Belgian police seize 28 tons of cocaine after 'cracking' Sky ECC's chat app encryption The Belgian plod says it seized 27.64 tons of cocaine worth €1.4bn (£1.2bn, $1.65bn) from shipments into Antwerp in the past six weeks after defeating the encryption in the Sky ECC chat app to read drug smugglers' messages. "During a judicial investigation into a potential service criminal organization suspected of knowingly …
So you CAN put back doors into encrypted software. So what our Pritti Home Secretary said is correct and our security services CAN have their data.
... Wait a cotton-picking minute there. I thought the mathematics says its not possible. Two very large primes are all that's needed, and there's no other way in. So presumably either the messages were not encrypted, or the platform got hacked and someone installed a keylogger. Hmm, now which of these is the more likely...?
Or somebody was arrested and on the receiving end of a lot of charges. They decided to open their device so their messages could be read and replied to by the plod in return for less charges. The encryption could have been shit or for Police Specialists you can read another unnamed agency.
Potential source is, as another post states, someone in a lot of chats/group messages got caught and made a deal. No breach of encryption necessary as you have a device able to see all those messages.
There's always the possibility of a flaw in the implementation - crypto is hard.
If they have access to an unlocked device then all bets are off.
It's very unlikely to have been a straight crack of encrypted data in-flight. If they managed to do that they would certainly not announce the fact.
Much more likely to be trojaned software (like Encrochat), keylogger or traditional human intelligence, followed by a nice big announcement to scare the shit out of the remaining users and drive them to (potentially less secure) communication methods.
You're assuming the crypto was correctly implemented. Doing it right isn't just a matter of picking an algo with a long key length and then weaving some code around it, and I suspect it;s there where the problem was.
I actually caught the interview about this on TV, and if I'm right, the person interviewed accidentally revealed they were (and are) listening in in real time. To me, that suggests a cracked algorithm instead of just a single subverted phone, and I think the people who were selling this may not sleep all that well right now.
As I said before, pissing off a customer base that is mainly composed of criminals strikes me as a good way to add a lot of excitement and possible life shortening events to your existence :).
The mention of "exchanging text messages" in the article implies short payloads and that may have made it easier for them to crack the encryption too. I'm pretty sure that short payloads are significantly easier to crack if you know the encryption and there's often "padding" put into short messages in real encryption to make it harder to crack.
So, yeah, poorly implemented crypto is a likely method of interception. I wonder how much they may have to reveal in the subsequent court cases on their methods?
I'm pretty sure that short payloads are significantly easier to crack if you know the encryption
Only for certain broken protocols, and in the trivial sense that very short messages only have a small number of possible corresponding plaintexts. (If you intercept a single-bit message, you know the original plaintext was one of two bits, and the actual message was one of two possibilities.)
In fact large amounts of ciphertext are generally more problematic, though for modern algorithms and protocols, it's not an issue for most use cases.
and there's often "padding" put into short messages in real encryption to make it harder to crack.
Not really. A number of cryptographic algorithms and protocols make use of padding, but the technical reasons for that are more complex than just "it's too short". And as a practical matter, padding is more often a source of vulnerabilities, such as padding oracles.
The mathematics doesn't say its not possible. Decades of trying to factor (or whatever) quickly and failing says maybe it's not possible. Decades of trying to prove it's not possible and failing says it still might be.
I wish people understood this subtlety better now our entire digital world, global financial system and several whole currencies all rely on modern crypto.
"So presumably either the messages were not encrypted, or the platform got hacked and someone installed a keylogger."
Or the service mediated the key exchange and kept copies or was being monitored.. End to end encryption is fine so long as nobody else knows the keys.
The maths say that you can break it with enough power and time. Moreover of course there are likely to be implementation flaws. I wonder as well about the keys, how do we really know whether these are shared, after all they may be on your security chip but that is actually zero guarantee given how few people can really check the chips innermost workings. I smell some complicity here, lull the criminals into falso security to build up.enouhh evidence, or use strong arm threats to get cooperation from a supplier. We managed to hide bletchley park from the jerries all through ww2 i have little doubt what NSA and gchq have known for sometime how to break all common cipher algos
The maths say that you can break it with enough power and time.
A meaningless statement, in practice.
First, of course, "it" hasn't been defined. RSA? ADH? ECC? Some other key agreement protocol? AES? Some other symmetric cipher? Or is this just hand-waving?
Second, once you assume unbounded resources, the question is no longer interesting. If you have a decision procedure for determining what the correct plaintext is, you can just try every possible key, or even every possible plaintext, "with enough power and time".
Third, it's quite easy to scale cryptographic algorithms up to the point where there aren't enough resources in the visible universe to brute-force them using a conventional computer. It's quite easy to do that for symmetric algorithms and hashing even with general quantum computing. It's a bit harder to do that for asymmetric crypto (key agreement and signatures), but we have candidates with strong evidence for being secure under GQC.
It's vanishingly unlikely that any correctly-implemented, well-studied, modern cryptography was broken in this case. Any of the mooted alternatives -- bad implementation, false implementation (the "it was a trap" theory), insider compromise -- are all much, much more probable.
Years ago, Bruce Schneier famously claimed that cryptography was good enough, and that "if you think your problem is cryptography, you don't understand cryptography and you don't understand your problem". Since then there have been successful attacks on widely-deployed cryptographic algorithms (MD5, SHA1, RC4) and protocols (all SSL/TLS versions prior to TLSv1.2, pretty much anything using CBC and not making a special effort to mitigate padding oracles, etc.). And we have the perennial worry that maybe someone will get feasible large-scale GQC working and so we need post-quantum asymmetric cryptography. But Schneier's basic point was right: implementations and people are the big threats to communication and data security, not the underlying cryptography.
I would be very surprised if this did not happen. It is an obvious tactic and the cops are not that stupid.
I was wondering what they do with 28 tons of cocaine ? It is not a small bag that can be tossed into a bin and forgotten about. Burning it would have interesting effects on anyone down wind of the incinerator.
It is an obvious tactic and the cops are not that stupid.
They are in the US. For decades now police departments specifically discriminate against the intelligent claiming intelligent people don't want to stay cops, but instead move on the become lawyers and the like. As a result, the average cop IQ in the US is only 104. It's probably a factor in why the US has such a large problem with cops shooting people when it's not justified. For perspective, the average IQ of enlisted soldiers in the US armed forces is 109, and officers in the US armed forces is in the low 120's.
https://abcnews.go.com/m/story?id=95836
The difference in training between countries is a bit pronounced as well.
UK: Join and commence a 3 month training programme, which qualifies the holder to use handcuffs, and a truncheon for the 3 years worth of on the job training and mentorship. So 3 years and 3 months on from joining you've qualified to work on your own. Two years after this is completed (with a satisfactory service history) then you could apply to become one of a few thousand armed police officers nationwide, and if you could pass dozens of stringent courses with a very low pass rate designed to weed out undesirables and individuals without a high enough level of competence then you might eventually be allowed to carry a firearm. If you use it at all expect to be grilled mercilessly and if it transpires to be an inappropriate use of force then you'll be charged with murder.
Random US Town: join and get given a police badge, handcuffs and a pistol and shotgun for your police car on the first day. And um, want an assault rifle or a minigun mounted on a humvee or anti tank mine proof assault vehicle? Available through our military disposals program for your town if you ask nicely at a huge discount! And try not to kill too many people; it causes bad PR and we might fire you.
There is a difference between IQ and being wise. Wisdom includes social morals and sociability. There are plenty of high IQ people who are sociopaths. In the 90's the term EQ (Emotional Quotient) became popular. EQ itself became a monetized fad, but the original idea is correct.
There's a shaggy dog story I was told about that. One of the South American countries had found a stash of marching powder in a rural area. They were worried about a cartel trying to get it back. So they decided to incinerate it quickly at a disused, local but out of the way industrial facility. Something went wrong and loads of it went unburned, up the chimney to be carried by the winds elsewhere.
Also this happened to the BBC journalist Quentin Sommerville at a drugs incineration.
"I would be very surprised if this did not happen."
The way that Apple continuously go on about how they are committed to user's privacy etc often makes me wonder if they are a TLA front organisation!
N.b. there is evidence of this sort of thing in the past - when Mint launched their "global SIM card" there was significant amount of oppostion from the US authorities as this allowed bad-agents to have mobile phone accounts that they "couldn't track" which clearly registered with some targets as a couple of years later a US General in Afghanistan, showing a lack of judgment, boasted that they were having great succcess against the Taliban as "they all use Mint phones ... as soon as we see one connect to a cell tower we send in a drone to take them out" - result was Taliban immediately stopped using all mobiles and relied on commuinicating by passing messages personn-to-person only.
Apple do try to control one particular aspect with respect to iPhones
"Apple does not 'let bad guys use iPhones on screen'
https://www.theguardian.com/technology/2020/feb/26/apple-does-not-let-bad-guys-use-iphones-on-screen
One does have to wonder whether such thinking extends to threaten the state and the fate of the dollar, which has for decades at least, and is still blatantly used as the default prime medium for the purchase and trafficking of drugs.
no, but it's a drop in the ocean of what's actually coming in and is essentially letting the authorities have some cheap publicity for something with a very cheap actual wholesale value (essentially thousands, and trivially replacable. the gangs are far more concerned about losing cash, not products)
this is why the war on drugs was won long ago by the people with the drugs
This post has been deleted by its author
Didn't the previous encrypted phone network get busted because the cops hacked the software update servers and introduced a backdoor'ed update the handsets then downloaded.
You know, like SolarWinds...
I guess its just another SupplyChainAttack(tm)
One way or another, it almost certainly didn't involve decrypting the messages in flight. One end or the other was compromised and made to dump the messages in clear.
Apparently, until the general availability of desktop computers the CIA in collab with some other secret service or (wish I'd book marked the Register story) ran a security business with a machine that companies and governments could buy via an outlet in Germany.
Of course none that purchased this device knew it was actually owned by the CIA who now knew all their deepest vilest secrets plots and plans.
Problem with getting old, I forget to use Bookmarks, obvious incipient dementia, HELP
Didn't the previous encrypted phone network get busted because the cops hacked the software update servers
Not even. They got a mole hired by the vendor, according to reports.
Good ol' HUMINT-style sabotage. People have been saying for decades that intelligence and police agencies should stop fetishizing technological solutions and continue to use older, less-glamorous techniques where appropriate. The EncroChat takedown is a fine example.
Well, unless all of the stories I've read are incorrect, encrochat was taken down by compromised update version getting pushed to about fifty percent of the handsets. They claim they did that with an attack on the update servers...
I guess an infiltrator could have made the changes to the server, but the articles I've read suggest it was done with a remote technical breach.
We'll probably never know the entire truth.
I'm obviously way out of date on my drug slang as back in the day blow as a slang term meant (in the UK) cannabis. *
Has the US blow = coke taken over everywhere now, or is it just a matter of a US writer authoring this article?
* No surprise given my age as its many years since I had los of friends who did drugs (AFAIK, who knows maybe plenty of my friends do decades later but I'm just unaware of it!)
That's a huge amount of recreational drugs for a population of x million people.
busted today, not even like that is the total.
At some point someone is going to do the math and realise that a large percentage of people in Belgium don't consider doing lines of coke to be immoral even if it is illegal. These people are being criminalised despite a dominant ideology of the population.
recreational drugs are fun, by definition.
anon because its illegal to think this way, not because its bad.
A large part of the population may well think "what's the harm".
At least the same percentage of the population would probably also react badly if somebody on drugs then stabs a member of their family while totally out of it, or ploughs a family down while driving under the influence.
I'm not particularly against the idea of allowing drugs to be sold legally, however as a quid pro quid I would expect a life sentence (and by that I do actually mean life) for people who make the choice to take drugs and then kill whilst under their influence.
Imagine if there was a simple drug molecule that could be made at home and was widely available in Belgium and caused people to stab a member of their family and led to car crashes - I'm sure the Belgian authorities would crack down on it.
In comparison i think coke mostly causes bad ad campaigns
In the late 80's US urban areas were filled with crack smokers and cocaine injecters. Horrifying. It did result in a lot of crime and wasted away women selling their bodies on the street for the next hit. Crack + AIDS = Fast Death. Crack gives 30 minutes of pleasure followed by desperation for the next hit. Like the mouse hitting the pleasure bar repeatedly until it dies. A lot of people also got burned faces while trying to smoke the crack because it can easily explode.
Nowadays it is the speed freaks - c.f. buzznicked, faces-of-meth. Better value for money?
Antwerp... Second busiest port in Europe, where goods from all over the world are received to be distributed in all of the continent.
But nope, that is not the case here. If the blow was found in Belgium then it is for local use only: Belgians consume coke by the kilo...
"That's a huge amount of recreational drugs for a population of x million people"
Never ever consider Coke as being a recreational drug, it's not, treat it as a serious Class A drug, it was given that classification for a reason.
It bites far worse than it barks... it's a subtle bastard that will creep up on you very slowly but steadily.
The encryption isn't the problem.
Distributing keys to groups of people, being able to message groups of people when you don't know if one of them is a police, getting apps that do this and can run on your phone, trusting that the app is written by the police - these are trickier
I think Moxie whatever his name is went into the details in an interview as to what your typical issues are, much as you've indicated, and that the encryption of the message isn't really one of them. They are most likely using an open source (probably audited) library, however they've likely f*cked up the tougher parts of the implementation.
Quote: "....police specialists managed to crack the encrypted messages from Sky ECC...."
*
So some bad actors relied on "end-to-end encryption" provided by a service provider. We hear about this a lot (Whatsapp, Proton Mail, Telegram.......).
*
But the backdoors are secret (for obvious reasons). How long does it take for EVERYONE to realise that relying on SOMEONE ELSE'S ENCRYPTION might be a poor idea?
*
The snoops reading El Reg are welcome to have a go at this secret message on this subject!
*
8DGX6JAngreFSB4Xq5kLsza945SZ0f4vKpqf236z
mZm3G9eR0zGz0nIFgputmJIzg10vuJMbalk90BkD
KlE9eDC7gJIhWfcnCziFSheNIlUlk3YVQfapMFCV
qni9gnIRkXEjIHKPSz2RWVq1g3GDqb0FY3Ap0bS9
sbYZUvQFOD2d4Bm50rsTIfCvevwrM3E9CVALWZkB
ADihy36XKDIzklidC1MleNWDOFYb2d0jk7QhuXQ9
WrG1qpe5ErO32bUrUjkFUXwNitKbqtU56XeB21iv
mVwRKFuTU9o7sTspMtkNqJCVS5on6NUpsdc16XIn
YJqx8hyJW521IJqXQZc3ObAPSfIdC98faDyNydUt
ClGl6NO3uJapGV8JYTYP0JU5SpWfE3K9mz4TAXmz
s7E9sXSFC1MJCf8Jo5Q5UNSRszEpqZCdQ9CbMLGn
iJw1yNcpq5mHsNYNcNADE38xsd0HwfOhyRoboxUZ
O1mXc3sLOhCl0FodU5gtWZsfYtEVWZ6diVSRkR0Z
Q3GpGTEBaFiDgF4lkX8PQteDGlGjOVkZc1SLML4j
WbkJY92TgzIbeF4leLKNI3qtyP2DCPul8Jy1AZI3
iTMv
*
"How long does it take for EVERYONE to realise that relying on SOMEONE ELSE'S ENCRYPTION might be a poor idea?"
Do you suggest that each person create their own encryption, and don't use anyone else's encryption? How will those clevers communicate?
Don't you hate it when someone answers your question with a question?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
