhatsappForCrims services.

      3. Roland6 Silver badge

        Re: Matters arising

        > Which raises the question of how did that get smuggled out to their own servers without anyone noticing?

        Through the normal out-of-band MMS service available to operators, normal background auto Android app updates...

        Reading about the phones, I suggest that fundamentally the phone was running a jailbreak Android image, however, I expect that whilst much effort was put into the secure messaging app, the phone's network interface was totally normal, i.e. untouched.

        The laugh would be if the phone used Google Play Store/services for the app updates..

    4. Roland6 Silver badge

      Re: Matters arising

      >I may be wrong but my understanding is of encryption when using this device depending upon a dedicated chip.

      I wonder whether any of these devices get into the hands of white hat researchers...

      I suspect from what little has been published, both about what the police are letting on about EncroChat and what was published on the EncroChat website (see link elsewhere in comments to the WayBack Machine), the encryption actually used was a bulk standard off-the-shelf package and possibly one natively supported by Android. What does make sense, is the attention paid to key management so that the service could guarantee anonymity. I suspect many will now be looking at how you might implement a secure end-to-end secure messaging service that avoids the flaws in PGP, AES et al, namely:

      For example, with PGP a user has only one key. If the private key of a user is exposed, a perpetrator is able to decrypt all previous messages sent. Another serious drawback is non-reputability. Every message is signed with your private key which verifies and exposes the sender's digital identity, proving authorship of the message.

      >The criminal element might have done better by using throwaway phones for each transaction. By not using potentially dodgy encryption they wouldn't draw attention to themselves.

      The use of throwaway phones would have mitigated the worst effects of the "malware" install. I think the 'dodgy' encryption had zero to do with it - with the amount of encrypted traffic flowing these days I doubt the traffic itself drew any attention.
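The single-key drawback quoted in the comment above, as an added example that is not part of the thread and is not PGP's or EncroChat's code: one long-lived key lets whoever seizes it read every stored ciphertext, while a one-way key chain whose old links are erased does not. The HMAC-SHA256 stream construction, the `Ratchet` class and the sample messages are constructed for illustration only.

```python
import hashlib
import hmac
import os

MESSAGES = [b"first message", b"second message", b"third message"]  # constructed

def _h(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    blocks = (_h(key, nonce + i.to_bytes(4, "big")) for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC with sub-keys derived from `key` (illustrative cipher)."""
    nonce = os.urandom(16)
    ks = _keystream(_h(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return nonce + ct + _h(_h(key, b"mac"), nonce + ct)

def unseal(key, blob):
    """Return the plaintext, or None when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _h(_h(key, b"mac"), nonce + ct)):
        return None
    ks = _keystream(_h(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

class Ratchet:
    """One-way key chain: each step yields a message key and replaces the chain key."""
    def __init__(self, chain_key):
        self.chain = chain_key

    def next_key(self):
        msg_key = _h(self.chain, b"msg")
        self.chain = _h(self.chain, b"chain")  # previous chain key is not kept
        return msg_key

def try_keys(keys, blob):
    for key in keys:
        plaintext = unseal(key, blob)
        if plaintext is not None:
            return plaintext
    return None

def compromise_demo():
    # Model 1: one long-lived key for every message (the drawback quoted above).
    static_key = os.urandom(32)
    static_cts = [seal(static_key, m) for m in MESSAGES]

    # Model 2: both ends share a root secret and step a ratchet per message.
    root = os.urandom(32)
    sender = Ratchet(root)
    ratchet_cts = [seal(sender.next_key(), m) for m in MESSAGES]

    # The intended receiver steps its own ratchet in the same order.
    receiver = Ratchet(root)
    receiver_view = [unseal(receiver.next_key(), c) for c in ratchet_cts]

    # Key material is exposed after the third message: the static key, and
    # the ratchet's current chain key (the only state still held).
    static_view = [unseal(static_key, c) for c in static_cts]
    forward = Ratchet(sender.chain)
    candidates = [sender.chain] + [forward.next_key() for _ in range(8)]
    ratchet_view = [try_keys(candidates, c) for c in ratchet_cts]
    return static_view, ratchet_view, receiver_view

if __name__ == "__main__":
    print(compromise_demo())
```

The guarantee depends on the old chain keys actually being erased, and the exposed chain key still yields every later message key until fresh key material is mixed in.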

    5. John Savard

      Re: Matters arising

      There was no encryption chip, nor, for that matter, was there any plaintext on the Encrochat servers. The phones were an ordinary phone from a normal Spanish cell phone company.

      There was encryption software which communicated through the Encrochat servers.

      The Encrochat servers got compromised, sent malware out to the users' phones, and then the malware read plaintext on the phones and sent it to the cops.

  3. Anonymous Coward

    Nothing to Hide, Nothing to Fear

    Let the Heiling Begin.

    First they came for the Journalists and Defence Lawyers ...

    1. Peter2 Silver badge

      Re: Nothing to Hide, Nothing to Fear

      Yes. I'm sure lots of Journalists and Defense Lawyers were spending 3 grand a year on a contract for a phone.

      Twit.

      Spying on defense lawyers is illegal, and even if it is done then no details gained via it could be revealed to the prosecution (they'd be obliged to tell the court or end up never, ever being able to practice law again anywhere in the western hemisphere) so that's pointless and won't happen. Working in legal IT I can say that it's not something we are concerned about given that discussions with clients happen in person, not over the phone because that sort of paranoia is cheaper, and evidently more effective.

      Shall we ask if El Reg buys all of their journalists 3k per year phones? I doubt it, somehow since they'd only be good communicating with another person using the same comms channel and a £3k a year bill per user is going to put off pretty much everybody. Even if they did do that, it'd be pointless given that if I wanted to phone them instead of just emailing the tips address then it'd be no more secure than phoning another mobile.

      1. amanfromMars 1 Silver badge

        Re: Nothing to Hide, Nothing to Fear

        Spying on defense lawyers is illegal, and even if it is done then no details gained via it could be revealed to the prosecution (they'd be obliged to tell the court or end up never, ever being able to practice law again anywhere in the western hemisphere) so that's pointless and won't happen. ...... Peter2

        As obvious persons of interest, given the vast hundreds of billions of pounds slush funds of fiat money they are responsible for laundering and disbursing to recipients, .... and ain't that the sweetest of honey pot temptations to abuse and misuse ...... does GCHQ provide Parliament with all of their security needs and mentor and monitor all of their feeds. ...... you know, not so much spy on them as ensure there is Sterling Blanket Oversight? Surely Cheltenham, and its satellite operations, doesn't keep itself in the dark about any of the actions and thoughts of Parliamentarians?

        That would surely be a gross dereliction of public duty and all too easily give rise to all of manner and matter of abuses and misuse? You know the system has corrupt form as evidenced by many past trials and tribulations.

  4. A. Lewis

    What a disappointing take on this good news. And it is good news. Hundreds of people responsible for great harm to the most vulnerable in our society, potentially under lock and key now. Criminal operations disrupted. Yet this article feels like it wants to suggest it was bad because of some highfalutin ideals of privacy overriding the fact that these people were directly responsible for the deaths of countless victims of the drug trade and organised crime.

    1. sabroni Silver badge

      You don't know who the users of this service were but because some were criminal you think it's ok to tar them all with the same brush.

      Drug smugglers all arrive in the country by boat or plane. Should we apply your tar brush to all travelers too?

      1. Anonymous Coward

        And some criminals use;

        - guns

        - computers

        - televisions

        - steak knives

        - cheddar cheese slices

        Please don't take my cheese away from me...

        1. Bowlers

          "cheddar cheese slices

          Please don't take my cheese away from me..."

          Except the rubbery ones.

          1. John H Woods

            re: Except the rubbery ones.

            Except Halloumi, which is both rubbery and excellent

            1. Hubert Cumberdale Silver badge

              Re: re: Except the rubbery ones.

              I went to a Chinese restaurant the other day, and I says to the waiter, I says, "this chicken is rubbery". And I got cancelled for attempting to extract humour from outdated stereotypes based on exaggerated accents.

          2. Anonymous Coward

            Which nulls any American cheese

            1. jake Silver badge

              It may interest you to know that so-called "American" so-called "cheese" is no more American than it is cheese ... The inventor of the narsty artificial plastic cheese substitute was a dude named James Lewis Kraft, who was Canadian.

    2. Doctor Syntax Silver badge

      I suppose you think you have nothing to hide. If so go back and look at the T&Cs of the online services you use. Start with banking. Then come back and tell us all the login credentials you're contractually allowed to share with us.

      Legitimate online commerce depends on being able to maintain security. Anything that compromises that for the sake of attacking criminal operations also attacks legitimate commerce is problematic.

      While one part of me thinks this was a great operation the other side worries. To do this legitimately, with due protection to the innocent, it should have been conducted under appropriate* warrants. Was it?

      *I also have concerns that the framework under which interception is carried out in the UK really is appropriate. There is a history of the Acts which provide this framework being struck down in court and replaced by a new one to provide the same shaky cover. I suspect that somewhere in a Home Office filing cabinet there's a draft of the next Act ready to put before Parliament as soon as the existing one gets successfully challenged.

    3. Cynic_999 Silver badge

      Yes, I'm sure a lot of really bad criminals died in the Nazi concentration camps. Which does not mean they were a good thing.

    4. Inkey
      Big Brother

      You're looking at it wrong

      I'm sure that if you aggregated the blood on hands and damage done to the "most vulnerable" it's not those that want to get high or those that enable them to that have the most to answer for... although depending on how much kool aid you drank, sniffed or smoked your perception may vary...

      There were probably stoics at the time that felt that the Stasi and the Nazis had merit...and how about those who dared to proclaim that the earth was a sphere and orbited the sun... highfalutin indeed

      It's a human folly to believe that you can charge other humans to protect humans and that if you did that they actually would

    5. Anonymous Coward

      @A. Lewis

      You seem to be promoting a belief in "the ends justifies the means".

      Where exactly does that stop? Why would it?

      Absolute power corrupts absolutely.

      :/

  5. Neil Barnes Silver badge
    Big Brother

    It's an interesting dichotomy

    1) very very few people have the skills and knowledge to build an encryption system

    2) you can't trust an encryption system you didn't build yourself

    Oh dear...

    1. LucreLout
      Pint

      Re: It's an interesting dichotomy

      you can't trust an encryption system you didn't build yourself

      I can't trust an encryption system I DID build myself. I mean, why would I? It's not like every bit of code I've ever written has been bug free.....

      Beer, because it's Friday and whispering in pubs is relatively low risk for most comms.

      1. John Brown (no body) Silver badge

        Re: It's an interesting dichotomy

        "Beer, because it's Friday and whispering in pubs is relatively low risk for most comms."

        Whispering in the pub is a little more risky these days, what with the music turned down and the 2 metre gap :-)

    2. Graham Cobb Silver badge

      Re: It's an interesting dichotomy

      Which is why the answer is Open Source. While not perfect, it is likely a much better system than one you code yourself and you don't have to trust a small number of people.

      The biggest downside is if there is a bug or a weakness, it is easier for your adversary to find. But there is also a large chance someone else will find it and it will be fixed.

  6. Anonymous Coward

    (journalists, lawyers, academics, domestic and foreign political campaigners – to name just a few)

    Tom, Dick, and Harry, to name a few more.

    1. David Shaw

      Re: journalists, lawyers, academics, domestic and foreign political campaigners – to name...

      Alice, Bob, and ‘evil’ Mallory to name some more relevant characters

      1. Anonymous Coward

        Re: journalists, lawyers, academics, domestic and foreign political campaigners – to name...

        well, as a law-abiding citizen, I would like to have a phone that would be fully immune from State overwatch. Does that make me an evil Mallory?

        1. Cynic_999 Silver badge

          Re: journalists, lawyers, academics, domestic and foreign political campaigners – to name...

          Even law-abiding citizens are just one new law away from becoming criminals.


Biting the hand that feeds IT © 1998–2022