There’s nowhere to run, and now there’s nowhere to hide. Earlier this year, international law enforcement secretly infiltrated one of the most secure communication networks in organized crime. By planting malware on EncroChat’s encrypted handsets, investigators laid cartel plans bare, intercepted shipments and arrested dealers. It raises the question: what can enterprises learn from cybercriminals about the importance of protecting encryption, and about where encryption stops protecting you?
It was “industry standard.” EncroChat was the best encrypted chat platform in the (underground) business, and whole networks of cartels, weapons trafficking and other nefarious enterprises were built on it. Until it was hacked by law enforcement and the protected chats became incriminating evidence.
Users of EncroChat were summarily rounded up and taken into custody this year. It was estimated that somewhere in the realm of 90% of its users were employing the app for illegal purposes.
“They’re just lifting people,” said a source close to criminal users of the app in a communication to Motherboard. Andy Kraag, head of the National Criminal Investigations Department in the Netherlands, said: “We’ve captured messages that give us a view of daily life in the criminal world.” Everything from price lists to customer profiles was laid bare to law enforcement.
EncroChat was supposed to be the best. With “customized hardware, a dedicated OS, and its own servers” it was marketed as virtually impenetrable. However, Operation Venetic showed that with enough dedicated firepower, well-supported agencies can fight back, and that they need not attack the cryptography at all.
International law enforcement, spearheaded mainly by the French, created malware specifically designed for the devices. These were special phones with dedicated hardware, and the malware turned that hardware against its owners. Not only could the state-made malware evade detection, it could read messages on the device before they were encrypted, record and store the lock-screen password, and reach EncroChat devices all over the world. The ciphertext on the wire was never broken; it did not need to be, because the plaintext was captured at the endpoint. Now, with their most viable communication pathway thwarted, a source close to criminal users reported that many are deciding “to go to ground.”
Law enforcement may now have to search in many more places as they go back to catching criminals “the old-fashioned way.” Or perhaps a new encrypted model will soon take its place. However, it may be a while before full faith is restored, as technology advances on both sides and the reality of malware that sidesteps encryption sinks in. In this cat-and-mouse game, is anything ever permanently safe?
Aside from the immediate headlines, what is interesting is that all this was done without a backdoor in the encryption itself. The compromise was of the endpoint, not the algorithm or the keys. And that, for avid fans of privacy and encryption, might be the most salient part: strong cryptography is only as trustworthy as the device that holds the keys and the plaintext.
Just a quick refresher on the Ps and Qs of encryption protocols in practical use, and some pitfalls to avoid.
Humans prove and protect their identities with social security numbers, passports and other documents, and continue the process online with usernames and passwords. Machines (anything from ATMs to software containers) need to establish the same trust in identity, and do so with digital keys and certificates. A TLS certificate binds a public key to a name (such as a hostname) and carries an issuer’s signature over that binding; the machine proves it holds the matching private key, and only then does the client proceed to do business with it, whether that is selling your bitcoin or anything else.
First, digital certificates establish identity, and encryption is what that identity is used to protect. During the TLS handshake the certificate authenticates the server; the session keys that encrypt the traffic are derived afterwards, so the encryption is only as good as the identity check that preceded it. Encryption is a means, not an end, in this process.
Secondly, when establishing trust, self-signed certificates only make sense when working internally, and even then the trust has to be distributed deliberately: a client that was never told to trust a self-signed certificate will, correctly, reject it. It is arguably a little far-fetched to claim your identity by reference to yourself (“It’s me, honest”). So even though bypassing a Certificate Authority and spinning up your own self-signed certificate may be handy, when presenting a strong security profile to outside investors or even savvy clients, going through a CA remains the traditional, and trusted, route.
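To make the “It’s me, honest” problem concrete, here is an added example (not code from the original post or from any product it mentions) that uses only Go’s standard library to mint a self-signed certificate and a small private-CA chain, then runs the same chain-and-hostname check a TLS client performs. The hostname `builds.internal.example` and the CA name are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Host is a hypothetical internal hostname, constructed for this example.
const Host = "builds.internal.example"

// newKey generates a P-256 key; ECDSA keeps the example fast and dependency-free.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template returns a certificate skeleton for cn that is valid for one day.
func template(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// sign issues the certificate described by tmpl, signed with signer's key.
// Passing tmpl as its own parent yields a self-signed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// SelfSigned mints a server certificate for Host that vouches only for itself.
func SelfSigned() *x509.Certificate {
	key := newKey()
	t := template(Host, 1)
	t.DNSNames = []string{Host} // modern clients match the SAN, not the CN
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	return sign(t, t, &key.PublicKey, key)
}

// PrivateCA mints an in-house root CA and a server certificate for Host signed by it.
func PrivateCA() (root, leaf *x509.Certificate) {
	caKey := newKey()
	ca := template("Example Internal Root CA", 2) // hypothetical CA name
	ca.IsCA = true
	ca.BasicConstraintsValid = true
	ca.KeyUsage = x509.KeyUsageCertSign
	root = sign(ca, ca, &caKey.PublicKey, caKey)

	leafKey := newKey()
	l := template(Host, 3)
	l.DNSNames = []string{Host}
	l.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	leaf = sign(l, root, &leafKey.PublicKey, caKey)
	return root, leaf
}

// Pool builds a trust store; an empty pool models a client that has been told
// to trust nothing in particular.
func Pool(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// Verify performs the check a TLS client performs: is there a chain from leaf
// to something in roots, and does the leaf actually name host?
func Verify(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// IsUnknownAuthority reports whether err is the "nobody I trust signed this" failure.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	ss := SelfSigned()
	fmt.Println("self-signed, stranger's trust store:", Verify(ss, Pool(), Host))
	fmt.Println("self-signed, explicitly pinned:     ", Verify(ss, Pool(ss), Host))

	root, leaf := PrivateCA()
	fmt.Println("CA-signed, root distributed:        ", Verify(leaf, Pool(root), Host))
	fmt.Println("CA-signed, wrong hostname:          ", Verify(leaf, Pool(root), "evil.example"))
	fmt.Println("CA-signed, root not distributed:    ", Verify(leaf, Pool(), Host))
}
```

The self-signed certificate verifies only for a client that has already pinned that exact certificate; to everyone else it is an unknown authority, which is the “It’s me, honest” problem in code. With a private CA, distributing one root is enough for every certificate it issues, and the hostname check still rejects a certificate presented by the wrong server. A public CA is the same mechanism with a root that browsers and operating systems already ship.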