Slashdot Mirror


Police Decrypt 258,000 Messages After Breaking Pricey IronChat Crypto App (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Police in the Netherlands said they decrypted more than 258,000 messages sent using IronChat, an app billed as providing end-to-end encryption that was endorsed by National Security Agency leaker Edward Snowden. In a statement published Tuesday, Dutch police said officers achieved a "breakthrough in the interception and decryption of encrypted communication" in an investigation into money laundering. The encrypted messages, according to the statement, were sent by IronChat, an app that runs on a device that cost thousands of dollars and could send only text messages.

"Criminals thought they could safely communicate with so-called crypto phones which used the application IronChat," Tuesday's statement said. "Police experts in the east of the Netherlands have succeeded in gaining access to this communication. As a result, the police have been able to watch live the communication between criminals for some time." Blackbox-security.com, the site selling IronChat and IronPhone, quoted Snowden as saying: "I use PGP to say hi and hello, i use IronChat (OTR) to have a serious conversation," according to Web archives. Whether the endorsement was authentic or not wasn't immediately known. The site has been seized by Dutch police.


  1. Paid Product Endorsement? by Camel+Pilot · · Score: 4, Insightful

    "I use PGP to say hi and hello, i use IronChat (OTR) to have a serious conversation,"

    Sure sounds like a paid product endorsement....

    1. Re:Paid Product Endorsement? by Anonymous Coward · · Score: 5, Funny

      "Exactly, who the fuck is quoting me? And why do I look so fucking pale in all the paintings?" - Jesus of Nazareth

    2. Re: Paid Product Endorsement? by reanjr · · Score: 4, Insightful

      I think what probably happened is Snowden was talking about the OTR protocol, and not a particular product and the marketurds twisted his words with their ignorant/malicious misquotation.

    3. Re: Paid Product Endorsement? by karmatic · · Score: 2

      This is a common problem, and can also be accomplished by getting a rogue employee in, getting a backdoor in version control that eventually gets pushed, or stealing developer credentials.

      That's why the crypto hardware my company is working on has a four part process. To do an update, we first have to sign the firmware. Next, a third party code audit company has to countersign after auditing any changes and building their own identical build. Next, the customer must use their admin credential and upgrade PIN. This wipes all the key material from the HSM. Finally, it must be physically placed into a USB port on the machine.

      We also have a HSM controlled counter in every firmware we sign, so it's not like we could hide any nefarious builds without customers noticing we never released firmware number X.

      We really don't want to get beaten by pipes.
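
The device-side checks implied by the update process in the comment above, as an added example that is not part of the original post and not that company's code: a vendor signature, an auditor countersignature over an independently rebuilt image, and a release counter whose gaps reveal unreleased builds. The key names and manifest fields are hypothetical, HMAC-SHA256 stands in for the asymmetric signatures a real device would verify, and the customer PIN and physical USB steps are not modelled.

```python
import hashlib
import hmac

# Constructed demo keys. HMAC-SHA256 is a stand-in for asymmetric signatures
# that a real device would verify against public keys held in its HSM.
VENDOR_KEY = b"constructed-vendor-key"
AUDITOR_KEY = b"constructed-auditor-key"


def sign(key: bytes, counter: int, image_hash: bytes) -> bytes:
    """Sign the release counter together with the image hash."""
    msg = counter.to_bytes(8, "big") + image_hash
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_manifest(counter: int, vendor_image: bytes, auditor_image: bytes) -> dict:
    """Vendor signs its build; the auditor signs the hash of its own rebuild."""
    v_hash = hashlib.sha256(vendor_image).digest()
    a_hash = hashlib.sha256(auditor_image).digest()
    return {
        "counter": counter,
        "vendor_hash": v_hash,
        "auditor_hash": a_hash,
        "vendor_sig": sign(VENDOR_KEY, counter, v_hash),
        "auditor_sig": sign(AUDITOR_KEY, counter, a_hash),
    }


def check_update(manifest: dict, image: bytes, last_counter: int) -> list:
    """Return the reasons to reject an update; an empty list means accept."""
    problems = []
    counter = manifest["counter"]
    if hashlib.sha256(image).digest() != manifest["vendor_hash"]:
        problems.append("image does not match signed hash")
    expected_vendor = sign(VENDOR_KEY, counter, manifest["vendor_hash"])
    if not hmac.compare_digest(manifest["vendor_sig"], expected_vendor):
        problems.append("bad vendor signature")
    expected_auditor = sign(AUDITOR_KEY, counter, manifest["auditor_hash"])
    if not hmac.compare_digest(manifest["auditor_sig"], expected_auditor):
        problems.append("bad auditor countersignature")
    if manifest["auditor_hash"] != manifest["vendor_hash"]:
        problems.append("auditor rebuild differs from vendor build")
    if counter <= last_counter:
        problems.append("counter replayed or rolled back")
    elif counter != last_counter + 1:
        first, last = last_counter + 1, counter - 1
        problems.append(f"counter gap: builds {first}..{last} not seen by this device")
    return problems
```
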

  2. Extremely thin on useful detail by Srin+Tuar · · Score: 4, Interesting

    This is likely just a fairly amateurish security protocol implementation sold at inflated prices to people flush with cash.

    It's really not all that hard to do secure communications... if actual criminals used something called "ironchat" they deserve what they got.

    1. Re:Extremely thin on useful detail by fred911 · · Score: 2

      "used something called "ironchat" they deserve what they got."

      Exactly! It would have been much cheaper, and just as secure to use triple ROT13. Cause it's 3x betterer.

      --
      09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2

    2. Re:Extremely thin on useful detail by AHuxley · · Score: 4, Interesting

      AC humans would start looking at other humans as the police issue. A news report that tells everyone that it was computers makes that deep search go away.
      Police informants deep in criminal networks are safe as everyone thinks it was the computers.

      Informants that stay in place can then report on the next use of crypto.

      --
      Domestic spying is now "Benign Information Gathering"

    3. Re:Extremely thin on useful detail by Zaelath · · Score: 5, Informative

      Rather succinctly explained in the release from the Police:

      We stopped the operation because we became aware that criminals were starting to suspect each other of leaking information to the police. This was causing safety risks. That’s why now we make clear that it was us acting upon information from the chats.

    4. Re: Extremely thin on useful detail by Harlequin80 · · Score: 3, Insightful

      Just because someone is a crook doesn't mean it's ok to step over their dead bodies to stop them.

      The information the police were obtaining causes the crims to suspect and then kill / harm each other. The police determined that the risks of death / injury to the people involved in or around the criminal activities exceed the rewards.

    5. Re:Extremely thin on useful detail by goose-incarnated · · Score: 2

      "used something called "ironchat" they deserve what they got."

      Exactly! It would have been much cheaper, and just as secure to use triple ROT13. Cause it's 3x betterer.

      I prefer the Rotweiller13 encrypted comms: the message is transmitted via a sled pulled by 13 extremely hungry rotweillers.

      *Lag is horrible and distance can become a problem. YMMV (literally).

      --
      I'm a minority race. Save your vitriol for white people.

    6. Re:Extremely thin on useful detail by ripvlan · · Score: 2

      I see it several ways.

      1) maybe they can't crack it - so everybody move to another one that they can break.
      2) maybe they want to see Who moves - and that is telling
      3) I'm surprised they didn't say "gosh we can't break this other Secure Chat App" :-)

  3. Brilliant by nehumanuscrede · · Score: 2

    If there was any chance of listening to future conversations between parties using Iron Chat, this announcement just blew that right out of the water.

    The folks who wish to talk via encrypted channels will now simply change their method of communication.
    It could be another commercial app, a homebrew one or just go all old school and do things the way it was done before the era of smartphones.

    It could also be complete bullshit on the part of the Police in an attempt to get folks to quit using it :D

    1. Re:Brilliant by AmiMoJo · · Score: 5, Insightful

      They couldn't keep it secret for very long because they would have to present the intercepted messages in court eventually.

      It appears that weaknesses in the app are to blame here. It was a poorly designed app, basically snake oil.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    2. Re:Brilliant by MtHuurne · · Score: 2

      It was on the news here: the police announced it at this moment on purpose, because several people getting arrested recently made other criminals suspect someone in their midst was leaking to the police and they were planning violent actions against them.

    3. Re:Brilliant by Highdude702 · · Score: 2, Interesting

      You apparently don't understand the underworld.. They would have been killed, not beaten up.. I'm no longer a criminal but I still despise rats. If you do a crime and get caught for it shut the fuck up and do your time don't rat someone else out that was smart enough to not get caught because you're a fuck up. The rats deserve to die. I've seen police let violent offenders who have ratted go free and lock up the drug dealer (weed) for years because the violent person turned state.

    4. Re:Brilliant by farble1670 · · Score: 2

      You apparently don't understand the underworld

      You're right, we don't.

      If you do a crime and get caught for it shut the fuck up and do your time don't rat someone else out

      In law there is something called the Clean Hands Doctrine that can be fit here. In a nutshell it says that if your hands are dirty, you are not entitled to a fair outcome.

  4. Snowden mentioned OTR in the past by jelwell · · Score: 2

    Pretty sure that quote is only half true. Snowden has mentioned OTR in the past. I doubt he specified IronChat.
    Joseph Elwell.

  5. Re:They seized the site by darronb · · Score: 5, Interesting

    A trojaned version of the app is also a good possibility. They could have quietly taken control of the site, changed the app to push the keys back to them, etc. Sure that's beyond a typical police department but with any agency help it's totally doable.

    You don't have to be incompetent to get a gag order and have your stuff compromised like that.

  6. The police did not break anything by ffkom · · Score: 2

    They just fetched keys from the central service provider, and given that this crappy app never implemented actual end-to-end encryption, that was enough to decrypt the messages.

    Seriously, criminals stupid enough to rely on proprietary, centralized messenger services deserve to get jailed for that alone.

  7. Re:They seized the site by gnasher719 · · Score: 2

    It's not end-to-end if the service provider / middleman is providing or transmitting the keys. The key should be exchanged via an entirely different and unrelated channel of communications.

    You would be right if the purpose of the app was to provide secure communications. It wasn't. The purpose was to make money from criminals that are willing to pay for an application where they _believe_ they get secure communications.