Australian cops, FBI created backdoored chat app, told crims it was secure – then snooped on 9,000 users' plots

The Australian Federal Police (AFP) has revealed it was able to decrypt messages sent on a supposedly secure messaging app that was seeded into the criminal underworld and promoted as providing snoop-proof comms. The app was in fact secretly built by the FBI, and designed to allow law enforcement to tune into conversations …

  1. VTAMguy

    Mobile phones that can't make calls?

    "The app could only run on mobile phones that could not make calls"

    What kinds of mobile phones would these be then?

    1. W.S.Gosset Silver badge

      Re: Mobile phones that can't make calls?

      Answer: the fully-restricted handsets which have been standard in security-sensitive circles for many years now.

    2. diodesign (Written by Reg staff) Silver badge

      'What kinds of mobile phones would these be then?'

      Mobile phones that can't make calls. There's a demand among drug traffickers for handhelds that have had their voice call capabilities, and other functions, removed for security and privacy reasons -- preferably physically removed, if possible. See Sky ECC, which was bundled on devices that had their microphones, cameras, and GPS receivers removed.

      From the AFP announcement:

      "The app AN0M was installed on mobile phones that were stripped of other capability. The mobile phones, which were bought on the black market, could not make calls or send emails. It could only send messages to another device that had the organised crime app. Criminals needed to know a criminal to get a device."

      C.

      1. W.S.Gosset Silver badge

        Re: 'What kinds of mobile phones would these be then?'

        SMS is typically also disabled.

      2. Unbelievable!

        Re: 'What kinds of mobile phones would these be then?'

        But surely they connect to a cellular network. I'm pleased if this is the way forward rather than mass snooping EVERY individual. But methinks that's not going to be the case.

        I think this 'success' will just empower the agencies further to do what they hecking want in terms of backdooring anything and everything they desire, alongside the sneaky entrapment methods that they eventually come clean about. Utilising a method of 10% overt, 90% covert.

        1. JetSetJim

          Re: 'What kinds of mobile phones would these be then?'

          Presumably one of three possibilities:

          a) remove mic, speaker and headphone jack, build custom ROM that doesn't have a dialler app, or "contacts" as we know it. Phone can still connect to a phone network for data purposes, and this is basically a WhatsApp-like device, with an app-specific contacts list. Relies on some form of IMS mobility via a server so that messages can be routed properly. Still needs a SIM - but PAYG is easy enough to manage for this.

          b) remove entire SoC for network connectivity, can only use Wifi for data

          c) build the device around a USB data dongle - a bit like (a), not sure which would be easier

          In (a), the device is still trackable in the network - probably useful for the police to have this info to locate the devices, and therefore the criminals

          In (b), tracking very difficult as WiFi SSID shouldn't make it into higher layer communication with network infrastructure.

          Bonus points to make the device small enough to fit in a cosy orifice for smuggling into prisons

        2. juice

          Re: 'What kinds of mobile phones would these be then?'

          > But surely they connect to a cellular network. I'm pleased if this is the way forward rather than mass snooping EVERY individual. But methinks thats not going to be the case.

          I think you might be missing the point a little here. The criminals aren't directly worried about the fact that the phone connects to a cellular network.

          They're worried about the fact that - as popularised by decades of sensationalist TV shows - that little device they're carrying around has a microphone and a video camera built into it. Which means they can potentially be used as wiretap devices by any authorities who happen to have a suitable exploit handy to install such things, and which will then let them listen to the criminal's activities 24/7.

          So they've opted for a brute-force solution: they disable the device's audio and video capabilities, preferably by physically removing them. And then they stick to text-based messages sent via encrypted channels and which are either kept in encrypted storage, or deleted after reading.

          And that vastly reduces the risk of accidental/unaware leaks.

          > I think this 'success' will just empower the agencies further to do what they hecking want in terms of backdooring anything and everything they desire, alongside the sneaky entrapment methods that they eventually come clean about. utilising a method of 10% overt, 90% covert.

          This particular "exploit" only worked because the authorities both built the hack directly into the hardware for this specific device and then managed to persuade people that it was a secure device.

          As a double-whammy physical/social engineering hack, it's superb. But it's not something they can do on an ad-hoc basis, not least because both Apple and Google are fully aware that any such backdooring mechanisms can be used for both good and evil. After all, if an exploit appeared which lets black-hat hackers remotely steal data from a phone, you can pretty much guarantee that millions of people would wake up the next day to find their bank accounts emptied.

          As such, they will continue to actively limit such things, at least until/unless the NSA comes knocking with another Clipper chip proposal and the legal backing needed to force them both to comply.

          Equally, for all their strong words, this probably isn't something the authorities are likely to be able to repeat - they've only gone public with this as they're losing their legal cover and therefore had to either "use it or lose it".

          Even if they are in the process of rolling out a repeat of this sting, I suspect the top-tiers of criminal organisations - or at least their very well-paid security consultants - will be taking a good, long and hard look at any future devices - or possibly maybe even commissioning their own customised hardware.

          1. Graham Cobb Silver badge

            Re: 'What kinds of mobile phones would these be then?'

            > or possibly maybe even commissioning their own customised hardware.

            They will probably fairly quickly end up with the same question of "which country do they want to allow to read their messages" that every country's diplomats also have. There are only a small number of organisations which can provide almost-completely secure messaging, and each one is either linked to or compromised by at least one country's spies.

            You probably have to decide whether you would prefer to link your criminal enterprise to (i.e. pay substantial bribes to) Russia, USA, Israel or China.

            1. JetSetJim

              Re: 'What kinds of mobile phones would these be then?'

              How hard would it be to roll-your-own: Ras-PI, mobile network device, small usb keyboard, small screen, box to stick it all in/on. Insert some encrypted messaging app, of which there are myriad. Insert PAYG SIM and off you go

              1. Michael Wojcik Silver badge

                Re: 'What kinds of mobile phones would these be then?'

                It's not hard, if you're so inclined and have access to the appropriate resources.

                But then it hasn't been hard to use encryption at least since PGP arrived on the scene (and arguably before that, depending on how high you set the "hard" bar); yet many, many people who ought to be using encryption (at least under their own value systems) haven't been. Most people are cheap[1] and don't want to take on even the cognitive load of figuring out how difficult it would be to encrypt their communications, not to mention the inconvenience and opportunity costs of doing so.

                [1] This is a gloss and not really a useful observation. A better one would be a behavioral-economics analysis which concludes that most human actors make an economic decision to employ only a small set of the security controls necessary to realize their (generally underdeveloped) threat models, influenced to a great extent by intangible costs such as cognitive load and miscalculation of relative threats.

                1. JetSetJim
                  Holmes

                  Re: 'What kinds of mobile phones would these be then?'

                  > Most people are cheap[1] and don't want to take on even the cognitive load of figuring out how difficult it would be to encrypt their communications,

                  Agreed, and the greedy/stupid crims leapt on the "here's a box that does what you need for minor numbers of currency per month" solution offered to them. It's just surprising that no-one's done it yet with the open-source solution - the BOM is probably ~£200, and they could probably contract an IT outfit to make it without raising eyebrows if they were really lazy.

                  Unless they're the ones that haven't been caught (yet).....

    3. Nafesy

      Re: Mobile phones that can't make calls?

      It's a secret code phrase for a tablet....

    4. Tempest
      Happy

      Re: Mobile phones that can't make calls?

      iThings after a software upgrade!

      1. The Oncoming Scorn Silver badge
        Big Brother

        Re: Mobile phones that can't make calls?

        I've seen a couple of companies here, offering cellphone plans based off of using data to virtual numbers rather than an actual cellphone plan with data.

        Wondering now if someone spun off, from marketing to just criminals to the wider populace, or a similar adoption of the concept for legitimate users.

  2. redpawn

    Pay to Crim

    Genius! So who gets the payments for the AN0M app? How many non-free cousins of AN0M for regular phones exist, and do Apple and Google get their cut of the monthly payments?

    1. W.S.Gosset Silver badge
      Thumb Up

      Re: Pay to Crim

      > Genius! So who gets the payments for the AN0M app?

      The crims, actually :D . The police were quite smart about applying the social-infection tools used by network-driven movements like social media and MLM.

      From social meeja they ran the Influencer route, and in fact directly planted only FIVE handsets in Australia (1,650 eventually purchased via network effects), all to identified Crimfluencers. (The core one, Hakan Ayik/Hakan Reis, was actually on the run offshore; still is; no idea how they got jurisdiction for that.)

      But the really genius one they took from MLM (eg, Amway). Each crimfluencer got a cut from every handset they sold and its ongoing licence fees. And then from every handset+licencestream that _those_ guys sold, who also got _their_ cut. And so on and so on, standard pyramid marketing scheme stylee.

      Nice.

      1. Press any key

        Re: Pay to Crim

        Until reading this comment I had been pondering if the agencies involved had been committing fraud or conspiring to commit fraud by taking money for something that they were deliberately misrepresenting as secure.

        1. Anonymous Coward
          Anonymous Coward

          Re: Pay to Crim

          Committed fraud in the sense they were taking money for a service about which they had lied through their teeth. But, that's what having a signed warranty allowing such activity is all about - rendering something that would ordinarily be illegal legal for a very specific and, in this case, large scale and overwhelmingly beneficial purpose. As was mentioned in the article, some of these warrants were about to expire, so they acted.

          The difference between a well adjusted democracy and a totalitarian state like China or Russia is that in the democracy a warrant is required, whereas in the totalitarian state it's taken as a given that the state can and will do this kind of thing with every comms platform all the time anyway. It's not just walls that have ears.

          1. Michael Wojcik Silver badge

            Re: Pay to Crim

            I assume you mean "signed warrant". And, yes, law enforcement engages in prima facie fraud with criminals all the time: undercover operatives, lying in interrogation, sting operations, etc. Obviously this will vary by jurisdiction but in the US, certainly, the law makes considerable latitude for this, due to a compelling state interest.

            1. Anonymous Coward
              Anonymous Coward

              Re: Pay to Crim

              Yes I did indeed mean "signed warrant". Bloody autocorrect...

              I wonder if they did give a warranty? Perhaps not, given that such a thing would be unprecedented, and therefore a warning sign.

              The thing that the US permits that most countries find objectionable is entrapment. Putting people in situations where they may feel threatened, thus pressurising them into agreeing to something they normally never would just to get out of the room alive, and then charging them with an offence is immoral. In the UK people doing that sort of sting get sent to jail for perverting the course of justice.

              Though I'm happy to point out that nothing like that has happened in this case; it's been a creative and commendable form of covert wire tapping.

        2. doublelayer Silver badge

          Re: Pay to Crim

          Yes, technically, but who cares? The investigator who agrees to supply someone with explosives to see if they're really willing to blow up people but provides inert blocks is also failing to provide the agreed goods, but fraud doesn't matter when the buyer is a criminal. When investigating a crime, the police aren't responsible for fraud.

  3. Anonymous Coward
    Anonymous Coward

    snoop-proof comms

    But who shall guard the guards?

    Nothing to Heil, nothing to Fear. Let the Heiling begin.

    1. Arctic fox
      Headmaster

      Re: snoop-proof comms

      Now let me see if I can explain this in a way adapted to your apparently limited understanding. On this occasion the cops stopped howling that they need to be allowed to back-door every messaging/media app used by world+wife+dog and cooked up their own app, persuaded the crims themselves to buy it and sell it onwards to other crims. In other words they used their brains for once instead of trying to listen in on the whole of society on the off-chance they might actually find something to prosecute. That is pretty much the opposite of anything that would justifiably provoke comments about "heiling". Top tip: Think before you post.

      1. The Oncoming Scorn Silver badge
        Coat

        Re: snoop-proof comms

        I'm reminded of the time Sky TV positioned a "high placed ex employee" with full details of the Videocrypt cards & encryption system currently in use, having recently issued new cards to the public, to a (consortium of) clone card & other pirate device producers.

        A meeting was made (Holland IIRC), the technical details & a very large bankers draft &\or cash exchanged hands or dropped into pockets (Icon).

        In the meantime, while the enterprising gentlemen were hard at work investing in exploiting the info, Sky were busy prepping the series 013 next generation cards to pop in the post, ready to start posting them once the pirates were offering their wares, leaving them with a lot of useless hardware on their shelves or in the hands of angry customers with little to no recourse of reclaiming their money.

        I knew one guy who came running to me for help after buying one of these activators (I didn't sell it to him) as he had rashly promised people left right & centre in his local pub he would support them ad infinitum.

        Also reminded of the Irish cable TV sting, when they sent out an advert to sports channel subscribers to ring in for a free t-shirt that was only viewable to those using pirate decoders.

      2. Michael Wojcik Silver badge

        Re: snoop-proof comms

        Exactly. This is good for privacy, broadly speaking, because it's highly targeted; it's transparent to users (in the sense that the devices were distributed only within criminal networks, so you wouldn't acquire one unless you were a criminal); it didn't affect legal equivalents used by non-criminals (such as Signal); and it was a practical example of a major law-enforcement success which did not require backdoors in generally-available secure-communications systems, undermining the all-too-frequent calls for such backdoors.

  4. Winkypop Silver badge
    Thumb Up

    Rozzers: 1, Ne'er-do-wells: 0

    Own goals all around too!

    1. Doctor Syntax Silver badge

      Re: Rozzers: 1, Ne'er-do-wells: 0

      One own goal was scored by whoever decided a self-back-pat was needed and blew the whole thing with a press conference.

      1. W.S.Gosset Silver badge

        Re: Rozzers: 1, Ne'er-do-wells: 0

        No. Their hand was forced by a coupla exogenous things which drew a practicality line under the whole operation, not least that some core authorising legislation had imminent sunset dates.

        The hard deadline meant mobilising & coordinating over 4,000 Aussie cops alone, for the sudden wrap-up's multitudinous simultaneous home invasions, some requiring explosives.

        2 of the crimfluencers are likely to die shortly. Because the police took the opportunity at the press conference to identify them. One by name. The other by honest job & criminal role: he's big in the horticultural industry (including appearing in trade journals); he's also the main man in the crim world for all their comms tech and security, including recommending and supplying AN0M widely.

        I suspect both will shortly have new job descriptions : "Toast".

        1. imanidiot Silver badge

          Re: Rozzers: 1, Ne'er-do-wells: 0

          Probably encouragement for the rapscallions to turn themselves in to the police for "protective" custody.

          1. The Oncoming Scorn Silver badge
            Joke

            Re: Rozzers: 1, Ne'er-do-wells: 0

            & fall up the stairs, while doing so.

        2. MacroRodent

          Re: Rozzers: 1, Ne'er-do-wells: 0

          Seems they managed to co-ordinate cops globally, a major achievement. Media here in Finland today also reported about ANOM-related busts.

  5. Potemkine! Silver badge

    Well done chaps.

    Making this info public will also inject fear into criminal networks, whose members may be more reluctant to use electronic devices. This may have a bad effect on their 'productivity'.

    > required payment of a monthly fee.

    So the criminals paid for being watched by the cops... that's almost evil ^^

    1. Anonymous Coward
      Anonymous Coward

      This sort of monitoring has been going on for years, locally in the US we see cars stopped on the interstate for failing to signal when they change lanes and drugs found in the car by the local police even though the vehicle was only passing through and had never had any local contacts.

      1. W.S.Gosset Silver badge

        Opposite happened coupla times in this operation. Eg, routine traffic stop; later messages via AN0M alerted cops to fact that that car had weapons in it; car & ppl (& weapons) seized subsequently.

    2. bazza Silver badge

      Perhaps though it may push them towards using WhatsApp, Signal, etc, where the providers are publicly dead set against giving the police any assistance whatsoever.

  6. Alan1kiwi

    Five Eyes

    NZ cops had a field day as a part of their exposure to this crim scam.

    As did Interpol, and other Euro cops.

    Imagine it as a clever exercise by the FBI, whose scam may not have been legal in the US (entrapment etc.), but Aussie information passed back to the USA would have met the threshold of international information.

    This is how 5 eyes works in the spook area.

    I love it :-)

    1. Eric Olson

      Re: Five Eyes

      It's not entrapment.

      Entrapment requires the cops to induce an otherwise law-abiding person into committing a crime.

      So, it would be like handing a random person a brick of cocaine, telling them it was cocaine, then saying, "Hey, I know a place and person to sell this to. Go here at this time," and then arresting them for possession and intent to distribute when they leave.

      They just created a product using their knowledge of in-demand specs, advertised it to some criminals, who then word-of-mouthed it to other criminals, who then used it exactly as they would have similar products.

    2. Yes Me Silver badge
      Headmaster

      Not Five Eyes

      This is nothing to do with Five Eyes. For a start, FVEY is not about intercepting criminal communications subject to a warrant, but about sharing military/diplomatic signals intelligence (as it has been since 1946). Also, it only involves five countries.

      1. The Oncoming Scorn Silver badge
        Joke

        Re: Not Five Eyes

        Is it fair to assume one of those countries was Greece with the identifier of Cyclops?

        CYCLOPS: Five across...U.S. state in the Western United States, in the Pacific Ocean..Hey Medusa how do u spell Hawaii?

        WIFE [biting lip] well..u need 2 i's.

        CYCLOPS [​puts pen down] my life is just a fucking joke to you isn't it Medusa!

  7. Jonathon Green

    So Priti, tell us again about how end-to-end encryption on services like Facebook Messenger will pose a danger to the public by making it impossible for law enforcement services to intercept communication between evil-doers and ne’er do wells….

    1. Howard Sway Silver badge

      It's also actual proof that intelligently targeted operations are much more successful than needle-in-a-haystack trawling of everybody's communications - not least because it proves that the crims aren't using bog-standard communication channels.

      1. JetSetJim

        Priti will just reply that they haven't looked in enough haystacks yet - if they look hard enough at enough stuff they're bound to find something

        1. The Oncoming Scorn Silver badge
          Joke

          Haystacks!

          They could start with Boris's hair for starters.

    2. Jamie Jones Silver badge
      Childcatcher

      She'll mutter something about how real police work costs money. Money that could be better spent on harassing immigrants.

      By the way, it's completely untrue that she has a secret trapdoor in her office that she can open to drop someone into an underground lake of hungry piranhas. That's someone else.

    3. Cav Bronze badge

      The two subjects are totally unconnected. Why do you think they are? Are the police going to be getting criminals to install fake Facebook Messenger apps? If not then the cops will not be able to intercept such messages as they were able to in this case.

  8. W.S.Gosset Silver badge

    Further notes from Aussie hard-copy:

    * FBI built the hardware and managed the final multi-country operation; Australian Federal Police thought it up, built the software, designed the social/infiltration strategy+tactics, and ran the server/decryption. Phone app's icon was of a Calculator. 11,000 handsets globally in over 20 countries, 1,650 in AU.

    * User traffic: first msgs seen on server 2018.10.31. 6mths later, 2019.04.last2weeks: 42,000 messages. 18mths later 2020.04.last2weeks: 2.67 million messages.

    * 2 "Reality" TV "stars" busted. (We used to just call them Gameshows.)

    1 Bachelorette contestant Mr Samuel Minkin (166kg cannabis (+ 7 mobile phones));

    1 Ninja Warrior contestant Ms Sopiea Kong (revolver with no serial number (filed off?), 154g of meth, fake ID incl. fake passport, fake drivers licence, & multiple fake medicare cards (+ multiple phones + A$2,030 cash)).

    ["Where's the IT angle?!" Nuttin -- it's just amusing.]

    1. W.S.Gosset Silver badge
      Go

      * Project Timeline:

      April 2018: an Aussie tech & Aussie investigator visiting US FBI counterparts debriefing/celebrating the successful takedown of Phantom Secure. Tech has idea; pitches it over beers+dinners.

      May 2018: the Tech builds Prototype on his couch at home late at night, as Proof Of Concept. Sends 96second video of it working. Laptop is on his lap, video includes his bare feet...

      > "one of the most exciting times for me was when we proved the concept that we could collect encrypted messages and decrypt them from the platform."

      > "Phone here, phone there, my laptop here. I sent a message to that phone and I could see the encrypted messages come up on the computer."

      > He videoed the moment with yet another phone, showing the messages pinging backwards and forwards between the two phones and scrolling down, unencrypted, on the laptop.

      > The Tech sent it off to his colleagues.

      > The 96-second clip, which would later be shown to the AFP top brass, inadvertently also captured The Tech's bare feet.

      > "I had to sell this to the executive -- like, this is possible, we can do this," The Tech says, defending his feet cameo on the basis "it was like 10pm at night".

      > His colleagues were thrilled with the development -- and grateful that at least he had his pants on ["trousers" for Brits].

      > "And he sent us the video and it's like, 'yeah, we like your bare feet, it's a nice touch'," Rob Nelson, head of Digital Surveillance Collection, says.

      May-Sept 2018: much pitching internally, discussions, then finally formal thumbs-up.

      3 hardcore devs from the Digital Surveillance Collection team (60ish ppl, described as the AFP's "Q Branch" whose boss says they "happily wear the terms 'geek' and 'nerd' like a badge of honour") take the Prototype, throw away the code, wash their hands, create Production-ready app+server which are real, scalable, stable/unbuggy, "secure", and also professional in appearance.

      25 Sept 2018: Go! Operation Ironside (after Viking Bjorn Ironside, chosen by The Investigator) signed off ("Major Controlled Operation" auth'n)

      31 Oct 2018: first messages...

      1. W.S.Gosset Silver badge
        Linux

        * The Man:

        > Despite his technical wizardry, The Tech is not a formally trained computer engineer.

        > "My whole law enforcement agency career [16yrs, 5 with the AFP] has been around legally accessing criminal communications. I would not call myself a tech compared to the people I work with in Digital Surveillance, but ... to the operational members of the AFP, I am a tech."

        1. Peter2 Silver badge

          Re: * The Man:

          > Despite his technical wizardry, The Tech is not a formally trained computer engineer.

          In a large IT department, I once had to go around and get what qualifications and certifications everybody had.

          If we ignore qualifications in obsolete technology, the honest answer was "practically none", by which I mean 2 qualifications in something like 70 staff, one of which was a CCNA and one person with a degree in IT. The person with the degree was (and I say this as the line manager who was allocating jobs) arguably the least productive person in the department.

          There is a crying need in the modern economy for certifying that self-taught people have particular skills at an affordable price, without doing an irrelevant training course with a several thousand pound bill.

          1. Adelio

            Re: * The Man:

            My own opinion is that certification is ONLY useful at the start of someone's career. Once they have spent a few (> 5) years in a job then the skills that they have from their past jobs are more important than certification. If you are 40 years old and have college or university degrees, these are not very useful in gauging a person's current skillset.

            1. Martin-R
              Happy

              Re: * The Man:

              Oi, I'm sure the Ada, Fortran and Pascal we covered in my degree will come in useful sometime :-) The C I taught myself for the final year project on the other hand has kept me happily employed for the last 30 something years...

              1. jake Silver badge

                Re: * The Man:

                I'm still making more money yearly just from COBOL than the average newbie graduate's entire yearly salary for more modern, popular languages.

                I've been recommending people buck whatever the current trendy fad language is and learn COBOL and Fortran since they started dropping the two in favo(u)r of C (and then Pascal) back in the '80s. Not a month goes by without a former student/mentee dropping me an email thanking me for the advice ... I know lots of Java, Ruby, Python, C++, C# etc. coders who are out of work, but the COBOL and Fortran folks are all gainfully employed.

                Personally, I still prefer coding in good old C.

              2. Anonymous Coward
                Anonymous Coward

                Re: * The Man:

                The Ada, FORTRAN, and Pascal not so much….

                The basic underlying concepts we picked up alongside them, which the Ada, FORTRAN, Pascal etc were used to illustrate, and which we built on when we taught ourselves C (or whatever) and have applied pretty much every day of the succeeding 30 years (40-something in my case) of employment much more so.

                Education isn’t (or at least shouldn’t be) about specific technologies, it’s about the fundamentals…

    2. jake Silver badge

      Re: Further notes from Aussie hard-copy:

      "(We used to just call them Gameshows.)"

      Nah. Gameshows are typically not heavily scripted and massively over-produced.

  9. Anonymous Coward
    Anonymous Coward

    Ah......backdoors again...........

    Quote: "....the idea of creating a backdoored app....."

    *

    Have I mentioned this before.....but since we all know about "backdoors" (you know....Cisco, NSA, Snowden, etc., etc.).....why are sensible people not encrypting their messaging BEFORE their messages enter ANY public channel?

    *

    Of course, it's not an absolute guarantee of privacy, but it might help just a bit. To give you an idea of what is possible, here's a sample of Blowfish encryption, relatively easy to implement in less than a thousand lines of vanilla C. Is it a thumbnail picture of my cat? Is it part of an international conspiracy? Jeremy Fleming's creatures should take a while to find out!!!

    *


    1. Anonymous Coward
      Anonymous Coward

      Re: Ah......backdoors again...........

      Thanks AC.

      *


    2. Anonymous Coward
      Anonymous Coward

      Re: Ah......backdoors again...........

      This just shifts the problem to one of key distribution.

      1. Anonymous Coward
        Anonymous Coward

        Re: Ah......backdoors again...........

        @AC

        *

        True.................but which problem do you want -- if privacy is a goal?

        *

        And then there's the problem which the snoopers are faced with......what algorithm? what key? how long will it take to read this?

    3. John Sturdy
      Joke

      Re: Ah......backdoors again...........

      From the look of that, I'm going to have to read between the lines.

    4. John Brown (no body) Silver badge

      Re: Ah......backdoors again...........

      "Have I mentioned this before.....but since we all know about "backdoors" (you know....Cisco, NSA, Snowden, etc., etc.).....why are sensible people not encrypting their messaging BEFORE their messages enter ANY public channel?"

      For exactly the same reason no one else does. Convenience and lack of knowledge/skills. Crims, like the rest of the Joe Average world, are not techies. They just want it to work and will trust the higher ups/suppliers to have made it easy to use and secure. They make assumptions because they don't have the tech knowledge to know what questions to ask. They assume their criminal techs have done their jobs properly and rely on the fact nothing untoward seems to have happened to other users, therefore it must be safe to use.

    5. jake Silver badge

      Re: Ah......backdoors again...........

      Still talking to yourself, I see.

  10. Criminny Rickets

    I am wondering if Australia jumped the gun on this disclosure, by announcing this before the FBI and Interpol were ready.

    1. stiine Silver badge

      I hope so because that would be funny.

      1. Lucy in the Sky (with Diamonds)

        Tank of sharks with friggin’ lasers

        This is a wonderful endorsement of open sourcing. When I start my world conquering criminal enterprise, I will insist on seeing the source code to the communication software, and have it verified by independent experts to make sure there are no back doors.

        And there will be a tank of sharks with friggin’ lasers, just to put the vendors at ease while we wait for the results.

        Yes, I said friggin’ lasers…

        1. jake Silver badge

          Re: Tank of sharks with friggin’ lasers

          "I will insist on seeing the source code to the communication software"

          Have you read ken's old ACM talk "Reflections on Trusting Trust"?

    2. Anonymous Coward
      Anonymous Coward

      From what I read

      They were forced to disclose as there was a likelihood of some people being contract killed.

    3. Manolo
      Holmes

      If you had actually *read* the article:

      "However, some of those authorities were set to expire. That, and an operational decision to end the operation due to the opportunity to act on intelligence gathered using AN0M, led to today’s disclosures."

      1. Anonymous Coward
        Anonymous Coward

        RE: "If you had actually *read* the article"

        There have been many articles about this today....

        1. Manolo

          Re: RE: "If you had actually *read* the article"

          So? There's only one where I saw and replied to this question, innit?

          Completely moot point.

  11. W.S.Gosset Silver badge
    Happy

    * the Customer Support

    I forgot above one of the best bits:

    The police improved market penetration by swift Agile responsiveness to their customers' needs.

    They noticed in the monitored traffic that people were saying they wanted smaller, newer phones. So they immediately built & supplied smaller, newer phones. They then observed from messages that their customers were very pleased, and this then turned into improved referrals and sales.

    Beats the crap out of any IT company/startup! *Genuine* customer responsiveness and speed!

    The AFP and FBI should set up a commercial Computer arm. They'll drive Microsoft, Apple, Facebook, etc out of business in no time. Those companies are already surveilling us just as hard anyway -- might as well be honest about it AND provide outstanding products and service! :D

    1. Claptrap314 Silver badge

      Re: * the Customer Support

      On the one hand, you have government officials demonstrating care & concern for customer experience. On the other, you have the world's most wealthy companies demonstrating...

      Yeah, kind of mind blowing. The one time that the lack of market discipline (in this case, the cost of doing business) works to create great customer service, and who gets it? Violent criminals.

      I think Scott Adams just had his scripts written for the rest of his natural life...

  12. Shak

    Didn't realise WhatsApp started whiteboxing

    I suspect this will lead to a layman argument suggesting how backdoors do actually work.

    1. The Oncoming Scorn Silver badge
      Childcatcher

      Re: Didn't realise WhatsApp started whiteboxing

      I think they got it in War Games, then promptly forgot about it as it was only a movie.

  13. Danny 2

    One bad Apple

    iOS15 has a 'private relay' feature that strips out IP addresses from web browsing. Whether it is secure or not it'll be a popular feature. Except in China, Belarus, Colombia, Kazakhstan, Turkmenistan, Saudi Arabia, South Africa, Egypt, Uganda and the Philippines. Exactly the nations where activists require most protection from state surveillance.

    US tech companies doing Beijing's bidding in exchange for market share is at least as big a risk as using Chinese tech domestically.

  14. Anonymous Coward
    Anonymous Coward

    Results:

    "500 warrants executed, 200-plus arrests, the seizure of AU$45m and 3.7 tonnes of drugs, and the prevention of a credible threat to murder a family of five"

    A massive dent of maybe 0.5 to 1% of the illicit drug market in Australia.

    "Over 4,000 AFP officers were involved in raids overnight, Australian time."

    Anyone got any idea what % of the annual policing budget got spent over the course of the operation?

    1. DevOpsTimothyC
      Holmes

      Re: Results:

      Anyone got any idea what % of the annual policing budget got spent over the course of the operation?

      The article suggested that the crims had to buy the handset and then subscribe to the service. There's every chance it was self funded or even turned a profit. If it didn't then someone needs to hang their head in shame.

      If they sold these in the US I'd be surprised if some of the crims don't sue the cops for breach of contract. They sold a secure system that wasn't after all.

      1. John H Woods Silver badge

        Re: Results:

        I don't think there's "every chance" it was self funding, let alone turned a profit. Remember, you've only just started the spend with the arrests.

        The war on drugs is hideously stupid and counterproductive. These big flashy busts always turn out to have near zero impact on the supply --- example) It's a great tech story, and awesome cyber security work, but the global annual trade in illicit drugs is well into 12 digits USD and the "war" is just making criminals richer and more violent. Not the same criminals, perhaps, but to ordinary law-abiding folk the effect is the same (or temporarily worse as the inevitable turf war breaks out).

        In the UK the police have effectively recruited loads of children into drugs gangs ... dealers have got so used to undercover cops infiltrating their networks that they now have a deliberate policy of using minors, the only people who can't be cops.

        In short, 50 years after their stupid moral panic about alcohol elevated Cosa Nostra to a global organized crime power, the USA started an entirely new moral panic over drugs, repeating exactly the same mistake, and this time spreading their apparently inadvertent sponsorship of international crime all over the world. And 50 years after that, a century after prohibition, just how well is this strategy working?

        How much longer are we going to give it?

    2. W.S.Gosset Silver badge

      Re: Results:

      > Anyone got any idea what % of the annual policing budget got spent over the course of the operation?

      3 people for 2.5yrs. 1 small server (presumably VM on existing kit/capacity).

      Plus the very brief involvements of ordinary police when executing arrests. All of which, using IT industry (sales) language, were "pre-qualified" as guaranteed certainties.

      So, percentage-wise, approximately half-past fuck-all.

      1. John H Woods Silver badge

        re: "percentage-wise half-past fuck-all"

        At under 10 man years of Australian law enforcement effort I reckon you and your upvoters must belong to the 'how hard can it be?' school of IT sales and project management :-D Intelligence gathering isn't done by some little algorithm on your "VM server" you know, spitting out a list of "go get these guys and lock them up, job done"

        Also, if the arrests involved only 'very brief involvement of ordinary police' they haven't nicked anyone remotely senior/dangerous in the entire operation. And even police work doesn't stop with the arrest, let alone the rest of the cost to the justice system, where the work only just starts up on arrest.

        You don't need to have worked in or with the police or other investigative bodies to see that your thumb-in-the-air estimate is nonsense - you don't even need to have watched Line of Duty or the Wire --- you just need to be comfortable with back-of-the-envelope estimation work.

        Indulge me whilst I explain why this annoys me: I am a great believer in back-of-the-envelope calculation - but it has to have reasonable inputs and not be a thoughtless hand-wave to shut someone down.

        I clearly remember some of the scorn from those to whom I used to report when I told them (a) the paperwork they were proposing to scan was about 5,000 tonnes and (b) no it could not be stored in an unused second floor office space.

        One of the twats seriously asked me whether I "thought I was some sort of building expert" when I told him there was no way a second floor office would take 10kPa loading --- laughing with his public-school 'educated' friends "John's got carried away because his job description says architect!"

        Yes, I do know that systems and enterprise architect is no sort of architect - and I hate the term for that reason - but I do know how to: (a) make sensible estimates; (b) multiply numbers together; and (c) the value of the 'engineering eye' to oversee the whole process and judge whether it's reasonable.

        OP might well be wrong in the implication that a 1% dent in the AUS drug market wasn't worth it because it cost at least 1% in the law enforcement budget. But I suspect they are wrong because it isn't nearly a 1% dent in the drug market. Yes it's 1% of the product. But drugs are cheap. That 1% will be easily made up by (a) importing or manufacturing more drugs and (b) by dealers increasing their prices (which, guess what, makes users commit more crime to pay for it).

        TL;DR: what is approximately "percentage-wise half-past fuck-all" in this situation is what the bust has achieved in the "War on Drugs" (even in AUS, let alone globally) and it has been achieved at a cost of somewhat more than that amount.

  15. iron Silver badge

    So how is this not entrapment?

    1. gnasher729 Silver badge

      "So how is this not entrapment?" The police didn't suggest to anyone that they should commit crimes.

    2. Eric Olson

      In the US at least, entrapment is when cops/government induce an otherwise law-abiding individual to commit a crime, and not just by leaving a brick of drugs sitting on the ground, waiting for them to pick it up.

      The phone itself is not illegal, and intent is important when determining culpability (usually).

      1. DevOpsTimothyC

        However the makers of mod chips have been successfully sued by the likes of Nintendo as the primary purpose of the mod chips is to bypass copyright.

        I wouldn't be surprised if a good lawyer cited that as the primary purpose of these devices seems to be to evade law enforcement .

  16. Pen-y-gors

    Legality?

    Not a problem.

    Just put a note on page 37 of the EULA saying that messages may be read by law-enforcement agencies worldwide, and you're clear. No-one ever reads those things anyway.

  17. Mnot Paranoid

    Like Liam Gallagher says...

    You only get to do it once.

    1. gnasher729 Silver badge

      Re: Like Liam Gallagher says...

      You get to do it again once all the criminals have forgotten about it.

      And an important thing is that if criminals fear that their "encrypted" data can be read by the police (there have been two completely cracked "real" applications and now this trojan), and that makes them hesitant to use encryption apps, that slows the criminals down, which is also a good thing.

      On the other hand, when I hear politicians calling that end-to-end encryption should be removed: For law enforcement purposes, I really hope that they play a game where they give Facebook, Apple etc. a bit of hell but not too much, while at the same time working with them to actually get that "end to end encrypted" data.

      On the other hand: Priti, I have nothing to hide, but my data is none of your f***ing business, and I don't trust you further than I could throw you and your whole family.

    2. Graham Cobb Silver badge

      Re: Like Liam Gallagher says...

      No. Like any organisation, criminals have to communicate. Yes, until now they assumed secure messaging apps were "magic" and they have now learnt, the hard way, that that isn't the case. But they will still need to communicate and will still use apps, some of which will be backdoored.

      The smarter crims will try to tradeoff the risks: each app has risks that it is a police snitch, but then so do people in the organisation, people they need to interact with, face-to-face interactions, etc. They may keep some more information to themselves, but that will make them less efficient and maybe less able to see law enforcement activity (in other gangs, etc).

      I am not an organisation design person but I imagine the smartest gangs might adopt a more cellular structure, with more delegation and less detailed monitoring (and hence less operational information being passed around).

      And some may try to use codewords more (but I am guessing that won't help unless they change them fairly frequently and I can imagine a future crim sitcom playing up the problem the heavies are having trying to remember whether "bloomers" is the code word for "drugs" or "murder" in even-numbered months).

    3. DS999 Silver badge

      No that's 100% untrue

      You get to do it an unlimited number of times.

      It isn't like there is a place crooks can go for chat apps / devices they know 100% for sure aren't bugged, so nothing stops this being done again. In fact, nothing prevents this being only the first of a dozen such bugged apps created by the FBI that are still in use. We don't know, and more importantly the crooks using other solutions don't know.

      This being announced was quite deliberate, to create paranoia in the crooks. They could have said "we successfully hacked into this app's servers" or "we arrested one of the principals behind it and he cooperated in exchange for a lighter sentence" or "we were able to use a software weakness to decrypt the traffic".

      They very deliberately said "this was written by the FBI and backdoored from day one" when they were under no obligation to admit that. They want criminals to know, so they can't trust anything will keep them secure. They want criminals to be paranoid, to not trust each other, to worry that everything they say or fellow criminals say that might incriminate them is being monitored.

    4. The Oncoming Scorn Silver badge
      Holmes

      Re: Like Liam Gallagher says...

      Ex boss did it twice, that's how he got caught.

  18. Binraider Silver badge

    How does one not know that Tor or other "anonymising" tools aren't cleverly planted tools on the part of the agencies to facilitate either their own exfiltration of data, the gathering of human or signals intelligence, or even to direct action.

    Of course they use the dark web. They may have been involved in the creation of it.

    There's a saying, where there's smoke, there's fire. Stay out if you don't want to get burned.

    The only truly secure system remains the one time pad. And that still depends on absolute trust in the distribution of the key. All other security measures are merely inconveniences for the truly determined. (And might in fact be used to catch you out, if you are up to no good).

    Cue usual questions about who watches the watchmen.
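The point raised in comment 9 (encrypt on the endpoint before the message enters any channel, which then shifts the problem to key distribution) and the one-time pad remark above, as an added example that is not part of this thread: a constructed relay that keeps a copy of every payload sees only ciphertext, and reusing the pad shows why each key must be delivered fresh. The class and function names, and the sample messages, are constructed for this illustration.

```python
"""Added example (not from the thread): endpoint encryption versus a
transport that records everything, plus the key-distribution caveat."""
import os
from typing import List, Tuple


class LoggingRelay:
    """Stand-in for a messaging service that retains all traffic
    (constructed; not a model of any real app's internals)."""

    def __init__(self) -> None:
        self.captured: List[bytes] = []

    def send(self, payload: bytes) -> bytes:
        self.captured.append(payload)  # the operator sees exactly this
        return payload                 # and forwards it unchanged


def otp_xor(data: bytes, key: bytes) -> bytes:
    """One-time pad: XOR with a key at least as long as the data.
    Encryption and decryption are the same operation."""
    if len(key) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(b ^ k for b, k in zip(data, key))


def send_pre_encrypted(relay: LoggingRelay, plaintext: bytes, key: bytes) -> bytes:
    """Encrypt on the endpoint *before* the bytes touch the channel."""
    return relay.send(otp_xor(plaintext, key))


def relay_can_read(relay: LoggingRelay, plaintext: bytes) -> bool:
    """Does any captured payload equal the plaintext? (transport-only view)"""
    return any(c == plaintext for c in relay.captured)


def key_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Why the pad must be fresh per message (the key-distribution burden):
    with one key, c1 XOR c2 == p1 XOR p2; the key cancels out and an
    observer learns the relationship between the two plaintexts."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def demo() -> Tuple[bool, bool, bool]:
    """Returns (relay saw plaintext, roundtrip ok, pad reuse leaks)."""
    relay = LoggingRelay()
    msg1 = b"meet at the usual place at nine"    # constructed sample
    msg2 = b"bring the paperwork, not the car"   # constructed sample
    key = os.urandom(max(len(msg1), len(msg2)))  # pre-shared out of band

    c1 = send_pre_encrypted(relay, msg1, key)
    relay_sees_plaintext = relay_can_read(relay, msg1)  # only ciphertext
    roundtrip_ok = otp_xor(c1, key) == msg1             # endpoint decrypts

    # Failure mode: the same pad used for a second message. The observer
    # needs no key at all to compute p1 XOR p2 from the two captures.
    c2 = send_pre_encrypted(relay, msg2, key)
    n = min(len(msg1), len(msg2))
    leak = key_reuse_leak(c1[:n], c2[:n])
    reuse_leaks = leak == bytes(a ^ b for a, b in zip(msg1[:n], msg2[:n]))
    return relay_sees_plaintext, roundtrip_ok, reuse_leaks


if __name__ == "__main__":
    print(demo())  # (False, True, True)
```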

  19. Anonymous Coward
    Anonymous Coward

    Assuming the cell phone is a secure device

    was their most glaring failure. They got what they deserved because they trusted their cell phone and this should be a stark warning for all of us, criminals or decent law abiding citizens.

    1. DS999 Silver badge

      Re: Assuming the cell phone is a secure device

      What is a "secure device"? Please point to one that should be trusted.

      There is no 100% secure way to communicate, even if you only trust in person communication that leaves you vulnerable to being followed, having listening devices planted where you meet etc.

      1. DevOpsTimothyC

        Re: Assuming the cell phone is a secure device

        I'd consider a pencil and paper locked in a safe on the Titanic to be quite secure.

        I might go as far as a chalk board in part of the Mormon Church Vault, so long as the entry door was beside the chalkboard (not opposite)

        1. DS999 Silver badge

          Re: Assuming the cell phone is a secure device

          Bit hard for a criminal to use either of those as a method of communication, unless they want to communicate with an octopus or whatever the Mormon pope is called.

        2. The Oncoming Scorn Silver badge
          Pint

          Re: Assuming the cell phone is a secure device

          While the police are raiding those church vaults, can they check for more missing Doctor Who episodes at the same time?

          https://broadwcast.org/index.php/Mormon_Mystery

  20. Miss Config
    Thumb Up

    Plea In Mitigation

    The app, called AN0M, was seeded into the organised crime community.

    What kind of sentence reduction will these guys get on account of being so friendly as to be able to form a community among themselves?

  21. Boris the Cockroach Silver badge
    Devil

    HA HA

    The title sums this up.
