Encrochat - what lessons can we learn?

Jun 16 , 2020

Encrochat - what lessons can we learn?

BEST SECURITY ADVICE OF TODAY: FOR THOSE EXTREMELY CAUTIOUS  INDIVIDUALS  - DON'T CLICK ON ANY LINKS EMAILED OR SENT BY TEXT. 

Encrochat suffered what was easily the worst security  breach in encrypted phone history, if you consider Encro's customer base & the calibre of intelligence that authorities could gather from eavesdropping.

Whilst others will take delight in dancing around the twitching corpse of Encrochat, I believe a more progressive take is to look at what we can learn from the incident & use these lessons to build a stronger, more secure service for customers.

Note the word service & not "phone". A true secure handset is built around a full service & not just a single piece of hardware. To this end Omerta, from day 1, has taken a customer-centric focus & we try at every stage to educate our customers because security starts with people.  However, in this instance, the weak link in the chain wasn't the customer but the company.

It appears Encrochats infrastructure was targeted & this bypassed all phone defences, quite possibly rendering all communications wide open for eavesdropping. How could this happen? There are many vectors for malware to end up installed within a companies infrastructure & these can include (and certainly not limited to):

  • Through email attachment or malicious link embedded in an email.
  • Via memory stick
  • Through messaging
  • By third party installation
  • By visiting a malicious website.

 

These routes for entry would be an opening salvo of an attack, since it is unlikely a compromised PC could bring down a firm. A company with strong IT leadership will have defences in place, so even in the event of a successful attack, the compromised device will be isolated and not capable of diving deeper into systems.

However, if an IT estate is poorly managed & suffering from weak leadership, an environment can exist whereby the appropriate defences simply do not exist giving an attacker carte blanche on their movements. 

So what steps can a company take to protect themselves from this kind of attack? The following:

  • Train staff to be appropriately aware of their IT security responsibilities. Especially make them aware of how to spot malicious emails & messages
  • Ensure an appropriate communication strategy is in place to keep staff abreast of current IT developments, risks & changes.
  • Ensure staff are given the appropriate level of permissions on IT systems, even at senior levels (weak IT leadership will often buckle at the demands of the board when the demands are for convenience over security).
  • Keep all systems & software patched and up to date so vulnerabilities don't exist.
  • Lifecycle equipment and software to ensure your estate is up to date & never at risk of becoming legacy without funding to replace it.

 

The second lesson to be learned is, quite simply, if you intend to run handsets & use a remote management tool, then you will always be at risk. Customers need to be aware that regardless of how secure a system is, if there is a remote command centre, then the risk of complete exposure exists. With such systems, the breach doesn't need to be cyber-based.

It can include getting the system manager tipsy and asking them for the password! Or using social engineering to extract login details. Encrochat had such a system. A single point of failure when compromised. 

In terms of lessons learned, Encrochat possibly became too close to their customer base, thus seen by authorities as empowering criminal behaviour & worth the investment to bring down. At Omerta, we keep a distance from our client base by trading through our website. We need not know about our clients business & we certainly do not run any systems which collate our client's data, other than to ship a handset.

The second lesson is to make sure customers are made aware of the risks associated with any tools they use. If your data & comms are so top secret as to be considered high value, then maybe you should avoid using a remote management system. Again, at Omerta we would educate our customers about this so they can make an informed decision. We presently do not offer remote device management so this risk currently is not an issue.

The third lesson is clearly to ensure the businesses IT is managed correctly & staff adequately trained and aware of their responsibilities.  At Omerta, even though small, I make sure my partner is aware of her responsibilities for IT security so that Omerta doesn't become part of the problem.

A fourth lesson, and one which is costly, is simply to not host all clients services in one place. If a clients information is that critical then the client's services should be hosted in isolation away from everyone else. If the worst happens then impact mitigation should be included in your IT strategy.

Overall, lessons will be taken away from this incident. When it comes to security, it is everyone's responsibility, regardless of the tools used, because ultimately there never will be a panacea or silver bullet to guarantee security.