New Info About Encrypted Messaging Service Bust Shows Signal Protocol Is Still Secure, Law Enforcement Can Still Bypass Encryption
from the good-news-for-everyone,-bad-news-for-careless-criminals dept
Last month, the DOJ announced it had secured indictments against an encrypted device maker, claiming the company had violated all sorts of laws by selling its devices to criminals. This closely mirrored the DOJ’s earlier prosecution of Phantom Secure, another encrypted device maker it accused of aiding and abetting criminal enterprises.
Sky Global was the most recent target. Both prosecutions seem a bit performative though. The FBI — which participated in both investigations — has been making the case for years that encryption benefits criminals far more than it benefits non-criminals. The FBI isn’t much for subtlety. It doesn’t hint that it believes secure communications are something only criminals need. It comes right out and says that in Congressional testimony and any place that allows its directors to speak.
But devices with more secure options aren’t just the playthings of criminals. The desire for more secure communications dates back to the days of burner phones. Sure, criminals loved burners. But so did journalists and their sources, as well as dissidents, government critics, and anyone who desired to keep their communications free of malicious interference and interception.
Encryption is the target. The FBI has made this clear. Anyone paying attention can see this. The ongoing prosecution of Sky Global — a company offering encrypted devices and an encrypted messaging service it rolled itself — has inadvertently exposed how little encryption actually matters when it comes to criminal investigations.
Sky Global’s takedown involved a phishing attack that resulted in compromised devices and exposed communications. The takedown of EncroChat — another network/service provider accused of hooking up criminals with encrypted devices/communications — made encryption seem like no big deal.
The investigation — which spanned several countries — culminated in more than 1,000 arrests. The communications platform utilized the Signal protocol, which is freely available to be utilized by anyone with a desire for more secure communications. At the time the arrests took place, officials made it clear Signal’s protocol had not been compromised. From Joseph Cox’s report on EncroChat’s takedown:
“EncroChat encrypt their messages with the Signal Protocol. This is a commonly used encryption protocol that is freely available. I am unaware of any capability to decrypt messages encrypted using the Signal protocol,” the document, written by a technical employee from the UK’s National Crime Agency (NCA), reads.
This may read like a defeat. But it isn’t. Encryption may seem impenetrable if you only approach the front door. There are other ways to get in. EncroChat ran parallel systems on the phones it sold — one that allowed users to wipe info when they input a PIN and one that looked like stock Android. But the system went down anyway.
Last year, authorities managed to push a malicious update from Encrochat’s server down to individual Encrochat devices, according to other law enforcement documents obtained by Motherboard. The malware could harvest the phone’s GPS location, stored messages, passwords, and more information, Motherboard previously reported. In the wake of that large scale hacking operation, French police shared the collected data with multiple international law enforcement agencies, including the NCA as well as Dutch authorities.
We know what this tells us: encryption isn’t insurmountable, no matter how well-crafted it is. The Signal protocol is still considered impenetrable. And yet, thousands of devices were compromised, leading to a wave of arrests and indictments. Phones are hackable. This remains true, no matter what encryption protocol is deployed. Compromise is only a click away, and less than that if law enforcement can seize the servers that phones and/or apps rely on.
“Going dark” isn’t what the dishonest FBI pretends it is. Things may be more difficult, but the situation is far from hopeless. Law enforcement still has plenty of options. Just because it can’t fully unlock a phone with nothing more than the swipe of a thumb doesn’t mean encryption — and criminals — have won the tech race.