> The Serbian criminals shared photos of their victims on Sky without realizing police had installed a probe on the Sky ECC servers in France, which allowed authorities to intercept and read every user’s messages.
I'm surprised criminals keep picking these niche messaging services, which keep turning out not to use proper end to end encryption, rather than Signal.
I believe I once read that back in the day, Al-Qaeda decided that AES and the like was probably compromised because it was made by the infidels, and launched their own "Islamic secure messenger" with an encryption algorithm their people had designed themselves.
This is not only terrible from a "let's get the list of all accounts who downloaded this app and perhaps track their phones" perspective, but also the encryption turned out to be exactly as good as you might have guessed.
Just a fun aside: Islam is responsible for the foundations of algebra and the al in algorithm is of the same Arabic root.
I'm not an Imam but I feel like if someone wanted to justify using a Western created algorithm they could just say "well technically this is just built on our initial work"
How could any group of one thousand people be truly safe? Of course they would get infiltrated. Groups who want to survive being hunted kinda have to either be smaller, or divide themselves into cells.
I think these are the criminals that don't know the concept of local encryption vs encryption services, multiple serial encryptions, subjective "in" euphemisms, or other obfuscation of clear payload.
I guess you didn't really read the article so I'll put it here:
> They intercepted one billion messages, but they couldn't read them at first because they were encrypted. It wasn’t until late 2020 that they managed to decrypt them.
The article is extremely vague on how they did this. The one big red flag though is that the protocol for the messenger in the article was a bespoke secret design by a single person who wasn't a cryptographer and not a well vetted public one.
I would love to see a technical analysis of the supposed end-to-end encryption methodology used here.
I have thoughts and feelings about a lot of this, but the part that stands out to me is LE folks intentionally working with agents out of their jurisdiction to circumvent the laws in their own jurisdiction.
You want to talk about unethical behaviour? That sounds borderline like a poison tree to me.
The only practical check acting against the whims of these agencies is that if they do things that are too horrible the resulting public perception will be bad for the career advancement prospects of the top ranks who want to move into politics, where optics matter.
> His father designed the data encryption algorithm.
> “My dad's a genius,” said Eap. “It had the highest level of encryption available.”
> Not only did Sky ECC provide end-to-end encryption, like Whatsapp or Signal, but unlike those free apps, it also redirected the data on its own secure network.
This was the basis for users to think the system was secure? Seriously!?!
I'm reminded of the saying 'don't roll your own crypto'. Obviously the authorities were able to crack the crypto, probably at multiple points.
> This was the basis for users to think the system was secure? Seriously!?!
Charisma and similar flavours of "trust me bro" work more than reasonable people would anticipate. See every pseudo science and conspiracy theory ever. Cryptography is no exception.
Pretty ironic that they got caught after going out of their way to buy secure phones and use secure messaging services when an off-the-shelf iPhone and Whatsapp/Signal/Telegram would have made them 100% untraceable.
One of the features the phones had was that they could be remotely deleted and were locked down to prevent other apps on them. So an off the shelf iphone with signal is going to be vulnerable to having the device itself hacked via text message, bluetooth, or something else in a way the Sky ECC phones theoretically can't be, so it's not necessarily a slam dunk.
Probably Signal would have been a safe bet. Telegram doesn't do encryption by default (on group messages? Been a year or two since I've used it). And Facebook complies with law enforcement agencies, and I don't think it's unreasonable for them to have feature flags to selectively and transparently disable encryption for some participants if need be.
Facebook certainly likes to at least have the sense to know what you are conversing about. Sometime in 2016 my buddy abroad and I got our accounts frozen "due to security reasons" at the exact same time; what we were doing was having fun with FB Messenger and sending each other PGP-encrypted messages. This lasted about 2 months and my buddy is Egyptian, so I am pretty sure at some point FB said "we don't know what they chat about and enough is enough". I got my account recovered after multiple layers of verification, including a video call to hold up my ID done by a third party ... my friend never got his reinstated.
I suppose the hope is that if relatively good people, maybe bad actors but with certain limits, get exposed to, or inadvertently given, the "opportunity" to be involved in higher orders of magnitude of bad - that they may then act as a light that helps create cracks in the armour to expose such horrific behaviour?
If you enjoy this story, read the book Dark Wire, which focuses on the FBI’s infiltration of Anom, another encrypted message service. It also covers Sky briefly. Fascinating story.
> In 2011, Eap started developing an encrypted messaging system with the help of his father, who holds a master’s degree in computer science from Simon Fraser University in Burnaby, B.C. The app was initially designed for BlackBerry phones and later made available for iPhones.
> His father designed the data encryption algorithm.
> “My dad's a genius,” said Eap. “It had the highest level of encryption available.”
It's hard to imagine that this level of ignorance wasn't intentional from the beginning.
"My dad's a genius" because you're not supposed to rely on genius to make a good crypto system, and also because it makes Eap sound like he has absolutely zero knowledge on the subject.
"highest level of encryption available" because there's a fairly low floor above which it's all uncrackable anyway (ChaCha20 + BLAKE2B authenticated encryption, and Curve448 + post quantum winners for the public stuff, should go beyond total overkill).
I don't believe it was intentional though. I'm just out of a quick job implementing SSCPv2 (encryption over RS485 to secure communication between card readers and a central computer, typically used to secure buildings). Good specs, fairly good separation between cryptography and business logic, and as far as I could tell the crypto isn't broken… but it is quite old school: AES CBC + HMAC SHA256, using MAC then encrypt. https://moxie.org/2011/12/13/the-cryptographic-doom-principl... And while I think my implementation is okay, I did have to pay special attention to specific traps arising from this design, and to be honest wouldn't bet my life on having ironed out all possible timing attacks.
SSCPv2 was almost certainly designed after 2020, but it took from books from 2005. Good books for their time, but a bit dated unfortunately. I'm pretty sure no actual cryptographer was involved. If there were, they would almost certainly have used a standard authenticated encryption scheme like AES GCM, or ChaPoly (RFC 8439), they would have authenticated the unencrypted header, and provided an even better separation between crypto and business logic.
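The encrypt-then-MAC layout that comment contrasts with SSCPv2's MAC-then-encrypt, as an added Go example (not code from the thread or from SSCPv2; the frame layout, header handling and key names are assumptions): the HMAC-SHA256 tag covers the header, IV and ciphertext, and the receiver checks it in constant time before anything is decrypted or a padding byte is inspected.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"io"
)

// Seal: header || iv || AES-CBC(plaintext) || HMAC-SHA256 over all of it
// (encrypt-then-MAC, header authenticated). Constructed framing, not
// SSCPv2's real wire format; block and macKey must come from independent keys.
func Seal(block cipher.Block, macKey, header, plaintext []byte) ([]byte, error) {
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7, always 1..16
	buf := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(buf, buf) // encrypt in place
	out := append(append(append([]byte{}, header...), iv...), buf...)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(out)
	return mac.Sum(out), nil // tag appended last
}

// Open verifies the tag in constant time before any decryption, so a forged
// or bit-flipped frame never reaches CBC or the padding check (no padding oracle).
func Open(block cipher.Block, macKey []byte, hdrLen int, msg []byte) ([]byte, error) {
	n := len(msg) - sha256.Size
	if n < hdrLen+2*aes.BlockSize || (n-hdrLen)%aes.BlockSize != 0 {
		return nil, errors.New("malformed frame")
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write(msg[:n])
	if !hmac.Equal(msg[n:], mac.Sum(nil)) {
		return nil, errors.New("authentication failed")
	}
	pt := append([]byte{}, msg[hdrLen+aes.BlockSize:n]...)
	cipher.NewCBCDecrypter(block, msg[hdrLen:hdrLen+aes.BlockSize]).CryptBlocks(pt, pt)
	if pad := int(pt[len(pt)-1]); pad >= 1 && pad <= aes.BlockSize { // already authenticated
		return pt[:len(pt)-pad], nil
	}
	return nil, errors.New("bad padding")
}

func main() {}
```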
For this one however this seems to be the case? The wording of the article isn't crystal clear, but it looks like the cops took control of the servers, and decrypted messages from there. So either the messages weren't truly end-to-end encrypted, or the encryption truly was broken.
> Not only did Sky ECC provide end-to-end encryption, like Whatsapp or Signal, but unlike those free apps, it also redirected the data on its own secure network.
So how were the messages intercepted if e2e encryption is used?
I’ve seen it before—a SaaS claiming to offer end-to-end encryption simply because it uses HTTPS/SSL for communication between the client and server. It’s laughable, but the lack of clear regulations or standards defining E2E encryption lets them get away with treating the client and server as the “ends.”
Not sure if that’s what happened here but it wouldn’t surprise me.
No e2e is going to help you if you invite the cops to your group chat I guess.
Because social engineering is the foundation of hacking. Not technology.
- Run a basic script to disable app installs, phone calls and some other features.
- Never update the OS. Don't do any security patching.
- Write your own encrypted messaging app with your own crypto. Don't get any external reviews or audits.
- Resell this as a Sky ECC phone with some marketing dollars labeling it as "secure" and "private".
What do you think is more hackable, this or a regular iPhone/Samsung Galaxy/Pixel?
Remote wipe is provided by both Android and iPhone iirc even to end users.
On a stock Android phone, a knowledgeable user could already remove a bunch of stock apps.
End to end encryption is available for one-to-one conversations, but must be turned on manually.
https://www.hachettebookgroup.com/titles/joseph-cox/dark-wir...
https://darknetdiaries.com/transcript/146/
Truly fascinating story
https://www.youtube.com/watch?v=uFyk5UOyNqI
https://youtu.be/uFyk5UOyNqI?si=i-GtpeCR1QEj69cz