Netherlands security company Black Box Security was raided by the Dutch Police and shuttered on suspicion of money laundering and operating a criminal enterprise. Black Box was the inventor of the Iron Phone and the Iron Chat app. Together, they were supposed to provide an unbreakable encrypted chat service. This service became a popular favorite among cyber and other criminals.
According to Sophos Naked Security, the police in The Netherlands successfully cracked the encryption and have been reading the messages for quite some time, in all about a quarter of a million messages. The information they gathered allowed them to close a drug laboratory, and make several other arrests. Eventually, because of the compromised communication channel and police activity, the criminals using these phones started accusing each other of working with the police. The Politie had to shut it down and arrest everyone in order to avoid bloodshed on the streets.
Encryption is a useful protection when implemented properly. The problem was with the way the encryption in the phone and app were implemented. This is not the first time that poor encryption has been beaten by smarter cryptographers. In some of the earlier ransomware variants, the attackers were using SHA-1 and other easily cracked methods to create their encryption keys. In those cases, the encrypted data was easily recovered. This is just another example of the dangers of home brewed encryption.
The other lesson is this: when searching for encryption solutions such as encrypted email, browsing, messaging, and services such as VPN, it falls on you, the subscriber, to perform your due diligence to ensure that you are getting the security, secrecy, privacy and anonymity you are expecting. Not all services perform as advertised, so checking customer reviews and independent testing labs can help you find reliable alternatives.
Share
NOV
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com