Failures in Encryption – IronPhone

Netherlands security company Black Box Security was raided by the Dutch Police and shuttered on suspicion of money laundering and operating a criminal enterprise.  Black Box was the inventor of the Iron Phone and the Iron Chat app.  Together, they were supposed to provide an unbreakable encrypted chat service.  This service became a popular favorite among cyber and other criminals.

According to Sophos Naked Security, the police in The Netherlands successfully cracked the encryption and have been reading the messages for quite some time, in all about a quarter of a million messages.  The information they gathered allowed them to close a drug laboratory, and make several other arrests.  Eventually, because of the compromised communication channel and police activity, the criminals using these phones started accusing each other of working with the police.  The Politie had to shut it down and arrest everyone in order to avoid bloodshed on the streets.

Encryption is a useful protection when implemented properly.  The problem was with the way the encryption in the phone and app were implemented.  This is not the first time that poor encryption has been beaten by smarter cryptographers.  In some of the earlier ransomware variants, the attackers were using SHA-1 and other easily cracked methods to create their encryption keys.  In those cases, the encrypted data was easily recovered.  This is just another example of the dangers of home brewed encryption.

The other lesson is this:  when searching for encryption solutions such as encrypted email, browsing, messaging, and services such as VPN, it falls on you, the subscriber, to perform your due diligence to ensure that you are getting the security, secrecy, privacy and anonymity you are expecting.  Not all services perform as advertised, so checking customer reviews and independent testing labs can help you find reliable alternatives.



About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Pratitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speakers at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.