How Dutch Police Hacked Over 3 Million Encrypted Emails
The wider bitcoin-using and enthusiast communities sometimes laud criminal enterprises for keeping good operational security practices and for pushing the envelope on online privacy and security. Dutch police have reminded us today that this assumption is dangerous and irresponsible, announcing they’ve defeated the PGP encryption on several Blackberry devices seized a year ago. This gives them access to over 7 TB of encrypted data connected to criminal enterprise.
Criminals Had a Massive Single Point of Failure: Ennetcom
Before you start to believe the alarmist rhetoric that will no doubt spring up over this hack, PGP was not the point of failure. The Blackberries were purchased by criminal organizations from a company called Ennetcom, which modified the devices to communicate via PGP encrypted email. In the year after they were seized, extensive research was done on how the devices communicated with each other.
Investigators found the Blackberries had been modified so they could only communicate with other Ennetcom-modified phones, which led to a probe into the company’s operations. This yielded a very important detail about the encrypted emails: they all passed through Ennetcom’s network, which employed the Blackberry Enterprise Server middleware as well as the BIS network. These services generate the initial encryption key when a device is added to their Enterprise Mobility Management system, effectively providing a mirror of the integrated Blackberries’ local, secure PGP keystores.
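To make that architectural point concrete, here is an added example in Go (not code from the original article, and nothing taken from Ennetcom or BlackBerry) modelling two enrollment flows for the same PGP-style setup: one where the provider’s middleware generates the key pair and therefore retains a copy, and one where the device generates it and uploads only the public key. The `Record`, `Enroll`, `Encrypt` and `SeizedServerDecrypt` names are invented for the illustration, and RSA-OAEP stands in for the real PGP message format.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Record: constructed model of a provider-side key record (not Ennetcom's real system); Priv is set only if the provider generated the key.
type Record struct {
	Pub  *rsa.PublicKey
	Priv *rsa.PrivateKey
}

// Enroll registers a device; providerGenerated means the middleware mints the pair and keeps the private half (the BES/BIS case above).
func Enroll(ks map[string]Record, device string, providerGenerated bool) (*rsa.PrivateKey, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ks[device] = Record{Pub: &k.PublicKey} // device-generated: server sees only the public key
	if providerGenerated {
		ks[device] = Record{Pub: &k.PublicKey, Priv: k} // server-side key generation leaves a copy behind
	}
	return k, nil
}

// Encrypt to a recipient with the public key held in the provider's directory.
func Encrypt(ks map[string]Record, to string, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, ks[to].Pub, msg, nil)
}

// SeizedServerDecrypt models a seized server copy: plaintext only where the private key was stored server-side.
func SeizedServerDecrypt(ks map[string]Record, to string, ct []byte) ([]byte, bool) {
	if k := ks[to].Priv; k != nil {
		pt, err := rsa.DecryptOAEP(sha256.New(), nil, k, ct, nil)
		return pt, err == nil
	}
	return nil, false
}

func main() {
	ks := map[string]Record{}
	Enroll(ks, "escrowed", true) // provider-generated key, as on the page
	ct, _ := Encrypt(ks, "escrowed", []byte("hello"))
	_, leaked := SeizedServerDecrypt(ks, "escrowed", ct)
	fmt.Println("readable from seized servers:", leaked) // true; a device-generated key gives false
}
```

Only the enrollment flow differs between the two cases; the cipher, key size and message path are identical, which is the sense in which PGP itself was not the point of failure.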
After one data raid, carried out in cooperation with the City of Toronto, the Canadian and Dutch police forces now have access to a treasure trove of criminal communication: 7 TB of data, comprising 3.6 million previously encrypted messages:
“The data comes from computer servers in Canada that were seized on April 19, 2016 and copied at the request of the National Office of the Public Prosecutor. These servers were used by the Dutch company Ennetcom, the leading provider of encrypted communication to criminals in the Netherlands, with retail outlets in Western Europe and South America.” – Openbaar Ministerie press release (translated from the original Dutch)
We’ve Seen This Before – Commercial Centralized Trust at Fault, Not PGP
For those with a keen interest in OpSec and encryption, this should harken back to the days of Lavabit and Silk Road 1.0. Law enforcement can’t target the security and privacy technologies themselves (at least in most cases), so they go after the people selling them. The people, and their companies, tend to be far more fallible. The takeaway, for criminals and upstanding citizens alike, should not be that PGP encryption is unreliable, but that trusting your security to a commercial enterprise is. “Your OpSec, your keys, your responsibility” should be the mantra of those who concern themselves with what they let out into the wild blue yonder of the worldwide web.
People will speculate on the legality of accessing this information, and on whether mass surveillance played a role in building this case. One fact remains: widespread snooping or no, nothing will save you from bad security practices, and trustless, decentralized systems are more important than ever in preserving individual privacy on the internet. Even developed nations are reluctant to respect (or in some cases recognize) the right to privacy. This leaves the responsibility squarely in the hands of the reader.
How much of your daily communication privacy do you entrust to private companies? Are you likely to change that? Let’s hear your thoughts.
Image via: Ennetcom