On June 13, tens of thousands of EncroChat users received an alert on their mobile: “We have been infiltrated by government entities,” it said. “We advise you to turn off the device and get rid of it immediately.” The recommendation to destroy your device is not a common type of notification for mobile users. But EncroChat was not a normal app either.
EncroChat sold encrypted and anonymous communication through an encrypted mobile and a messaging application. In an operation lasting at least three years by the French and Dutch police, with the collaboration of others (including the Spanish police), the authorities managed to infiltrate its system: “This is one of the largest providers of encrypted digital communication with a high percentage of users allegedly engaged in criminal activity,” says the Europol press release that revealed the police work. Spain was one of the five countries with the most mobile phones of the brand, according to the press release from the French authorities.
“A team of more than 500 people has worked in Operation Venetic day and night, with thousands more agents watching,” said Nikki Holland, director of investigations for the British National Crime Agency. It was clearly not just any operation: “It has been the most extensive and profound operation in the United Kingdom against great organized crime, infiltration has been like having one person within each criminal group,” she added. British police have arrested 746 suspects and seized more than €50 million in cash and more than two tonnes of drugs.
EL PAÍS has spoken with an EncroChat mobile distributor in Spain. The sale of encrypted phones is legal: “They say they are the phones of the drug traffickers, but there is everything. I have sold these phones to people in suits and ties, judges, lawyers or police,” he explains after requesting anonymity to speak freely about this company, which owes him money. There are many possible profiles of people who want to protect their communications from rivals, enemies, or the government.
EncroChat promised not only that messages were impossible to intercept, but also that they were not linked to any identity. The mobile was not tied to an identity through the SIM, the IMEI (the device identifier) or other accounts that the user might have on the phone. Nor was it tied to the buyer's ID: “It was all in black, there is no invoice for anything, I did not need to know the names,” says the distributor. “Nicknames were used for users: black dog, cold beer, darthvader, kawasaki, the system gave them to you randomly or you could ask for them and if they were not caught they would give it to you. Do you want to call yourself a black fox? I look in the database and if it is caught, then I will put blackfox on you,” he adds.
An EncroChat device cost 1,400 euros, which included a subscription to the service for six months. If someone wanted to renew it, it cost 1,600 euros: that is, using this service for a whole year would cost 3,000 euros. The prices alone already show that the company promoted the renewal of the device, not the subscription: “Those who renewed were judges, lawyers, police. People who use them for confidential things but don’t have to disappear. The others use the phone for six months and throw it away. They would buy four new ones for their people and the ones they had would throw them into the sea,” says the distributor.
The problem with changing devices was the name change. An EncroChat contact list consisted of usernames, not numbers. If ponchonegro wanted to contact caracortada, he had to send him a request, and the other had to accept it. If he did not do so within 48 hours, the request disappeared. Users who wanted to get in touch had to exchange their usernames by some other means.
This anonymity effort made it impossible for the police to easily link identities, despite the infiltration. According to authorities, they analyzed more than 100 million messages. EncroChat had 60,000 users, 10,000 of them in the UK, according to the British police. The messages could reveal addresses, encounters or shipments. Despite the likely candor of the messages between two traffickers who think no one sees them, figuring out who exactly they are is more complex.
Its success was its end
EncroChat’s success has also been its downfall. The operation apparently started in France when the police discovered the mobile system used by several detainees. How could the police resist trying to infiltrate a tool used by thousands of potential criminals? It is like being able to look through a window into a room where crimes are committed.
“In cybersecurity, if you have a target on your forehead and you are wanted, one way or another they will come,” says Javier Agüera, co-founder of Barbara IoT and, before that, of Blackphone, a company dedicated precisely to secure mobiles. “The police had this on target, but they did not even pull the net. They took advantage of the network and physical phones. Nothing is 100% safe if they come after you,” he adds.
This is what happened. When they come for you, forget about secure chats. “So I was telling them to talk what they have to talk about, but for delicate things, move your ass and speak in person,” says the EncroChat distributor. Really secret conversations have only one solution: in person. For organizations with many resources, there is the option of creating an ad hoc communication system to which no one other than the chosen group has access. But even that is not completely secure: “Encryption is mathematics and programming. It requires hiring a team of experts and for a fraction of the money that many of these criminal networks move, they can be created ad hoc and they exist,” says Agüera. “At the same time, it is also true that the fewer users a technology has, the more likely it is to have failures. In more commercial networks like Signal, failures emerge more and there are more eyes,” he adds.
The big question that remains is how the security forces managed to dismantle the network. And here there is no single answer. The discreet explanation in Europol’s official note stated that the French police discovered that “the company operated from servers in France” and that, “eventually, it was possible to put a technical device that went beyond encryption and had access to correspondence of the users”.
Experts consulted by EL PAÍS agree that a malware package sent via an update to the devices is the most likely method. That can also be done in several ways, they explain. There are, however, at least two other possibilities that can be considered.
The first is that the encryption was poorly implemented and could be broken. The formulas that enable secure encryption would take powerful computers years to solve. That is, if it is done well. It should not be forgotten that, in the end, EncroChat is still a company that has enriched itself by offering a service that has ended in failure.
The Spanish distributor has hardly had any complaints: “Only one client called me and I was not very pissed off either. I told him there had been a small security breach. But a week later I told him to throw the phone in the sewer now. He had bought it for me three weeks ago and I never heard from him again,” he explains. The distributor himself, for his part, was also left hanging: “When I called the people of Madrid they no longer picked up the phone, and when I went to enter the portal to manage my clients, it no longer existed. They blew up with the pasta”.
The second possibility is that an employee within the organization who was targeted, infiltrated or turned informant could have placed the malware directly. To make matters worse, the device itself could already have shipped with malware. EncroChat used Spanish BQ Aquaris mobiles for a time, before manufacturing a dedicated model called Carbon. Either of them could have been infected. EL PAÍS has repeatedly written to BQ without obtaining a response.
Can there be a secure phone?
EncroChat’s failure raises the question of whether a secure phone is possible. “Most of these secure phones are not working,” says Simón Roses, an expert in cybersecurity and a teacher in the C1b3rwall online course. These devices are not exclusive to the underworld. Members of the board of directors of a large company may want to communicate like this. The French police have offered an email address in case there are “bona fide” citizens who used EncroChat without committing crimes and want to ask to have their messages deleted from the database.
From the moment a system is successful, it will attract attention. And holes will appear: “If you have systems with a failure that can be exploited by the police with the authorization of a judge, that same failure can be used by an attacker with different intentions,” recalls Agüera. It is an unresolved issue with a very complex solution. But it has a clear business model and there are already companies waiting to occupy the EncroChat space.