Encrochat - what lessons can we learn?

Jun 16 , 2020

2 Comments


BEST SECURITY ADVICE OF TODAY: FOR THOSE EXTREMELY CAUTIOUS INDIVIDUALS - DON'T CLICK ON ANY LINKS EMAILED OR SENT BY TEXT.

Encrochat suffered what was easily the worst security breach in encrypted phone history, if you consider Encro's customer base & the calibre of intelligence that authorities could gather from eavesdropping.

Whilst others will take delight in dancing around the twitching corpse of Encrochat, I believe a more progressive take is to look at what we can learn from the incident & use these lessons to build a stronger, more secure service for customers.

Note the word service & not "phone". A true secure handset is built around a full service & not just a single piece of hardware. To this end Omerta, from day 1, has taken a customer-centric focus & we try at every stage to educate our customers because security starts with people. However, in this instance, the weak link in the chain wasn't the customer but the company.

It appears Encrochat's infrastructure was targeted, which bypassed all phone defences & quite possibly left all communications wide open to eavesdropping. How could this happen? There are many vectors by which malware can end up installed within a company's infrastructure, & these include (but are certainly not limited to):

  • Through an email attachment or a malicious link embedded in an email
  • Via a memory stick
  • Through messaging
  • By third-party installation
  • By visiting a malicious website


These routes of entry would be the opening salvo of an attack, since a single compromised PC is unlikely to bring down a firm on its own. A company with strong IT leadership will have defences in place, so even after a successful initial compromise, the affected device will be isolated and unable to dive deeper into the systems.

However, if an IT estate is poorly managed & suffering from weak leadership, an environment can exist in which the appropriate defences simply do not exist, giving an attacker carte blanche to move around.

So what steps can a company take to protect itself from this kind of attack? The following:

  • Train staff to be appropriately aware of their IT security responsibilities, especially how to spot malicious emails & messages.
  • Ensure an appropriate communication strategy is in place to keep staff abreast of current IT developments, risks & changes.
  • Ensure staff are given the appropriate level of permissions on IT systems, even at senior levels (weak IT leadership will often buckle at the demands of the board when those demands favour convenience over security).
  • Keep all systems & software patched and up to date so known vulnerabilities are closed.
  • Lifecycle equipment and software to ensure your estate is up to date & never at risk of becoming legacy without funding to replace it.


The second lesson to be learned is, quite simply, that if you intend to run handsets & use a remote management tool, then you will always be at risk. Customers need to be aware that regardless of how secure a system is, if there is a remote command centre, then the risk of complete exposure exists. With such systems, the breach doesn't even need to be cyber-based.

It can be as simple as getting the system manager tipsy and asking them for the password, or using social engineering to extract login details. Encrochat had such a system: a single point of failure once compromised.

In terms of lessons learned, Encrochat possibly became too close to their customer base, & were thus seen by authorities as empowering criminal behaviour & worth the investment to bring down. At Omerta, we keep a distance from our client base by trading through our website. We need not know about our clients' business & we certainly do not run any systems which collate our clients' data, other than to ship a handset.

The second lesson is to make sure customers are made aware of the risks associated with any tools they use. If your data & comms are so top secret as to be considered high value, then maybe you should avoid using a remote management system. Again, at Omerta we would educate our customers about this so they can make an informed decision. We presently do not offer remote device management, so this risk is currently not an issue.

The third lesson is clearly to ensure the business's IT is managed correctly & staff are adequately trained and aware of their responsibilities. At Omerta, even though small, I make sure my partner is aware of her responsibilities for IT security so that Omerta doesn't become part of the problem.

A fourth lesson, and one which is costly, is simply not to host all clients' services in one place. If a client's information is that critical, then the client's services should be hosted in isolation, away from everyone else. If the worst happens, impact mitigation should already be part of your IT strategy.
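The two points above about isolation (a compromised PC that cannot dive deeper into systems, and critical client services hosted apart from everyone else) can be checked rather than assumed. The following added example (not Omerta's tooling, and the zone and host names are constructed for illustration) models an estate as zones plus an allow-list of permitted flows, then computes the blast radius of one compromised host by walking the flows transitively. Running it against a flat policy and a segmented one shows why a compromised workstation should see only its own zone, and why a remote management console remains a single point of failure for every client it can reach.

```python
"""Blast-radius check for a segmented network (added illustration, not Omerta's tooling).

Model: zones, each holding hosts, plus an allow-list of flows (src zone -> dst zone).
A compromised host in one zone can reach any zone transitively reachable through
allowed flows. Comparing a flat estate with a segmented one shows why a single
compromised PC should not be able to "dive deeper into systems".
"""
from collections import deque

# Constructed sample estate: zone -> hosts (all names are hypothetical).
ZONES = {
    "workstations": ["pc-alice", "pc-bob"],
    "office-servers": ["mail", "fileshare"],
    "mgmt": ["mdm-console"],           # remote management tool
    "client-a": ["client-a-msg"],      # one customer's hosted service
    "client-b": ["client-b-msg"],      # another customer's hosted service
}

# Flat estate: every zone may talk to every other zone.
FLAT_POLICY = {(s, d) for s in ZONES for d in ZONES if s != d}

# Segmented estate: only the flows the business actually needs.
SEGMENTED_POLICY = {
    ("workstations", "office-servers"),   # staff use mail/files
    ("mgmt", "client-a"),                 # console pushes to hosted services
    ("mgmt", "client-b"),
}


def reachable_zones(policy, start_zone):
    """Zones transitively reachable from start_zone under the allow-list (BFS)."""
    seen = {start_zone}
    queue = deque([start_zone])
    while queue:
        zone = queue.popleft()
        for src, dst in policy:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def blast_radius(policy, compromised_host):
    """Sorted hosts an attacker could reach from compromised_host, including its own zone."""
    start = next(z for z, hosts in ZONES.items() if compromised_host in hosts)
    hosts = set()
    for zone in reachable_zones(policy, start):
        hosts.update(ZONES[zone])
    return sorted(hosts)


def exposed_clients(policy, compromised_host):
    """Which hosted client zones fall inside the blast radius."""
    reached = set(blast_radius(policy, compromised_host))
    return sorted(z for z in ZONES
                  if z.startswith("client-") and any(h in reached for h in ZONES[z]))


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name:10s} pc-alice    -> {blast_radius(policy, 'pc-alice')}")
        print(f"{name:10s} mdm-console -> {blast_radius(policy, 'mdm-console')}")
```

Under the flat policy a compromised workstation reaches every host, including both clients' services. Under the segmented policy it reaches only the office zone, but the management console still reaches both clients; fully isolating a high-value client in this model means giving it its own management path rather than sharing one console.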

Overall, lessons will be taken away from this incident. When it comes to security, it is everyone's responsibility, regardless of the tools used, because ultimately there never will be a panacea or silver bullet to guarantee security.

2 Comments

  • Craig

    — Do your phones allow updates? Yes - OS updates & app updates

    — How are they handled? OS updates are handled by GrapheneOS & Apps by F-Droid

    — What servers in what jurisdictions? Updates are managed by GrapheneOS not Omerta.

    — What would prevent you from complying with a valid court order to deliver a rootkit, should one be served? GrapheneOS isn’t able to comply with a government order to build, sign and ship a malicious update to a specific user’s device based on information like the IMEI, serial number, etc. The update server only ends up knowing the IP address used to connect to it and the version being upgraded from based on the requested incremental.

    — Do you use any kind of multiparty signatures, with the various parties in independent jurisdictions to make such compliance impossible? We use open source software which we have no direct control over & compliance would be impossible.

    — Do your phones perform regular hashing/fingerprinting of the os partition to detect any changes? GrapheneOS utilises Attestation regularly to ensure the OS is not compromised.

    — Do you support disabling the baseband processor to prevent telco-delivered exploits? Yes, GrapheneOS offers this feature via Airplane mode (if I’ve read the question right).

    The joy of Open Source Software.

  • Curious

    It seems likely to me that the French authorities took over Encrochat's servers, and pushed an update to every single customer that installed their rootkit. Do your phones allow updates? How are they handled? What servers in what jurisdictions? What encryption/signature method is used to verify updates are genuine? What would prevent you from complying with a valid court order to deliver a rootkit, should one be served? Do you use any kind of multiparty signatures, with the various parties in independent jurisdictions to make such compliance impossible? Do your phones perform regular hashing/fingerprinting of the OS partition to detect any changes? Do you support disabling the baseband processor to prevent telco-delivered exploits?
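The question above about regular hashing/fingerprinting of the OS partition, and the reply that GrapheneOS relies on attestation instead, are easier to weigh with a concrete instance of the hash-based check in hand. The following added example is not GrapheneOS's mechanism and not Omerta's code; it builds a baseline manifest of every file under a tree (path to SHA-256), folds that into a single tree fingerprint, and on a later run reports added, removed and modified files. The tree it scans is constructed by the script itself, with hypothetical file names, so it runs offline.

```python
"""Filesystem-integrity fingerprint (added illustration, not GrapheneOS's attestation).

Builds a baseline manifest of every file under a tree (path -> SHA-256), then
reports added, removed and modified files on a later run. This is the classic
host-based "hash the partition" check asked about in the comments; it runs on
an example tree that the script creates itself.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def file_sha256(path, chunk=1 << 16):
    """SHA-256 of a file, streamed so large images are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map of relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():       # skip link bodies; only hash real file content
                continue
            manifest[p.relative_to(root).as_posix()] = file_sha256(p)
    return manifest


def manifest_digest(manifest):
    """Single fingerprint of the whole tree: hash of the sorted (path, hash) list."""
    h = hashlib.sha256()
    for path in sorted(manifest):
        h.update(path.encode() + b"\0" + manifest[path].encode() + b"\n")
    return h.hexdigest()


def diff_manifests(baseline, current):
    """Classify changes between two manifests."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: take a baseline, then tamper with the tree and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "sh").write_bytes(b"#!/bin/sh\necho original\n")
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")

        baseline = build_manifest(root)
        # Simulated tampering: one binary replaced, one file added, one removed.
        (root / "bin" / "sh").write_bytes(b"#!/bin/sh\necho replaced\n")
        (root / "bin" / "extra").write_bytes(b"new file\n")
        (root / "etc" / "hosts").unlink()

        current = build_manifest(root)
        changes = diff_manifests(baseline, current)
        changes["digest_changed"] = manifest_digest(baseline) != manifest_digest(current)
        return changes


if __name__ == "__main__":
    print(demo())
```

The limitation this makes visible is the one the reply points at: a check that runs on the device, under the OS it is checking, can be fed false answers by an OS that has already been replaced, and the baseline it compares against lives on the same device. Hardware-backed attestation verified from a separate device addresses that gap, which is why a self-hash of the partition is a useful detective control but not a substitute for it.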

