Australian cops, FBI created backdoored chat app, told crims it was secure – then snooped on 9,000 users' plots - The Register


Posted: 07 Jun 2021 06:53 PM PDT

The Australian Federal Police (AFP) has revealed it was able to decrypt messages sent on a supposedly secure messaging app that was seeded into the criminal underworld and promoted as providing snoop-proof comms.

The app was in fact secretly built by the FBI, and designed to allow law enforcement to tune into conversations between about 9,000 users scattered around Earth.

Results in Australia alone have included over 500 warrants executed, 200-plus arrests, the seizure of AU$45m and 3.7 tonnes of drugs, and the prevention of a credible threat to murder a family of five. Over 4,000 AFP officers were involved in raids overnight, Australian time. Europol and the FBI will detail their use of the app in the coming hours.

The existence of the app — part of Operation Ironside, which quietly began three years ago — was revealed at a press conference in Australia today, where AFP commissioner Reece Kershaw said that, during informal meetings over beers, members of the AFP and the FBI cooked up the idea of creating a backdoored app. The idea built on previous such efforts, such as the Phantom Secure platform.

The app, called AN0M, was seeded into the organised crime community. The software would only run on smartphones specially modified so that they could not make calls nor send emails. These handsets were sold on the black market between criminals as secure messaging tools. The app would only communicate with other AN0M-equipped phones, and required payment of a monthly fee.

"We were able to see every handset that was handed out and attribute it to individuals," Kershaw said.

"Criminals needed to know a criminal to get a device," reads the AFP's announcement of the operation. "The devices organically circulated and grew in popularity among criminals, who were confident of the legitimacy of the app because high-profile organised crime figures vouched for its integrity."

But the software had a backdoor. Commissioner Kershaw said the organisation he leads "provided a technical capability to decrypt the messages," and that as a result his force, the FBI, and Europol were able to observe communications among criminals in plain text.

"All they talk about is drugs and violence," Kershaw said. "There was no attempt to hide behind any kind of codified information." Intercepts included comments about planned murders and information about where and when speedboats would appear to shift contraband.

Kershaw said the surveillance enabled by the app is legal under the terms of Australia's Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018. Law enforcement agencies in other jurisdictions also had legal cover for their use of the software.

However, some of those authorities were set to expire. That, and an operational decision to end the operation due to the opportunity to act on intelligence gathered using AN0M, led to today's disclosures.

AN0M gave us insights we never had before

"The use of encrypted apps represents significant challenges," Kershaw said. "AN0M gave us insights we never had before."

The commissioner acknowledged that criminals will now adjust their behaviour as a result of this news, but suggested the AFP is working to develop similar capabilities. "This was a small platform. We know there are bigger ones. We will ensure we have the technology to disrupt criminals."

FBI International Operations Division legal attaché for Australia Anthony Russo offered similar comments, saying: "Criminals should be on notice that law enforcement are resolute to continue to evolve our capabilities."

Kershaw somewhat smugly suggested that organised crime will take a while to bounce back from this operation, as intercepts of AN0M conversations suggest that arrests made before the app was revealed have sparked internecine warfare and revenge plots.

By the way, it turns out someone was able to figure out the FBI's ruse in March this year, though they thought the software had been backdoored by its makers and not the Feds. A blog post describing the workings of the code was later deleted. ®

Cryptography whizz Phil Zimmermann looks back at 30 years of Pretty Good Privacy - The Register

Posted: 08 Jun 2021 10:01 AM PDT

Encryption and verification package Pretty Good Privacy (PGP) has celebrated a troubled 30 years of securing secrets and giving cypherpunks an excuse to meet in person, with original developer and security specialist Phil Zimmermann toasting a world where encryption is common but, he warns, still under threat.

"It was on this day (6 June) in 1991 that Pretty Good Privacy was uploaded to the Internet," Zimmermann wrote in a piece published over the weekend. "I had sent it to a couple of my friends for distribution the day before. This set in motion a decade of struggle to end the US export controls on strong cryptographic software.

"I became the target of a criminal investigation for violating the Arms Export Control Act by allowing PGP to spread around the world. This further propelled PGP's popularity. The government dropped the investigation in early 1996, but the policy debate raged on, until the US export restrictions finally collapsed in 2000. PGP ignited the decade of the Crypto Wars, resulting in all the western democracies dropping their restrictions on the use of strong cryptography. It was a storied and thrilling decade, and a triumph of activism for the right to have a private conversation."

PGP's workaround for these export restrictions, the US International Traffic in Arms Regulations (ITAR), is storied. Realising that the nation enjoyed a constitutional right to free speech which extended to published work, the source code was published as a printed book – a protected work under the 1st Amendment to the US Constitution – and distributed abroad, where it was scanned through an optical character recognition system and compiled into a freely distributable international variant.

Hungry hungry mergers and acquisitions

Following the end of the criminal investigation into Zimmermann, the PGP team set up PGP Inc. which was quickly gobbled up by security specialist Network Associates Inc. (originally McAfee, then Intel Security, and now McAfee once more) in 1997. The feature set of PGP grew quickly, but Zimmermann grew disillusioned and parted ways with the company in 2001 before Network Associates put its PGP assets up for sale.

While there were definite fears that PGP would die a death in limbo, those assets became PGP Corporation in 2002, with Zimmermann taking the role of social advisor and consultant. PGP Corporation would in turn be swallowed by Symantec in 2010.

Despite concerns about its usability and a handful of security concerns – though never truly broken – the core technology introduced in PGP 1.0 remains very much alive among everyone from privacy enthusiasts and cypherpunks to CESG, the cybersecurity division of UK spy agency GCHQ – when it works, at least.

Three decades on, the battles remain

"Here we are, three decades later, and strong crypto is everywhere," wrote Zimmermann on the day of PGP's 30th anniversary. "What was glamorous in the 1990s is now mundane. So much has changed in those decades. That's a long time in dog years and technology years. My own work shifted to end-to-end secure telephony and text messaging. We now have ubiquitous strong crypto in our browsers, in VPNs, in e-commerce and banking apps, in IoT products, in disk encryption, in the TOR network, in cryptocurrencies. And in a resurgence of implementations of the OpenPGP protocol. It would seem impossible to put this toothpaste back in the tube.

"Yet, we now see a number of governments trying to do exactly that. Pushing back against end-to-end encryption. We see it in Australia, the UK, the US, and other liberal democracies. Twenty years after we all thought we won the Crypto Wars. Do we have to mobilise again? Veterans of the Crypto Wars may have trouble fitting into their old uniforms. Remember that scene in The Incredibles when Mr. Incredible tries to squeeze into his old costume? We are going to need fresh troops."

Zimmermann's retrospective indicated a need for defence on a range of fronts – from "ordinary citizens and grass-roots political opposition groups" to those who can "push back hard in policy space" – though stopped short of a full call to arms. PGP itself, meanwhile, is now most commonly used in tools adhering to the OpenPGP specification, an email-focused standard under the stewardship of the OpenPGP Alliance, founded by Zimmermann himself back in 2001. ®
