EncroChat Secure chat service. Can your chat be hacked?
Can your chat be hacked? EncroChat Secure chat service claimed it could not be broken into. Let’s take a look at how it’s done and what to do to stay protected. Fortunately, for the average user it’s not quite that easy to do, but with enough effort, skill and resources — it’s very much possible! Using a secure chat service is the first step, but which one to choose? You may have heard of the recent fall of EncroChat that was used by many questionable individuals to conduct their criminal activities undetected, carefully hiding from the ever-growing ears and eyes of the government-operated surveillance networks.
Hacking secure communications
It is known that out of the 60,000 users of the encrypted chat service, around 10,000 active users were linked to the UK, which initiated joint cooperation between the UK’s NCA and Europol. To the great surprise of the users, who had been reassured that the service was super-secure, the law enforcement task force managed to find a way to hack the unhackable.
When a chat service does everything right
EncroChat did everything right, using only their own custom, Spanish-built BQ Aquaris X2 Pro devices with a bespoke dual operating system: standard Android for the casual public view, and a hidden OS with heavily customized privacy settings and all potential hardware leaks, such as GPS, camera, microphone and USB, fully disabled.
EncroChat secure chat service security features
The features are reassuring and let’s be frank — quite impressive:
- State-of-the-art forward secrecy (every message with each contact is encrypted with a different set of keys. Cracking a set of keys would result only in a small number of individually decrypted messages)
- Ultra-high encryption standard (an RSA+AES pair of algorithms is used to ensure both that brute-force cracking of keys is virtually impossible and that a potential exploit against one algorithm will not suffice to get through the other)
- Incorrect password device wipe (after a set of failed password attempts, the device is completely wiped)
- Anonymous SIM (pre-paid and pre-loaded SIM card does not link to the customer)
- FIPS 140-2 certified hardware (impossible to mount and access storage memory independently)
- Panic wipe and remote reset (specific PIN or remote command instantly wipes the device)
- Self-destructing messages (optional timer for each sent and received message)
- Plausible deniability via hidden OS (enables users to deny knowledge of encrypted data as its existence can’t be easily proven)
The list goes on, but these are the major security features that should (and often do) make the system impenetrable. As such, the devices and the network are desirable not only to criminals but also to celebrities, royals and high net worth individuals that take their privacy more seriously.
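As an added illustration (not EncroChat’s protocol and not code from the original article), the Python sketch below shows the per-message-key idea behind the forward secrecy bullet, using a generic HMAC-SHA256 key chain. The root secret, the labels and all function names are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed root secret for the demo; a real session derives it from a key exchange.
ROOT = hashlib.sha256(b"constructed demo root secret").digest()

def kdf(key: bytes, label: bytes) -> bytes:
    """One-way step: HMAC-SHA256 keyed with the current chain key."""
    return hmac.new(key, label, hashlib.sha256).digest()

def ratchet(chain_key: bytes):
    """Return (message_key, next_chain_key); the old chain key is then discarded."""
    return kdf(chain_key, b"msg"), kdf(chain_key, b"chain")

def message_keys(chain_key: bytes, count: int):
    """Derive `count` consecutive per-message keys starting from chain_key."""
    keys = []
    for _ in range(count):
        mk, chain_key = ratchet(chain_key)
        keys.append(mk)
    return keys

def chain_key_at(root: bytes, index: int) -> bytes:
    """Chain key state just before message `index` is sent."""
    for _ in range(index):
        _, root = ratchet(root)
    return root

def exposed_by_message_key(root: bytes, index: int, total: int):
    """Message indices readable by someone holding only message key `index`."""
    real = message_keys(root, total)
    leaked = real[index]
    # The attacker may also try the leaked key as if it were a chain key.
    guesses = {leaked, *message_keys(leaked, total)}
    return [i for i, k in enumerate(real) if k in guesses]

def exposed_by_chain_key(root: bytes, index: int, total: int):
    """Message indices readable by someone who captures chain state at `index`."""
    real = message_keys(root, total)
    derivable = set(message_keys(chain_key_at(root, index), total - index))
    return [i for i, k in enumerate(real) if k in derivable]

if __name__ == "__main__":
    print(exposed_by_message_key(ROOT, 3, 6))  # a single message
    print(exposed_by_chain_key(ROOT, 3, 6))    # that message and later ones, none earlier
```

A single leaked message key opens one message, while captured chain state in this simple chain opens that message and everything after it, which is why real designs also mix fresh key-exchange output into the chain. None of this protects messages that are read on a compromised endpoint.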
Secure chat service alternatives
You are perhaps aware of some of the super-secure-chat alternatives, like the now dismantled Phantom Secure. My favorite, Wickr, offers both personal and enterprise solutions to legitimate users, and there is the rather elusive Silent Phone, with more focus on voice and video communication.
In the modern era of newspapers hacking the phones of celebrities to acquire gossip material, industrial espionage between companies to gain competitive advantage, and private investigators eavesdropping on persons of interest, it is only a matter of time before your data ends up in the wrong hands, unless you take at least some precautions.
WhatsApp, Viber, WeChat, Messenger, Telegram?
Are the ultra-secure chat services what they claim to be? Where do these solutions leave the likes of WhatsApp, Viber, WeChat, Telegram? Excellent question.
Naturally, the dust comes to mind! However, it’s not quite as bad if you stay mindful of a few best practices. I will explore the security of mainstream chat apps in our next article and highlight a handful of tricks everyone could benefit from if privacy is a concern.
Hacking EncroChat’s sophisticated security
What really happened with the super-secure chat app EncroChat? The joint law enforcement task force infiltrated the backend servers and the hosting infrastructure of EncroChat in France. They claim to have installed a RAT device that listened in on every conversation exchange. There are two hypotheses:
- The encryption secret/salt was too weak or was reused across password or message hashes, the encryption keys to the database or backups were stored on the servers, or it was possible to extract them from the phone devices, allowing law enforcement to gain access to new messages by reverse-engineering the old ones from confiscated phones.
- The developers of the secure chat or the owners of the company ended up cutting a deal with prosecutors in order to retain their freedom when the whole thing would come crashing down.
Plausible deniability in the real world
When the police discovered a number of identical-looking phones in 2016 and interrogated a handful of criminals, they put two and two together and realized that the underworld was evolving: it is not only the DarkNet and the Tor network that are thriving grounds for illegal activities, but also specific apps and devices that are readily available to the bad guys.
In reality, plausible deniability in data storage works only if the adversary doesn’t know that an ‘alternative data set’ exists. The commercial existence of a specific device with that feature partially defeats the primary purpose of the data being hidden. If the existence of a ‘hidden container’ can be detected, the owner can be tricked or forced to reveal it. (More on Phishing next time).
Weaknesses of TrueCrypt
This was also one of the weaknesses of the infamous TrueCrypt, a free cross-platform encryption program that was widely used to encrypt all sensitive information for many years, especially after Edward Snowden promoted its use during his presentations. TrueCrypt was challenging the well-established commercial PGP suite for the number one spot in encryption software, until the Open Source community put unprecedented pressure on the authors to audit the partially obfuscated code.
The rise of VeraCrypt
Long story short — the authors have disappeared and the project got shut down, leaving a lot of room for conspiracy theories about which government agency was behind funding the project and leaving backdoors in the software. Luckily, for the privacy-conscious (e.g. you and me), the cryptographic community didn’t give up and a new/old fork VeraCrypt got well-deserved attention and support.
My final thoughts on secure communications
Secure chat service? There are various options and approaches. Here at HelpDesk Heroes, we keep abreast of the latest technologies and security developments to be able to recommend the best available service that fits each client’s individual needs. Whether you prefer convenience and ease of use to security and privacy or you are crazy paranoid about what could leak and where — we have a solution and a recommendation for you. When you are protecting your business the approach may be slightly different as the emphasis is likely to be more on collaboration.
Our security experts assess your situation and offer a bespoke recommendation; there is no such thing as one size fits all when it comes to security. If you need help with your personal data protection, it is beneficial to keep the relevance to business in mind as well, especially if you use the same device to access both realms. Data encryption is crucial whether you store your business transactions in the Cloud or you just want to save a backup of your family photos on a portable hard drive.
Secure chat service — tips & tricks
I believe in a reasonable balance — being super cautious will take a lot of time while being careless will put you in danger. Assess your most valuable data assets and create a hierarchy of importance and sensitivity. Review again and reach out to us for tips on how to handle your data securely.