The beginning of the month brought some interesting news in the form of the Encrochat takedown.
Having worked in law enforcement not only allows you to build some interesting contacts, both domestically and internationally; it also allows you to hear a bit more detail of the stories published in the media and to gain a different perspective on those.
So I reached out to a fellow former law enforcement officer James Hector* who is knowledgeable in the topic of underground encrypted phone networks.
He kindly agreed to share some of his expertise on what happened with Encrochat.
Without further ado, let’s hear it from James.
*an alias, obviously
Can we start with a quick intro – who are you and what is your background?
I’m a former police officer and current security practitioner working with European and state organisations. I have experience in digital forensics, investigations, incident response and threat intelligence.
When did you start researching Encrochat? I have to admit I knew little about it prior to the story breaking. To me it was just one of the shady private encryption services…
I first got interested in the topic of encrypted communications being used by criminals a few years ago, when I read that a cartel in Mexico had assembled its own mobile phone network to avoid surveillance.
Encrochat is just one of a number of companies offering specially prepared mobile phones, purportedly to privacy conscious individuals. Encrochat mostly sold mobile phones from a Spanish manufacturer that had GPS, camera and microphones disabled to reduce the chance of surveillance.
These phones also ran a hardened version of Android and were restricted to mostly sending messages and calls through Encrochat.
The phone purportedly cost €1000 up front with a licence fee of €1500 every six months thereafter – money well spent if you suspect you’re the subject of state surveillance.
Although there were/are legitimate providers of encrypted comms, such as the now defunct Blackphone, many of the providers know that a good proportion of their customer base is criminals and market their products on that basis.
What can you tell me about the timeline of the Encrochat events? How did all this unravel?
Encrochat hit the news recently because it was compromised by the police and the evidence gained was used to arrest hundreds of people in the UK – so far. However, this isn’t the first encrypted communications network to have been accessed by police.
It has happened previously in both Europe and the Americas and begs the question whether it is worth setting up and using such a service.
In this case, Encrochat first appeared on the scene in about 2016. It appears to have been merely a fork of Android and something you could install yourself at the time. As the custom handsets gained acceptance and clients, Encrochat also gained the interest of the French police.
They launched a targeted operation to compromise it back in 2018 before involving the Dutch police’s High Tech Crime Unit. Although the Americans often get the kudos for technically complex operations, the French and Dutch police are quiet but highly competent – I wouldn’t want to fall in their crosshairs.
How do you think law enforcement agencies acted to achieve their objectives and what could have happened that led to the compromise of this service?
I think this was an exemplary action by law enforcement, enabled by Europol, and bearing fruit in March-May this year across the user base of approx. 60K clients in Europe. It appears that the Encrochat system was fully compromised by this investigation and millions of data points extracted before it was discovered by the company in early June.
It’s also noteworthy that the investigation team so fully controlled the network that they were able to disable some of the protective features on the Encrochat handsets even when repeatedly re-enabled by the company – that is hugely impressive.
Another element that is impressive is the operational security maintained by the team.
This was a multi-national, cross-functional and large-scale operation – one of the biggest and most successful Europe has seen. It is also not the end of it; there are many more arrests to come, I would suggest. The arrests have only numbered in the hundreds so far, and with sixty thousand users there’s a lot of scared people out there.
One of the big challenges faced by the team is the sheer amount of information they now possess. How do you triage and mine that information to get it to the right people? How do you identify the users if there are just unregistered numbers? It’s a problem that hasn’t been addressed publicly that I’ve seen and will need specialists just for that.
As for how they compromised the Encrochat system, that will likely remain a closely guarded secret – at least until any court case for the company principals. It appears that the police compromised the handsets themselves – always a good idea because it means you don’t have to decrypt anything in transit. As I mentioned above, it looks like they had full control of the company servers too.
There are certainly a number of ways in: the handset manufacturer, the SIM card provider, poor security on the company servers, reverse engineering a seized handset and the co-operation of the company are all amongst the possibilities.
Can you talk broadly about the market for similar services? Have there been any alternatives to Encrochat and do you think there will be in the future?
There are certainly users who may benefit from encrypted comms such as journalists, CEOs and dissidents but the majority of us can make do with widely available operating systems and apps on them.
There remain some competitors to Encrochat (many of whom devote resources to trash talking each other to reduce faith in the competition). I’m not sure why criminals use these services to be honest.
Many dissidents avoid these kinds of services because of the attention they draw in the long term. I would rather hide in the noise than make myself stand out by using these services – are they status symbols amongst criminals, I wonder?
Perhaps it’s a control thing, as there are reports that some are used to surveil their own gangs, with the ability for the boss to read all messages sent between their underlings.
What is your opinion on digital privacy vs encryption in the light of the Encrochat events?
One of the touch points in this argument was the 2015 US case where the FBI attempted to legally compel Apple to decrypt an iPhone found at the scene of a suspected terrorist attack. Apple refused, claiming they were unable to, and it went to court; however, it was never settled, as a private company stepped forward with the capability to do it for the FBI.
That was a shame because it’s a difficult problem and a matter of significant public importance.
My own view is that with the right legal protections, and bright minds behind the scenes, it should be possible to decrypt mobile phones involved in serious cases with the co-operation of their makers.
What we have now is an arms race between operating systems and governments. There are some advantages in that system of competition but also many drawbacks – for example when governments find a widespread flaw in an operating system they should be able to report that safe in the knowledge that they can still maintain access after due process to devices seized in the course of investigations.
On the other hand, of course, that puts software companies in an invidious position when you’re operating in a country without strong legal safeguards. Again, if I were a criminal I would see these encrypted systems as honeypots.
What information can we draw from this whole situation about organised crime, both cyber crime and traditional crime in Europe?
What can we learn about organised crime from this episode? An awful lot – this is probably one of the biggest insights into the structure of organised crime groups we’ve had in a decade.
Even from outside the investigation we can observe just how pervasive, tenacious, vicious (watch the video of the torture chamber uncovered by the Dutch) and, let’s face it, organised they are.
There’s so much money to be made we won’t be able to tackle it until we tackle the sources of their wealth. Pending that it requires strong law enforcement and transnational co-operation to combat it.
Hopefully this kind of operation won’t be impacted by Brexit or other political considerations.
What lessons could be drawn from this for individual national LE agencies?
I think one takeaway here is that there is a homegrown technical capability in Europe that would surprise people not in the know.
The problem is that this expertise is concentrated in certain forward-thinking (or better funded) countries, and even then can be siloed within organisations.
Smaller countries should look to develop their own in-house technical competences and not look to take crumbs from the table.
That should mean that they can’t be used as safe havens by criminals, as is sometimes the case now.