FBI, Australian Police Ran A Backdoored Encrypted Chat Service For Three Years

(Mis)Uses of Technology

from the we've-got-a-server-on-the-inside-[wink] dept

Recently unsealed documents have revealed the FBI and the Australian Federal Police ran a backdoored encrypted communications service for more than three years, resulting in dozens of arrests and several large drug busts. Here’s a brief summary via Joseph Cox for Motherboard.

For years the FBI has secretly run an encrypted communications app used by organized crime in order to surreptitiously collect its users’ messages and monitor criminals’ activity on a massive scale, according to a newly unsealed court document. In all, the elaborate operation netted more than 20 million messages from over 11,800 devices used by suspected criminals.

This honeypot/chat app went into development following law enforcement’s takedown of other encrypted phone providers like Phantom Secure and Sky Global. According to the unsealed warrant [PDF] targeting a Gmail account of a suspect, the backdoored communications offering was the direct result of the indictment of Vincent Ramos, the CEO of Phantom Secure.

After Ramos was arrested, San Diego FBI agents recruited a Confidential Human Source (“CHS”) who had been developing the “next generation” encrypted communications product, poised to compete for market share against established hardened encrypted device competitors. At the time, the void created by Phantom Secure’s dismantlement provided a new opportunity for criminal users to switch to a new, secure brand of device. The CHS previously distributed both Phantom Secure and Sky Global devices to TCOs [transnational criminal organizations] and had invested a substantial amount of money into the development of a new hardened encrypted device. The CHS offered this next generation device, named “Anom,” to the FBI to use in ongoing and new investigations. The CHS also agreed to offer to distribute Anom devices to some of the CHS’s existing network of distributors of encrypted communications devices, all of whom have direct links to TCOs.

ANoM was first distributed to criminals in Australia by the FBI’s source. But not before both the FBI and AFP added interception capabilities.

The FBI opened a new covert investigation, Operation Trojan Shield, which centered on exploiting Anom by inserting it into criminal networks and working with international partners, including the Australian Federal Police (“AFP”), to monitor the communications. Before the device could be put to use, however, the FBI, AFP, and the CHS built a master key into the existing encryption system which surreptitiously attaches to each message and enables law enforcement to decrypt and store the message as it is transmitted. A user of Anom is unaware of this capability. By design, as part of the Trojan Shield investigation, for devices located outside of the United States, an encrypted “BCC” of the message is routed to an “iBot” server located outside of the United States, where it is decrypted from the CHS’s encryption code and then immediately re-encrypted with FBI encryption code. The newly encrypted message then passes to a second FBI-owned iBot server, where it is decrypted and its content available for viewing in the first instance.

The investigation began in Australia with the AFP intercepting messages, utilizing the expanded powers given to it by 2018’s Telecommunications and Other Legislation Amendment (TOLA) to secure permission to intercept every communication carried by the ANoM devices. But the permission it received had limits. It was only able to “discuss generally” the content of the intercepted communications, rather than share them directly with the FBI.

As more devices made their way into the hands of suspected criminals, the FBI began performing its own interceptions. But it didn’t do it directly. Instead, it asked an unnamed third country to perform the interception for it with the understanding it would hand over intercepted communications to the FBI.

[T]he FBI itself was not yet reviewing any of the decrypted content of Anom’s criminal users. Also by summer of 2019, the investigative team engaged representatives from a third country to receive an iBot server of its own and obtain the contents of communications occurring between Anom users… The third country agreed to obtain a court order in accordance with its own legal framework to copy an iBot server located there and provide a copy to the FBI pursuant to a Mutual Legal Assistance Treaty (“MLAT”). Unlike the Australian beta test, the third country would not review the content in the first instance. FBI geo-fenced the U.S., meaning that any outgoing messages from a device with a U.S. MCC would not have any communications on the FBI iBot server.

[…]

In October 2019, the third country obtained a court order which enabled the copying of the iBot server and the receipt of its contents every two to three days. The initial MLAT between the U.S. and the third country authorized FBI to receive data from October 7, 2019, through January 7, 2020. […]

Since October 2019, the third country has obtained additional court order pursuant to its own laws to copy the iBot server and the United States has obtained the server data pursuant to additional MLATs. The third country provides Anom server data to the FBI every Monday, Wednesday, and Friday, and will continue to do so until the expiration of the third country’s court order on June 7, 2021. This data comprises the encrypted messages of all of the users of Anoms with a few exceptions (e.g., the messages of approximately 15 Anom users in the U.S. sent to any other Anom device are not reviewed by FBI).

The 15 or so users in the US were monitored by the Australian Federal Police for “any threats to life” and this information “shared generally” with the FBI. Once this was all in place, the FBI was soon swimming in intercepted messages from all over the world.

Since October 2019, the FBI has reviewed the content from the iBot server in the third country pursuant to the MLAT. They have translated the messages (where necessary and where translations are available) and have catalogued more than 20 million messages from a total of 11,800 devices (with approximately 9000 active devices currently) located in over 90 countries.

The affidavit notes that most of ANoM’s users reside in Serbia, Germany, Netherlands, Spain, and Australia. Other than Australia, no other country (or their applicable laws/legal processes) are discussed.

There’s a whole lot of criminal activity being discussed using these devices. And not all of it is directly drug-related.

[T]he review of Anom messages has initiated numerous high-level public corruption cases in several countries. The most prominent distributors are currently being investigated by the FBI for participating in an enterprise which promotes international drug trafficking, money laundering, and obstruction of justice.

[…]

From those messages, more than 450,000 photos have been sent detailing conversations on other encrypted platforms discussing criminal activity, cryptocurrency transactions, bulk cash smuggling, law enforcement corruption , and self-identification information.

Yep. Law enforcement corruption.

Information reviewed on the platform has revealed law enforcement sensitive information passed to TCOs, such as reports and warrants. TCOs have also been notified of anticipated enforcement actions against the TCO or other criminal associates.

This multi-national investigation shows it’s still possible to take down criminal organizations despite their use of encrypted communications. One solution for law enforcement appears to be to “roll your own” — one that allows investigators to listen in on conversations as they happen.

Filed Under: australia, backdoor, encrypted chat, encryption, fbi, honeypot
Companies: anom