FBI, Australian Police Ran A Backdoored Encrypted Chat Service For Three Years

from the we've-got-a-server-on-the-inside-[wink] dept

Recently unsealed documents have revealed the FBI and the Australian Federal Police ran a backdoored encrypted communications service for more than three years, resulting in dozens of arrests and several large drug busts. Here's a brief summary via Joseph Cox for Motherboard.

For years the FBI has secretly run an encrypted communications app used by organized crime in order to surreptitiously collect its users' messages and monitor criminals' activity on a massive scale, according to a newly unsealed court document. In all, the elaborate operation netted more than 20 million messages from over 11,800 devices used by suspected criminals.

This honeypot/chat app went into development after law enforcement's 2018 takedown of Phantom Secure, an earlier encrypted phone provider. (Sky Global, another provider the FBI's source had distributed, was not indicted until March 2021, by which point ANoM had been running for years.) According to the unsealed warrant [PDF], which targeted a suspect's Gmail account, the backdoored communications offering was the direct result of the indictment of Vincent Ramos, the CEO of Phantom Secure.

After Ramos was arrested, San Diego FBI agents recruited a Confidential Human Source (“CHS”) who had been developing the “next generation” encrypted communications product, poised to compete for market share against established hardened encrypted device competitors. At the time, the void created by Phantom Secure’s dismantlement provided a new opportunity for criminal users to switch to a new, secure brand of device. The CHS previously distributed both Phantom Secure and Sky Global devices to TCOs [transnational criminal organizations] and had invested a substantial amount of money into the development of a new hardened encrypted device. The CHS offered this next generation device, named “Anom,” to the FBI to use in ongoing and new investigations. The CHS also agreed to offer to distribute Anom devices to some of the CHS’s existing network of distributors of encrypted communications devices, all of whom have direct links to TCOs.

The FBI's source first distributed ANoM to criminals in Australia, but only after the FBI and the AFP had built interception capabilities into it.

The FBI opened a new covert investigation, Operation Trojan Shield, which centered on exploiting Anom by inserting it into criminal networks and working with international partners, including the Australian Federal Police (“AFP”), to monitor the communications. Before the device could be put to use, however, the FBI, AFP, and the CHS built a master key into the existing encryption system which surreptitiously attaches to each message and enables law enforcement to decrypt and store the message as it is transmitted. A user of Anom is unaware of this capability. By design, as part of the Trojan Shield investigation, for devices located outside of the United States, an encrypted “BCC” of the message is routed to an “iBot” server located outside of the United States, where it is decrypted from the CHS’s encryption code and then immediately re-encrypted with FBI encryption code. The newly encrypted message then passes to a second FBI-owned iBot server, where it is decrypted and its content available for viewing in the first instance.
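The affidavit's description amounts to a key-escrow design: every message carries a second, silent copy of its content key that only the interception infrastructure can open, and a relay decrypts that copy and re-encrypts the content for the next hop. The following Python is an added illustration of that arrangement and is not Anom's code, whose internals were never published. Everything in it is constructed for the example: the throwaway SHA-256 counter-mode cipher with an HMAC tag (used only so the block runs on the standard library, not as a real AEAD), the key and field names, the sample message, and the mobile country codes used for the U.S. geo-fence the affidavit mentions further down (310 is one of the U.S. MCCs, 505 is Australia). The last function shows the check an auditor of the client would want: a wrapped key in the envelope that the recipient's own key cannot open.

```python
# Added illustration of an escrowed ("BCC'd") E2E message envelope.
# Not Anom's code; the cipher is a toy built on the standard library.
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(nonce || ciphertext)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def client_send(pair_key: bytes, escrow_key: bytes, plaintext: bytes) -> dict:
    """What a backdoored handset does: wrap the per-message key twice.
    pair_key is shared with the recipient; escrow_key is the baked-in master key."""
    msg_key = os.urandom(32)
    return {
        "body": seal(msg_key, plaintext),
        "wrap_recipient": seal(pair_key, msg_key),  # the honest part
        "wrap_escrow": seal(escrow_key, msg_key),   # the silent "BCC"
    }


def client_receive(pair_key: bytes, envelope: dict) -> bytes:
    """The recipient never touches wrap_escrow and sees an ordinary E2E message."""
    return unseal(unseal(pair_key, envelope["wrap_recipient"]), envelope["body"])


def ibot_relay(envelope: dict, escrow_key: bytes, fbi_key: bytes,
               sender_mcc: str, fenced_mccs: frozenset) -> Optional[bytes]:
    """First interception server: apply the geo-fence, recover the content with
    the escrow key, re-encrypt it under the second server's key.
    Returns None for devices whose MCC is fenced out."""
    if sender_mcc in fenced_mccs:
        return None
    msg_key = unseal(escrow_key, envelope["wrap_escrow"])
    return seal(fbi_key, unseal(msg_key, envelope["body"]))


def fbi_server_read(fbi_key: bytes, blob: bytes) -> bytes:
    """Second server: plain decryption under its own key."""
    return unseal(fbi_key, blob)


def escrow_field_present(envelope: dict, pair_key: bytes) -> bool:
    """Auditor's check on the client: any wrapped key the recipient's pair key
    cannot open is being wrapped for someone else."""
    for name, blob in envelope.items():
        if name == "body":
            continue
        try:
            unseal(pair_key, blob)
        except ValueError:
            return True
    return False


def demo() -> tuple:
    """End-to-end run with constructed keys and a constructed message."""
    pair_key, escrow_key, fbi_key = os.urandom(32), os.urandom(32), os.urandom(32)
    env = client_send(pair_key, escrow_key, b"meet at the port, 2am")
    seen_by_recipient = client_receive(pair_key, env)
    # MCC 505 (Australia) is not fenced; 310 (U.S.) would make the relay drop it.
    hop = ibot_relay(env, escrow_key, fbi_key, sender_mcc="505", fenced_mccs=frozenset({"310"}))
    seen_by_fbi = fbi_server_read(fbi_key, hop)
    return seen_by_recipient, seen_by_fbi


if __name__ == "__main__":
    print(demo())
```

Note that nothing in the recipient's code path changes: the message still decrypts with the pairwise key, so the only observable difference for a user is the extra opaque field, which a network capture or a teardown of the client binary would expose. A geo-fence implemented on the relay, as here, also means the escrow copy still leaves the fenced device; it is merely not stored.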

The investigation began in Australia, with the AFP intercepting messages using the expanded powers it received under the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA) to secure permission to intercept every communication carried by the ANoM devices. But the permission it received had limits. It was only able to "discuss generally" the content of the intercepted communications, rather than share them directly with the FBI.

As more devices made their way into the hands of suspected criminals, the FBI began performing its own interceptions. But it didn't do it directly. Instead, it asked an unnamed third country to perform the interception for it with the understanding it would hand over intercepted communications to the FBI.

[T]he FBI itself was not yet reviewing any of the decrypted content of Anom’s criminal users. Also by summer of 2019, the investigative team engaged representatives from a third country to receive an iBot server of its own and obtain the contents of communications occurring between Anom users… The third country agreed to obtain a court order in accordance with its own legal framework to copy an iBot server located there and provide a copy to the FBI pursuant to a Mutual Legal Assistance Treaty (“MLAT”). Unlike the Australian beta test, the third country would not review the content in the first instance. FBI geo-fenced the U.S., meaning that any outgoing messages from a device with a U.S. MCC would not have any communications on the FBI iBot server.

[...]

In October 2019, the third country obtained a court order which enabled the copying of the iBot server and the receipt of its contents every two to three days. The initial MLAT between the U.S. and the third country authorized FBI to receive data from October 7, 2019, through January 7, 2020. [...]

Since October 2019, the third country has obtained additional court orders pursuant to its own laws to copy the iBot server and the United States has obtained the server data pursuant to additional MLATs. The third country provides Anom server data to the FBI every Monday, Wednesday, and Friday, and will continue to do so until the expiration of the third country's court order on June 7, 2021. This data comprises the encrypted messages of all of the users of Anom with a few exceptions (e.g., the messages of approximately 15 Anom users in the U.S. sent to any other Anom device are not reviewed by FBI).

The 15 or so users in the US were monitored by the Australian Federal Police for "any threats to life," and that information was "shared generally" with the FBI. Once this was all in place, the FBI was soon swimming in intercepted messages from all over the world.

Since October 2019, the FBI has reviewed the content from the iBot server in the third country pursuant to the MLAT. They have translated the messages (where necessary and where translations are available) and have catalogued more than 20 million messages from a total of 11,800 devices (with approximately 9000 active devices currently) located in over 90 countries.

The affidavit notes that most of ANoM's users reside in Serbia, Germany, the Netherlands, Spain, and Australia. Other than Australia, no other country (or its applicable laws and legal processes) is discussed.

There's a whole lot of criminal activity being discussed using these devices. And not all of it is directly drug-related.

[T]he review of Anom messages has initiated numerous high-level public corruption cases in several countries. The most prominent distributors are currently being investigated by the FBI for participating in an enterprise which promotes international drug trafficking, money laundering, and obstruction of justice.

[...]

From those messages, more than 450,000 photos have been sent detailing conversations on other encrypted platforms discussing criminal activity, cryptocurrency transactions, bulk cash smuggling, law enforcement corruption, and self-identification information.

Yep. Law enforcement corruption.

Information reviewed on the platform has revealed law enforcement sensitive information passed to TCOs, such as reports and warrants. TCOs have also been notified of anticipated enforcement actions against the TCO or other criminal associates.

This multi-national investigation shows it's still possible to take down criminal organizations despite their use of encrypted communications. One solution for law enforcement appears to be to "roll your own": build and operate the "secure" platform yourself, with an interception path designed in from the start, so investigators can read conversations as they happen.


Filed Under: australia, backdoor, encrypted chat, encryption, fbi, honeypot
Companies: anom


Reader Comments



  • Pixelation, 10 Jun 2021 @ 12:38pm

    Well...

    If you can't do the time, don't use a communication service.


  • PrivateFrazer, 11 Jun 2021 @ 12:06am

    The third party country?

    Bet it's the UK


  • Scary Devil Monastery (profile), 11 Jun 2021 @ 12:19am

    For once, a smart move by law enforcement

    This is really the way to go about it.

    • Build an encrypted app you have full control over.
    • Get your snitches and undercover agents to sell it to the criminal sector like the best thing since sliced bread.
    • Collect the information and start up investigations.
    • Go to court.

    Mind you, there are a few moral implications around building and setting up a massive sting op this way. To wit, I'm fairly sure this involves more than a few gray areas and outright black ones narrowly circumvented by loopholes just to remain legal.

    It also doesn't set a good precedent to have government operating communications infrastructure explicitly built to monitor deplorables.


    • ECA (profile), 11 Jun 2021 @ 11:52am

      Re: For once, a smart move by law enforcement

      The BIG part of this tends to be, how fast the criminals figure out WHERE the info came from to get arrested.
      Better to Collect TONS and years of data, than to let loose the idea that, 'That program was the only way I communicated, with others'.

      And I really wonder sometimes, that as a Criminal, Why not get someone With abit of programming skill, LOOK at the program you are using BEFORE you use it. AND MAKE your OWN Chat program, QUIT using what is around and made by others.


      • Anonymous Coward, 11 Jun 2021 @ 2:10pm

        Re: Re: For once, a smart move by law enforcement

        And I really wonder sometimes, that as a Criminal, Why not get someone With abit of programming skill, LOOK at the program you are using BEFORE you use it. AND MAKE your OWN Chat program, QUIT using what is around and made by others.

        There's a Key & Peele skit to this degree, about a bank heist where they become men on the inside, working to keep a low profile, and gradually getting the money given to them by the mark each week. Then after 30 years they leave like ghosts.

        To say that if they were capable of doing what you're saying, they'd just be developing those apps, not necessarily being criminals.


        • ECA (profile), 11 Jun 2021 @ 2:20pm

          Re: Re: Re: For once, a smart move by law enforcement

          And making tons of money just making the communications app. to sell to the other crooks.
          Thanks for the idea.


    • Tanner Andrews (profile), 14 Jun 2021 @ 5:11am

      Re: For once, a smart move by law enforcement

      narrowly circumvented by loopholes just to remain legal

      Do not count on it. The FBI does not have a history of carefully remaining legal. Rather, they have a history of trying not to get caught. That, combined with AUSAs who do not prosecute the guys on "their team", generally provides adequate safety for the FBI operatives.


      • Scary Devil Monastery (profile), 14 Jun 2021 @ 8:32am

        Re: Re: For once, a smart move by law enforcement

        "Do not count on it. The FBI does not have a history of carefully remaining legal."

        Well, no, I'll admit that I'm not assuming the FBI's to necessarily be competent enough to go sliding through the loopholes they've bargained for rather than run smack into the wall.

        But at least when a bureaucracy has a mechanism in place which at some point renders something horribly shady fully legal they can argue good faith. Which, in many jurisdictions, renders the group of civil servants calling the shots immune to prosecution barring some fairly exotic evidence being brought to the table...


