The Dutch police made the coup a while ago. They didn’t say when, exactly, but they did reveal that they’ve been quietly reading live communications between criminals for “some time.” At any rate, it was enough time to read 258,000 chat messages: a mountain of information that they expect to lead to hundreds of busts.
Already, the breakthrough has led to the takedown of a drug lab, among other things, according to Aart Garssen, Head of the Regional Crime Investigation Unit in the east of the Netherlands. He was quoted in the press release:
This operation has given us a unique insight into the criminal world in which people communicated openly about crimes. Obviously, this has led to some results. For example, we rolled up a drug lab in Enschede.
In the course of this investigation we also discovered 90,000 euros in cash, automatic weapons and large quantities of [hard drugs] (MDMA and [cocaine]). In addition, we became aware of a forthcoming retaliatory action in the criminal circuit.
IronChat used tinfoil marketing fluff by simply making up at least one celebrity endorsement, from Edward Snowden.
Also on Tuesday, Dutch police shut down the site that sold the phones, Blackbox-security.com. An archived page shows this purported endorsement from Snowden …
I use PGP to say hi and hello, i use IronChat (OTR) to have a serious conversation
… an endorsement that, Snowden said through a representative at the American Civil Liberties Union (ACLU), he never made. In fact, he’s never heard of the phone, Snowden said. Ben Wizner, director for the ACLU’s Speech, Privacy & Technology Project, relayed this message from Snowden in an email to Dan Goodin at Ars Technica:
Edward informs me that he has never heard of, and certainly never endorsed, this app.
Police said that they discovered the server through which encrypted IronChat communications flowed when police in Lingewaard, in the east of the Netherlands, traced a supplier of the cryptophones during a money-laundering investigation.
The phones cost about 3,000 euros per year (USD $3,400). The devices could only be used for texting, not for phone calls or web browsing, with the encryption happening on a separate server that rendered the communications unreadable by police.
The company was owned by a 46-year-old man from Lingewaard and his partner, a 52-year-old man from Boxtel. Both have been arrested under suspicion of money laundering and participation in a criminal organization. Their homes and the IronChat office have been searched, in addition to other, unspecified locations around the country.
The police could have let this play out until lord knows when but eventually pulled the plug on IronChat because they’d have had to step over dead bodies to keep up the investigation. As it was, criminals were suspecting each other of playing stool pigeon and leaking information to the police.
When they saw chats indicating that there was this kind of finger-pointing going on, they made it clear that “it was us acting upon information from the chats,” police said.
How did they crack the supposedly uncrackable?
Police aren’t saying: no surprise there. Frank Groenewegen, a security researcher at Fox-IT, told De Telegraaf that the likeliest explanation is that there was a mistake in the encryption:
In my opinion, that is the most likely option. If encryption is properly applied, nobody can do anything to make a message visible, but it sometimes depends on a comma that is wrong somewhere. Then you can put fifteen locks on a safe door, but if the hinges come loose and the door falls out, you will enter.
If, however, the encryption was in fact “iron-clad,” with no stray commas or other mistakes, it could be that police managed to crack the encryption algorithms, Groenewegen said. That would make this a problem for everyone who relies on the encryption in question, he said, not just Dutch crooks.
If that were the case, the police would be able to read all the chats with that encryption all over the world, so to speak… Then everyone has a problem.
For his part, Rik van Duijn, a security researcher with Dearbytes, told Dutch public broadcaster NOS that IronChat had multiple security issues.
For one thing, the app warned users about possible message interception in teensy type, worded in such a way that an average user wouldn’t understand, he said, if they read the smaller font at all. The warning:
Encryption is enabled, but conversation partner is not authenticated.
The average user does not understand exactly what this means. You would expect that an app that so clearly focuses on encryption is clearer.
According to NOS, a spokesman confirmed to the police on Tuesday evening that the server used to exchange messages was cracked. Police aren’t saying how but Van Duijn has ideas: besides other flaws, he noticed that the app didn’t have much protection from people who want to use it for free.
He himself cracked the code users needed to show that they paid for the phone: all it was a “combination of a number of numbers” that he gleaned from the app’s source code, he said.