The Mirage of Encrypted Phones, and Why They Fail
In June 2014, the company Silent Circle launched the first version of its Blackphone. This device, running a modified version of Android, promised to reign in difficult to understand privacy and security settings to make it easy to communicate securely. Blackphone users were supposed to be able to make encrypted calls and send encrypted messages that could not be eavesdropped. Unfortunately for the company, Blackphone sales never materialized and the phone was discontinued 5 years ago.
While the Blackphone may have been a commercial flop when targeting business users, the concept survived, but geared towards a different crowd: offenders. Companies replicated the Blackphone’s features, but were not so concerned with who was purchasing the phone, and whether the money they received was dirty or not.
Arrest and Failure of EncroChat
EncroChat was such a company that sold ‘secure’ mobile phones. Its carbon units as they were known came with the GPS, camera and microphone disabled so as to make it hard to remotely monitor. EncroChat required a subscription in addition to the cost of the phone to use the secure communication applications. It reached quite a following, with over 60,000 subscribers at its peak.
In the summer of 2020, it was revealed that while the phones themselves may have been secure, the company’s infrastructure was not. Law enforcement managed to gain access to the company’s servers and monitor all of the communications of its users. This was a major blow to offenders all over the world, and a police operation that led to seizures of firearms, drugs, and illicitly gained millions.
Offenders Never Learn
The failure of EncroChat was not surprising by any account. Using a centralized infrastructure was sure to lead to compromise, sooner or later. Having a central point of failure is what makes it possible for law enforcement to disrupt offender communications.
Another issue is the phone itself that was sold. Forcing users to purchase a specific phone is an attractive proposition for vendors looking to profit from offenders. It however provides little value over using encrypted communication applications on a regular iOS or Android headset. The hardware disabling of GPS, microphone and cameras does matter, but law enforcement is rarely hacking into, or abusing these except in major criminal cases.
Still, the shutdown of EncroChat, and the revelation of its success in the criminal underground have brought publicity around this type of service which now abound in criminal forums, and clearweb forums. In another example of history that repeats itself, the police arrested the owner of yet another one of these companies, SKY ECC. Bleeping Computer reports that:
“As of mid-February, authorities have been able to monitor the information flow of approximately 70 000 users of Sky ECC. Many users of EncroChat changed over to the popular Sky ECC platform, after EncroChat was unveiled in 2020.“
Reviews of SKY ECC Service
The fact that so many offenders decided to purchase a SKY ECC phone, and subscribe to its service, is puzzling. In May 2020, a new forum thread on a Russian hacking forum started discussing options for secure encrypted phones. When one user suggested SKY ECC, replies piled in.
“Sky […] is […] owned by gov”
“I’m sure you’ve seen what happened with EncroChat. I wouldn’t trust anything which uses closed source encryption. Law enforcement always finds back doors and when you find out it is too late”
“Almost all of these products are snake oil. They’re developed by marketers, not by cryptographers or security experts”
“Doubtful proposal. SkyECC are using Blackberry phones from TLC in which backdoors with remote installation of adware are found”
And, in perhaps in a bizarrely accurate prediction made 6 months ago, one user replied:
“Snake oil product. Wait another 5-6 months to see dejavu of all of the busts caused by breach in Encrochat. Sky ECC is the next one to go that way”
Others, finally, had some surprising reasons as to why companies like SKY ECC should be trusted. Can you go against this logic?
“if SKY ECC was under the government’s authorities, all Amsterdam would be empty of drugs and also all Europe, so it doesn’t make sense i think”
A Blind Reliance on Empty Marketing Messaging
If there is one lesson to learn from the fiasco of supposedly secure and encrypted phones, it is that communicating securely is still very much a challenge today for companies, but also for offenders.
Offenders are in dire need of communicating with each other, and rarely have the technical skills to make it happen on their own. They often rely on services provided to them by a third-party and are not encrypting their messages themselves using encryption keys they securely obtain. This makes law enforcement’s job of identifying and arresting offenders much easier.
This false sense of security however also extends to how malicious actors communicate online. Malicious actors tend to share much about themselves in chat rooms that may be believed to be private, or in anonymous paste sites that can be easily indexed.
You should be equally doubtful when choosing which applications to use to communicate. Marketers have become quite efficient at convincing users that their service is secure, when it is not. This article seeks to clear up the benefits and limits of messaging services, and it shows how an application may protect you in one case, but not in all cases, against eavesdropping, making finding a single solution that works all the time difficult.
Maybe it is time to meet people in person when communicating sensitive information?