New Info About Encrypted Messaging Service Bust Shows Signal Protocol Is Still Secure, Law Enforcement Can Still Bypass Encryption
from the good-news-for-everyone,-bad-news-for-careless-criminals dept
Last month, the DOJ announced it had secured indictments against an encrypted device maker, claiming the company had violated all sorts of laws by selling its devices to criminals. This closely mirrored the DOJ's earlier prosecution of Phantom Secure, another encrypted device maker it accused of aiding and abetting criminal enterprises.
Sky Global was the most recent target. Both prosecutions seem a bit performative though. The FBI -- which participated in both investigations -- has been making the case for years that encryption benefits criminals far more than it benefits non-criminals. The FBI isn't much for subtlety. It doesn't hint that it believes secure communications are something only criminals need. It comes right out and says that in Congressional testimony and any place that allows its directors to speak.
But devices with more secure options aren't just the playthings of criminals. The desire for more secure communications dates back to the days of burner phones. Sure, criminals loved burners. But so did journalists and their sources, as well as dissidents, government critics, and anyone who desired to keep their communications free of malicious interference and interception.
Encryption is the target. The FBI has made this clear. Anyone paying attention can see this. The ongoing prosecution of Sky Global -- a company offering encrypted devices and an encrypted messaging service it rolled itself -- has inadvertently exposed how little encryption actually matters when it comes to criminal investigations.
Sky Global's takedown involved a phishing attack that resulted in compromised devices and exposed communications. The takedown of EncroChat -- another network/service provider accused of hooking up criminals with encrypted devices/communications -- made encryption seem like no big deal.
The investigation -- which spanned several countries -- culminated in more than 1,000 arrests. The communications platform utilized the Signal protocol, which is freely available to be utilized by anyone with a desire for more secure communications. At the time the arrests took place, officials made it clear Signal's protocol had not been compromised. From Joseph Cox's report on EncroChat's takedown:
"EncroChat encrypt their messages with the Signal Protocol. This is a commonly used encryption protocol that is freely available. I am unaware of any capability to decrypt messages encrypted using the Signal protocol," the document, written by a technical employee from the UK's National Crime Agency (NCA), reads.
This may read like a defeat. But it isn't. Encryption may seem impenetrable if you only approach the front door. There are other ways to get in. EncroChat ran parallel systems on the phones it sold -- one that allowed users to wipe info when they input a PIN and one that looked like stock Android. But the system went down anyway.
Last year, authorities managed to push a malicious update from Encrochat's server down to individual Encrochat devices, according to other law enforcement documents obtained by Motherboard. The malware could harvest the phone's GPS location, stored messages, passwords, and more information, Motherboard previously reported. In the wake of that large scale hacking operation, French police shared the collected data with multiple international law enforcement agencies, including the NCA as well as Dutch authorities.
We know what this tells us: encryption isn't insurmountable, no matter how well-crafted it is. The Signal protocol is still considered impenetrable. And yet, thousands of devices were compromised, leading to a wave of arrests and indictments. Phones are hackable. This remains true, no matter what encryption protocol is deployed. Compromise is only a click away, and less than that if law enforcement can seize the servers that phones and/or apps rely on.
"Going dark" isn't what the dishonest FBI pretends it is. Things may be more difficult but it's far from hopeless. Law enforcement still has plenty of options. Just because it can't fully unlock a phone with nothing more than the swipe of a thumb doesn't mean encryption -- and criminals -- have won the tech race.
Filed Under: doj, encryption, security, signal
Reader Comments
This makes a very good point but... so they are just outright hacking entire phone services now, and that is OK?
[ link to this | view in thread ]
What this really says is that commercial security systems are often not nearly as secure as they pretend to be. A properly secured system should not be set up to blindly trust unsolicited "pushing" of updates from outside sources, even if that source is ostensibly the original manufacturer.
[ link to this | view in thread ]
Re:
This. What I'll never understand is why a perfectly good phone, working as intended, needs to be updated in the first place. The very idea of "phoning home" is based on this exact scenario - get updates to make sure that the phone can still be compromised by outsiders be they the authorities (and why would they need to do such a thing in the first place??), hackers who have penetrated the servers without permission, or the very manufacturers themselves, for whatever ulterior motive they might have up their sleeves.
Oh, wait a moment, I recall now.... It's all in the name of "protecting the customer/user". Of course, how could I forget.
[ link to this | view in thread ]
Depending on the country, the law enforcement service, and the circumstances, compromise could be no further away than the nearest rubber baton.
[ link to this | view in thread ]
Re:
They have that nice soft rubber where you live? Lucky duck.
[ link to this | view in thread ]
Re: Re:
Because new vulnerabilities are continually identified in every operating system ever developed by man. Maybe one day that won't be true. But until that day arrives, the security of your devices is directly dependent on your ability to update them.
[ link to this | view in thread ]
Re:
This. I am rather disturbed by how easily they can just walk in and completely bypass the security mechanisms on a device.
It seriously raises the question of how far we are willing to go. I am sure there are plenty of people who have something to fear from the government, and yet, they're not a menace to society like fraudsters or drug dealers. Is it worth it to catch some criminals? What about the users who aren't?
Even the obsession with drug dealers. For decades, we have been watering down rights more and more, and allowing outright subpoenas (not even a court order) to be sent to retrieve information on a potential drug crime. Do we really want to expand the War on Drugs to the crypto world? Has the War on Drugs gotten anywhere over the past few decades?
[ link to this | view in thread ]
Re:
Authorities like central points of pownage. The next step up in the arms race could be the removal of those points: e.g. for distribution the Interplanetary File System. For trust however it's hard. Signing certificates rely on centralized trust roots. You'd need to create many different trust roots and trust only those you personally know and trust. But trust is ultimately fallible and the Web of Trust has been an utter failure. Keeping the tech stack low to have a few updates and them being security updates and auditing them actively seems the only chance.
[ link to this | view in thread ]
So communications are not going dark
Rather they're going bright, where law enforcement can not only bypass phone and internet encryption but also legal limitations on what they're allowed to access during an unwarranted search.
So we're back to square one, where they can scrape a suspect's entire history for something to bust him on and to disgrace him in the eyes of a jury.
So we each better hope no official or officer decides we have something worth ruining a life over.
[ link to this | view in thread ]
History
Back to ancient Greece, at least.
https://en.wikipedia.org/wiki/Histiaeus#Ionian_revolt_%28499-494_BC%29
[ link to this | view in thread ]
This article points out how vulnerable single point failures are. Such as a central place to get updates. A solution for open source at least is the source code is shared to many trusted sources and they compile it and if one of them is not the same as the other ones the update app on the phone will refuse to download it. Distributed update verification. The only single point of failure will be the source code itself and since it's public and many talented people keep an eye on the source code changes. It would be very difficult to add something malicious to it without getting detected.
I have seen some groups have a no change rule for critical software. As in auto updates are forbidden. You compile from verified good source code. Test it to the max then everyone uses it and it stays static. Compartmentalization and independent cells are also commonly used. Staying safe is an exhausting process of always keeping up to date on the latest OPSEC. It's the classic cat and mouse game. I've seen some promising work using neural nets in encryption software. For instance neural net starts off with certain goals in mind and is locked to a specific group of people. The neural net in that group evolves in a unique way so each group has a unique encryption protocol that keeps on changing within that group. Much harder to hit a moving target that keeps on changing form.
Another way I've seen is using a special torrent client that uses a randomly chosen file and that file is used to communicate and the file changes from for example one movie to another movie that is currently popular. It looks like a normal torrent swarm sharing a file.
Those aren't even the sneaky and very clever ways I've seen. I bet some of these clever people could cure cancer if they wanted to.
[ link to this | view in thread ]
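The distributed update verification described in the comment above, as an added example (not code from the post, its commenters, or any real update client): a device installs an update only when every pinned independent builder that attests to the release reports the same SHA-256 digest as the downloaded artifact, and enough of them do. The builder names, keys, payloads and the `quorum` parameter are constructed for illustration, and HMAC stands in for a real signature scheme.

```python
import hashlib
import hmac

# Constructed sample data: three hypothetical independent builders, each with a
# key pinned on the device. HMAC stands in for a real signature scheme here.
PINNED_BUILDERS = {
    "builder-a": b"constructed-key-a",
    "builder-b": b"constructed-key-b",
    "builder-c": b"constructed-key-c",
}


def attest(builder, key, version, artifact):
    """What a builder publishes after compiling the public source itself."""
    digest = hashlib.sha256(artifact).hexdigest()
    tag = hmac.new(key, f"{version}:{digest}".encode(), hashlib.sha256).hexdigest()
    return {"builder": builder, "version": version, "digest": digest, "tag": tag}


def verify_update(version, artifact, attestations, quorum=3):
    """Return (ok, reason). Install only when ok is True."""
    local = hashlib.sha256(artifact).hexdigest()
    agreeing = set()
    for att in attestations:
        key = PINNED_BUILDERS.get(att["builder"])
        if key is None or att["version"] != version:
            continue  # unknown builder, or attestation for another release
        expected = hmac.new(key, f"{version}:{att['digest']}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, att["tag"]):
            continue  # forged or corrupted attestation carries no weight
        if att["digest"] != local:
            # An authentic builder produced different bytes from the same
            # source: refuse, as the comment describes.
            return False, f"digest mismatch reported by {att['builder']}"
        agreeing.add(att["builder"])  # a set, so repeats count once
    if len(agreeing) < quorum:
        return False, f"only {len(agreeing)} of {quorum} required builders agree"
    return True, "all attesting builders reproduce this artifact"


if __name__ == "__main__":
    good = b"constructed update payload v2"
    atts = [attest(b, k, "2.0", good) for b, k in PINNED_BUILDERS.items()]
    print(verify_update("2.0", good, atts))
    # A payload swapped on the update server no longer matches any builder.
    print(verify_update("2.0", b"tampered payload", atts))
```

This only works if builds are reproducible, so that honest builders compiling the same source produce byte-identical output.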
Re: Re: Re:
Absolutely the wrongest thing you could've said.
Your personal security is your business, not anyone else's, period. If you rely even on others, even at just 1%, for your security needs/desires, then you are at fault when the fan becomes shitfaced - no one else can be blamed but you.
Whyzzat? Simple - you have no recourse when your personal life becomes fubar, all because your computer/phone/smartTV/etc. was compromised. Do you honestly believe that Norton, McAfee, any of the others, can be sued for you're identity being stolen via malware? Guess again, bunky. Every one of those suppliers have a disclaimer to the effect that they accept no responsibility for your actions, and the way you use your computer. Can't blame them, can you. It'd be a courtroom's worst nightmare to have a couple hundred million users all trying to sue Norton just because they failed to detect (and exterminate) some new kind of virus/trojan/worm/phage/what-have-you/flavor of the week malware.
In short, let me once again blurt out the old saw that goes: Practice Safe Hex. Do it like your digital life depends on it, because it does. (Side note: or more properly, a "side brag" - I've gone 22 years now without so much as seeing, let alone succumbing to, any kind of malware. That's right, 1999 was the last time I was "hit" with a browser hijack attack. Since then, I think first about everything I do online, before I do it. Works a treat, I assure you.)
[ link to this | view in thread ]
Re: Re: Re: Re:
Sorry for the typos above, I "accidentally" hit the Submit button instead of the Preview button. Sigh.
[ link to this | view in thread ]
Re: Re: Re: Re:
The comment you're replying to says nothing other than security updates to software are important, because new vulnerabilities are discovered all the time. And you're disagreeing with that. So what are you saying, we should all write our own operating systems so we're not relying on others for our security? Or just write the update patches ourselves?
[ link to this | view in thread ]