As a Belgian citizen (but not a criminal, as far as I know) I'm very interested to hear the HN community's take on this. The local press is saying no encryption is safe for the police (anymore) and that it was Belgian law enforcement that was able to crack the encryption of the app the criminals were using.
I wonder if the press knows what it's talking about.
From what I read in the Dutch news, they managed to crack about half the messages so far. That they haven't cracked them all indicates that it is not a vulnerability in the encryption itself. I suspect that the police managed to gain physical access to the servers and went from there. Opsec is really really hard.
Fun, unrelated story: apparently some of the intelligence operations managed to get their hands on the laptop of a target while it was at some maintenance store to get the screen replaced. They managed to install a physical keylogger inside it with its own radio, but hooked up to the laptop's power supply. This is the kind of shenanigans you have to be aware of and defend against when you run a service like Sky ECC. The slightest slip up and you are doomed.
It'd be nice to have a police officer talk about this :-)
But is it me, or do police techniques such as gaining physical access to criminals, flipping them to informers, close surveillance, etc. continue to be very efficient even in the face of quite good technology?
To expand in case it isn’t clear... if you have a federated client it has to work to a standard, a backdoor at the client could be added on one app but probably not all the options. If you were trying to hack a system like this and they don’t use a federated client, the only option is the “official app” and authorities could have taken control of that, added a backdoor, and pushed it out as an update.
This could still happen with any one or two or multiple federated apps, but the chances are a lot less likely this would go undetected.... then again... I have less faith in the "many eyes" theory of these things since Heartbleed was an OpenSSL flaw for years and that was open source and no one ever noticed.
Most likely Sky ECC had some kind of weakness or vulnerability that made it vulnerable to attack.
Encryption is really hard, and one mistake can unravel all of your efforts. I doubt that a boutique shop like Sky ECC's owners had the resources to secure it as well as they claimed.
If you go to their store page, you'll see their side of the story. Basically they say that the hacked clients were sideloaded / modified versions. Which, if you think about it, might be the way the police cracked the network.
"Sky ECC platform remains secure and our authorized devices have not been hacked.
There have been recent news articles that claim Sky ECC has been hacked and is involved in criminal activity. This information is not accurate. We have looked into these claims and discovered that a small group of individuals illegally created and distributed an unauthorized version of Sky ECC which they modified and side-loaded onto unsecure devices. Security features that come standard with the Sky ECC phones were eliminated in these bogus devices. ..." [0]
Sowing confusion with bold claims of compromise will lead criminals to believe encrypted platforms are not secure and to not use them, instead using easier-to-intercept methods of communication.
I don't. In fact I don't believe any kind of PR, really, as that whole exercise is more about telling a favorable story than actually informing on anything.
But those bold claims of compromise are backed up by a large, international, and simultaneously-executed roundup of the service's users, who from the likes of it all had Sky ECC in common. Also, the last time this happened was when Encrochat was compromised? That wasn't even all that long ago.
Because Signal definitely will comply with a judge if given good reasons, like "here is a criminal organization using your app, help us dismantle it", and Telegram is the same as Signal with the exception that it is Russian.
Also encryption is only as good as its weakest link, and in this case that is humans. Probably the police flipped some criminals to be informers and are now running a smoke & mirrors campaign in the media in order to get the rest of the criminals to make more mistakes.
As for the ideal way to do organized crime, the main ingredient is to own judges + police and you're set for life. From time to time let some minor transport get intercepted by your corrupt policemen, have some small fish get fried by your judge and stir the waters for a few days in the media in their favor. Maybe this news is exactly that, and while the newspapers are reporting a few millions captured you haul the rest of the billions without a hiccup.
Love the disclaimer ("but not a criminal, as far as I know").
Have you read those bizarre fake facts like "it is illegal to eat oranges in your bathtub in California"? If you haven't, I am sure you have broken myriad weird laws like that and are, in fact, a criminal! :-)
When your client base is comprised of child traffickers, cocaine smugglers and murderers, a company that prides itself on hiding nefarious figures, with little to no legitimate clients, will surely find itself at the end of a LEO hack.