Category Archives: phone

Gangsters with Blackberry’s & the Upsurge in “Intelligence Led” Busts

A sensational story about the criminal use of encryption appeared across social media this week like it was a scoop. It wasn’t. But that’s the way it was portrayed.

For the uninformed it played directly into the narrative that encryption is bad and overwhelmingly used by those withquestionable motives or downright evil intentions.

So What Happened?

The headlines varied but basically Vincent Ramos the boss of Phantom Secure, a company whose website declares that it supplies “THE WORLDS MOST TRUSTED COMMUNICATION SERVICE” was arrested in California.

The company supplies or supplied a modded and allegedly zero knowledge handset which is or was it claimed “Simple, effective and easy to use while highly secure, … recognized by government agencies and cyber experts as “Uncrackable” “.

All utter rubbish of course but if you are selling a high performance sports car to a guy who struggles with a gear change on a bicycle then who is to contradict you?

Imagine! Organised crime were using encrypted phones to communicate and those encrypted phones were being supplied by commercial outfits who knew.

Scoop? No.

“Buyer Beware” — What Did Phantom Secure Sell?

Phantom

The sales bumf declared that the “Classic Phantom Secure Encrypted BlackBerry Device”, apparently proven “year after year”, (by whom is unstated) was light weight and easy to use and provided end to end encrypted messaging, in theory. The package included:

  1. Modified and Locked Down Device
  2. Secure Encrypted Device to Device Encrypted Messaging
  3. Anonymous Communication
  4. International Roaming
  5. 6 months Subscription Included

The “Phantom Secure Android Edition” made the laughable statement that it provided unmatched secure enterprise mobility from BlackBerry and the “best at rest” security on an Android KNOX device, which communicated over the Phantom Secure service.

Summarising, the company promised “totally anonymous, device-to-device encrypted communications, brought to you by a globally trusted and recognized secure communications service.

The problem with that is that it was not brought to the companies customers by anything approaching a globally trusted and recognized secure communications service because it was hosted on Blackberry Enterprise Service servers.

Blackberry executive chairman and chief executive officer John Chen recently said “Today’s encryption has got to the point where it’s rather difficult, even for ourselves, to break it, to break our own encryption… it’s not an easily breakable thing. We will only attempt to do that if we have the right court order. The fact that we will honor the court order doesn’t imply we could actually get it done.

This Phantom Secure Android version included:

  1. Modified and Locked Down Device
  2. Secure Encrypted Device to Device Encrypted Messaging
  3. Anonymous Communication
  4. KNOX hardware and software integrated device security
  5. Prive Encrypted Chat
  6. Compatible messaging with BB7 Devices
  7. International Roaming
  8. 6 months Subscription Included

Worthless Disclaimers & Hollow Promises

Phantom Secure, and many like them, take care to make various disclaimers which they seem to think are a get out of jail freecard and state in their “Legal Compliance” section that:

We are a law-abiding company that is permitted to deliver encrypted communication services to our clients in order for them to protect their communications, without having the ability to decrypt their communications.”

The statement in no way ensures that these kind of suppliers cannot be indicted on charges. What it does do is give the impression to prospective customers that the company can in some way guarantee that even in the face of a warrant they do not possess the ability to compromise the historic or future communications of their customer base either intentionally or unintentionally.

But in the case of Blackberry that is just not true. It is public knowledge since 2016 that Operation Clemenza by the RCMP allowed Canadian investigators to access consumer-grade phones from Blackberry where the decryption key is in the company’s (RIM) possession.

BlackBerry, however, also offers the option to run their BlackBerry Enterprise Server (BES) which allows clients to run their own network of phones, and keep possession of their own decryption key. And this is what Phantom Secure were doing but as far back as January 2016 Dutch police said that they were able to read encrypted messages sent on the custom, security-focused BlackBerry devices.

Also in December 2015 in the article “The Encryption Debate: a Way Forward,” on the official Blackberry blog INSIDE Blackberry the company wrote that “privacy and security form the crux of everything we do. However,our privacy commitmentdoes not extend to criminals.”

But isn’t criminality established after due process has taken place? Warrants do not prove criminality even if there is probable cause? Are RIM Blackberry qualified to make the distinctions?

Regardless they sold their BES products based on the claim that they would never be called upon to make the distinction because they had designed a product that was totally secure.

There are products which can guarantee this and even in the face of warrants are unable to provide logs, metadata, or encryption keys. But BES cannot. There lies one of the many significant problems that Mr. Ramos faces.

The disclaimer continues …

“Our service does not require personal information and has no back doors. In providing such a service we do understand that there will be a very small number of people that may use our service to do activities we do not support. We do not condone the use of our service for any type of illegal activities and if known we will terminate the use of our service without notice.”

“Considering this, requests for the contents of communications may arise from government agencies, which would require a valid search warrant from an agency with proper jurisdiction over Phantom Secure.”

“However, our response to such requests will be the content and identity of our clients are not stored on our server and that the content is encrypted data, which is indecipherable.”

“Our company was founded as a means to provide businesses and people the opportunity to communicate in private in this modern technological age. Unfortunately there will be people that will use this technology for acts we do not condone but this should not be the reason why our universal human right to privacy should be taken away.

Mr. Ramos & Explaining the Unexplainable

The very unlucky or very silly Mr. Ramos, depending on which way you look at it, has now been charged with racketeering activity involving gambling, money laundering, and drug trafficking. I hope Mr. Ramos enjoyed the spoils while he could because he is in a very tight spot now, one way or the other.

US authorities have argued that Phantom Secure operated explicitly to enable organised crime groups to evade detection while planning major crimes. Phantom allegedly built an international client base of criminals by taking BlackBerry devices, stripping out the camera, microphone, GPS navigation and other features, and installing encryption software, making them difficult for law enforcement to crack. He was arrested in California, amid claims that his firms products’ were allegedly linked to Australian murders and drug trafficking.” [This extract is from “Phantom Secure boss arrested in US, amid products’ suspected links to Australian murders” By Dan Oakes, ABC Australia, Monday 12th March 2018]

Think about that statement “Making them difficult for law enforcement to crack.”. Hmmmm. If Mr. Ramos makes bail I predict that one of the first questions that he will be asked by some of his more colourful customers is how exactly does that statement sit with the claims the company made on their website. At best he over-promised and under-delivered. [For posterity I have preserved the Phantom Secure website before it inevitably goes dark.]

These dog and bones went for between USD1500–USD2000 a piece with 6 months shelf life and Phantom Secure had 20k subscribers. Do the figures! If you lost one then you had to buy a new one, no discounts.

Isn’t it amazing that a market segment of normally paranoid individuals are willing to buy an expensive technology that they do not understand from a supplier that they do not know and then proceed to drop all normal “opsec”, if you could call it that, and openly plan the spectaculars that led to these arrests.

The Recent Upsurge in Success for “Intelligence Led” Operations

In the fullness of time it will be very interesting to see how the evidence to construct this indictment was acquired, what paper trail was left by the company showing their modus operandi, the promises versus the actual reality of what the company claimed it could deliver, and whether these claims as and of themselves are seen by the Courts as a marketing tool solely intended to appeal specifically to a certain base, namely those with criminal intentions, and how that can be proven.

The story also raises interesting questions on a topic that I have been researching now for some time – parallel construction. Over the last three years there has been a staggering increase in seizures of drug shipments and the foiling of multiple gangland assassinations attributed to “intelligence led” operations.

Since the late noughties Blackberry handsets have been the comms weapon of choice for organised crime even though they have been widely discredited. There is a school of thought that outfits such as Phantom Secure have been tolerated and let exist by law enforcement because they were such a rich source of warrantless intel.

But now that even the most clueless crims are moving away from the platform it seems that it has been decided that it is time to bring in all the “CEO’s” of these secure comms companies. Their usefulness has been exhausted.

Some of the coverage in recent days has claimed that Ramos is co-operating. My guess is that LE wish to use his arrest to turn him into a “co-operating witness” and as such provide them with what looks like legal access to the Phantom Secureservers.

In that way all of that juicy warrantless surveillance can be seen to have been legitimately obtained intelligence and the clientbase, big fish and small, can be hoovered up en-masse or turned into assets.

As for the stuff that has gone before — well, it didn’t become an issue at the trials so no need to revisit that. It was credited to HUMINT in the shape of informants who could not be named in order to protect their identity.

The Inevitability of Licensing

I have no particular insight into the innocence or guilt of Mr. Ramos in this case. I do not know whether he overtly solicited criminal clients in the full knowledge of their business and their need for secure comms in order to evade detection in a criminal enterprise.

What I do know is that if you are legally recorded saying:

“Hey man, I sell these phones that are bullet proof and can’t be hacked or eavesdropped (“even though that is not the case”) and I know you value your security and privacy because your foe is law enforcement and your trade is illegal and I can sell you these phones for $$$$’s and you can ply your trade without fear of discovery

….. then you are nicked mate.

Mr. Ramos is damned if he does and damned if he doesn’t. He is finished every which way he turns.

The movie Layer Cake has a rich seam of relevant content to illustrate my point. In that movie Colm Meaney explains to Daniel Craig’s character XXXX his Cornelian dilemma as a result of being present during an incident:

“Listen, son. Let me explain something to you. Freddie’s in intensive care with a bit of a brain haemorrhage. You were there at the scene. That’s called joint venture. Now, if Freddie dies, you’re either in the dock with Morty… …or you’re in the witness box putting him away. Think about that.

The outcome of this matter is likely to produce significant and wider repercussions for the providers of secure communications solutions in general.

This case and those to follow are a preparatory step for compulsory licensing for purveyors of private encryption systems. They offer an antidote to the privacy objections about backdoors and present a far more pragmatic solution to giving law enforcement access to encrypted communications than systems that are “thoughtfully design” as was recently and ridiculously suggested by FBI Director, Christopher Wray.

The provision of private secure comms solutions will evolve to the same standard of licensing as is applied to firearms sales. Such companies will be required to be licensed before offering the service and when selling licenses I guess that pre-qualification checks on the purchaser will be required too. Purchasing a license will probably be enough to claim “probable cause” under FISA rules in the US. It takes little enough justification to eavesdrop as it stands.

Undermining the Argument for Un-Compromised Encryption

The arguments in support of generally available un-compromised encryption services are devalued by the incorrect parallels that the opponents of encryption make between them and the Phantom Secure case.

It plays directly into the narrative that the host of encryption luddites in law enforcement, government, and the intelligence community peddle daily as they seek to justify back-dooring or banning encryption products.

Those who oppose encryption use illogical extrapolations when making their arguments — “the bad guy used encryption … therefore the crime was committed because of encryption”. They use the special case to undermine the general case.

The Phantom Secure case will be used as another example of why encryption is bad. But the Phantom Secure case is not about privacy or encryption rights or freedom of speech.

If there is even the slightest question that the provider of hardware, software, and any other “wares” knowingly supplies them for assisting the commission of an offence or even suspects that they will be used in one then it is aiding and abetting and all the other bits and pieces that have been included on Mr. Ramos’s much publicised indictment.

References and Bibliography

  1. https://www.justice.gov/usao-sdca/pr/chief-executive-and-four-associates-indicted-conspiring-global-drug-traffickers
  2. https://motherboard.vice.com/amp/en_us/article/a34b7b/phantom-secure-sinaloa-drug-cartel-encrypted-blackberry?__twitter_impression=true
  3. https://motherboard.vice.com/en_us/article/bme5w3/customer-data-from-encrypted-phone-company-ciphr-has-been-dumped-online
  4. http://www.bbc.com/news/technology-43425333
  5. https://motherboard.vice.com/en_us/article/mbpyea/encrochat-secure-phone-hacking-video
  6. https://www.eff.org/nsa-spying/state-secrets-privilege
  7. https://www.peerlyst.com/posts/the-rogues-gallery-of-encryption-luddites-graham-penrose
  8. https://www.peerlyst.com/posts/peertalk-tm-privacy-vs-national-security-panel-questions-for-session-1-graham-penrose
  9. https://www.peerlyst.com/posts/all-blackberry-messages-can-be-decrypted-using-global-encryption-key-valery-marchuk
  10. https://www.peerlyst.com/posts/would-you-hire-a-locksmith-you-dont-trust
  11. https://www.peerlyst.com/posts/boss-of-a-company-that-supplied-encrypted-phones-arrested-andrew-commons
  12. https://www.hrw.org/report/2018/01/09/dark-side/secret-origins-evidence-us-criminal-cases
  13. https://www.peerlyst.com/posts/canadian-law-enforcement-obtained-blackberry-global-encryption-key-hega-geoffroy
  14. https://www.peerlyst.com/posts/android-blackberry-spyware-used-in-india-attacks-or-securityweek-com-hega-geoffroy
  15. https://nakedsecurity.sophos.com/2016/01/13/police-say-they-can-crack-blackberry-pgp-encrypted-email/
  16. https://www.theregister.co.uk/2016/01/13/blackbery_pgp_riddle/
  17. https://www.v3.co.uk/v3-uk/news/2441666/blackberry-pgp-handsets-cracked-by-dutch-cyber-cops
  18. https://www.makeuseof.com/tag/one-reason-get-blackberry-2016-security/
  19. https://nakedsecurity.sophos.com/2016/04/26/police-seize-network-behind-encrypted-blackberry-pgp-devices/
  20. https://www.itgovernance.co.uk/blog/phone-evidence-remotely-wiped-in-police-stations/
  21. http://www.zdnet.com/article/police-hack-pgp-server-with-3-6-million-messages-from-organized-crime-blackberrys/
  22. https://www.techdirt.com/articles/20160118/07441433368/blackberry-which-said-it-wouldnt-protect-criminals-assures-criminals-phones-are-still-secure.shtml
  23. https://www.smh.com.au/national/nsw/are-encrypted-phones-allowing-criminals-to-get-away-with-murder-20150523-gh82gv.html
  24. http://www.cbc.ca/news/technology/criminals-love-the-blackberry-s-wiretap-proof-ways-police-1.815031
  25. https://www.dailyrecord.co.uk/news/crime/cops-struggling-crack-encrypted-phones-6962815
  26. https://www.thedailybeast.com/meet-danny-the-guy-selling-encrypted-phones-to-organized-crime
  27. https://www.gizmodo.com.au/2018/03/the-fbi-busts-phantom-secure-ceo-for-allegedly-selling-encrypted-phones-to-gangs-drug-cartels/
  28. https://www.dailyrecord.co.uk/news/crime/cops-struggling-crack-encrypted-phones-6962815
  29. http://uk.businessinsider.com/methods-that-police-use-to-catch-deep-web-drug-dealers-2016-8?r=UK&IR=T
  30. https://www.theguardian.com/uk/2011/oct/30/metropolitan-police-mobile-phone-surveillance
  31. http://www.bbc.co.uk/news/uk-38183819
  32. https://www.techrepublic.com/article/fbi-nabs-ceo-of-encrypted-phone-company-for-sales-to-cartels-gangs/
  33. https://motherboard.vice.com/en_us/article/nz7e3z/decrypted-pgp-blackberry-messages-helped-convict-uk-gun-smugglers
  34. https://arstechnica.com/tech-policy/2018/03/fbi-again-calls-for-magical-solution-to-break-into-encrypted-phones/
  35. http://scholars.wlu.ca/etd/1758/
  36. https://www.digitaltrends.com/mobile/phantom-secure-ceo-arrested/?utm_source=dlvr.it&utm_medium=twitter

ENDS.

"Has My Phone Been Hacked? Am I Being Surveilled?" – You Have No Idea

When someone asks that question do they mean that they are worried about rootkits, backdoors, trojans, worms, spyware, keystroke logging; are they concerned that someone has clocked their PGP private key; do they suspect LE have a warrant to eavesdrop their voice comms; or do they fret about the integrity of SIM card encryption and the Gemalto hack? Do they fuck.

Continued Happiness & Abundant Joy (For Hackers)

No, they don’t worry about these things because they don’t know about these things, they don’t care to spend the time understanding the threats or pay for the solutions and I don’t blame them. And that simple reality assures the continued happiness and abundant joy of the hacking for profit community.

If they are an above ordinary John Q then they follow a few simplistic tips they read after a quick Google and subsequently consider themselves bullet-proof and smart. If they are a small business they get comfortable when some self proclaimed infosec expert in a suit charges them a small fortune for “steal your watch & charge to tell you the time” consulting.

Good Old Fashioned Olde Worlde Surveillance 

And it’s not all about super-elegant hacks written by PLA Unit 61398 swirling around in the matrix gobbling up industrial secrets. A scene in the documentary CitizenFour showed Snowden using a blanket to cover his head and his laptop screen. The Snowden-Greenwald dialogue was as follows:

37:35 [Snowden pulling blanket over his head/laptop]
37:44 Greenwald: Is that about the possibility of…
37:47 Snowden [still under blanket, interrupts] visual, yeah visual collection
37:50 [Greenwald looking around the room, seems not rather sure what to think and say]
37:55 Greenwald: I don’t think at this point there is anything in this regard that will shock us. [laughter in room]

Gras Double commented on this precaution and noted that allegedly: “Still, using some advanced audio software, from the typing sound of the pressed keys, deducing from echo, reverb, comparing with the sound of a keyboard of an identical laptop, you could determine their coordinates in space. You can also analyse the movement of muscles of Snowden’s arms and extrapolate up to its fingers’ location and movement.” – a bold claim.

Another bright spark on Information Security Stack Exchange stated “He was using the blanket to fool visual recording devices attempting to steal his password, even though with modern technology x-ray or thermal imaging you could effectively ‘see through’ the blanket.” In rebuttal it was noted “I can see how an IR Thermographic Camera has a chance to detect something if the wrong kind of blanket is used. No idea how you want to use XRay, as it requires an emitter as well as a receiver.”

Line of Sight Surveillance for the Common Man

Still – the point is made I think – visual intercepts are economically viable even for local LE – it’s just an ultra low light wifi enabled pin-hole snake camera in the right spot. One above the driver and passenger seat belt brackets in a private vehicle is a good loc (easy access to and plenty of space behind the plastic covering the B pillar to store the bits). Five uninterrupted minutes and both are installed. Just wait for the target to take a Sunday drive and game on.

Most people rest the handset on their lap while typing stationary in traffic or better still upright and in front or on top of the wheel when driving – using one hand – which gives a nice unobstructed keystroke by keystroke view of their typing activities.

From a low value non-tech savvy target you will get screen lock password, SIM lock password, their main contacts, their email password and transcripts of their conversations during the time slot – even more if they are road safety conscious and use a speaker phone. For the high value target – encryption keys, app locks, timeline stats and so on and so on.

Turning Everyday Visual Objects into Visual Microphones 

When sound hits an object, it causes small vibrations of the object’s surface. This project shows how, using only high-speed video of the object, those minute vibrations can be extracted and partially recover the sound that produced them, allowing you to turn everyday objects—a glass of water, a potted plant, a box of tissues, or a bag of chips—into visual microphones.

The sound is recovered from high speed footage of a variety of objects with different properties, and uses both real and simulated data to examine some of the factors that affect the ability to visually recover sound.

The researchers evaluate the quality of recovered sounds using intelligibility and SNR metrics and provide input and recovered audio samples for direct comparison. They also explore how to leverage the rolling shutter in regular consumer cameras to recover audio from standard frame-rate videos, and use the spatial resolution of the method to visualize how sound-related vibrations vary over an object’s surface, which they can use to recover the vibration modes of an object.

In simple terms:

1. Two guys talking out of sight in a room;
2. You, outside at a distance pointing a video camera, through a window at a glass of beer on a table in the room;
3. Record the glass of beer for the duration of their conversation;
4. Take the footage and process it and extract the audio contents of the conversation that was happening out of sight;
5. No installs, no intrusion, no access to the room required, no need to see the targets;

SIM Card Encryption 

Here is a sobering thought in plain language that applies to every SIM card that you have ever owned:

“US and UK intelligence agencies after the Gemalto hack in 2010 and 2011 have the ability, with the stolen encryption keys, to monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.”

Sentimentality is Your Enemy

The easiest way to ensure that your smart phone remains un-hacked or returns to an un-hacked state is to be willing to survive on cheap throwaways – but most people are not willing to do that. If you are it’s simple as 🙂

1. Take the SIM out of your phone every few days / weeks / months (depending on your level of paranoia or the reality of your work / life), drill a hole in the motherboard, hit it with a hammer, microwave the mess and flush the remnants down a public toilet or a subset thereof;

2. Insert your SIM card in another cheap smart phone with the proper set of reliable tools that reduce (note the use of the word “reduce” not “remove”) your risk of infection, don’t transfer the data from the old phone or the apps and carry on. For maximum safety – bin your SIM too and buy a new one;

3. As before following a few simple rules like not downloading apps from random sites (although even the Google Play & Apple App Stores have their fair share of dodgy apps and are no guarantee of malware avoidance), don’t click on links in emails from Eastern European porn sites and don’t give your unlocked phones to strangers at airports – although you can just as easily be hacked remotely.

However, if you will insist on treating your phone as a treasured fashion accessory and have to travel everywhere with tons of personal data you haven’t looked at in years at your finger tips – just in case – then you will not want to do the above and will insist on a different answer to the question.

The Advice “Out There” 

A simple search on DuckDuckGo demonstrates the amount of posts out there on the subject and the amount of bizarre “clues” which are considered worthy of worrying about – that’s before you even get into the Android / iPhone variations and exposures.

Alarm bells should ring for you apparently, according to many of these posts if:

1. On checking your bank accounts / credit cards you see unusual activity that seems to arise from app purchases that you did not make (sort of blindingly obvious I would have thought);

2. You are also to worry if your pointer starts levitating across the screen to select specific options as opposed to the random behaviour of the pointer on a busted or water damaged handset (I would have thought this would worry even the most non-savvy user or really interest all paranormal investigators);

3. Seeing photos in your gallery that you did not take (Really?) – be very worried if they are of you while watching PornHub 🙂 – RansonWare;

4. Getting text messages from unrecognized numbers with weird characters in them (Oops);

5. Notifications that flash across your screen, disappear and then can’t be found in any app or the notification centre (Seems fair);

Subscribe to New Posts

To be notified as each post is published please subscribe to the blog – over there on the right – yes over there in the right column at the top where it says “Follow by Email”.

No new content, no email for you – ever – and we won’t sell your email details to the NSA either and we are subpoena proof too so we can’t be forced to either.

END.