Failures in Encryption – IronPhone

Netherlands security company Black Box Security was raided by the Dutch Police and shuttered on suspicion of money laundering and operating a criminal enterprise.  Black Box was the inventor of the Iron Phone and the Iron Chat app.  Together, they were supposed to provide an unbreakable encrypted chat service.  This service became a popular favorite among cyber and other criminals.

According to Sophos Naked Security, the police in The Netherlands successfully cracked the encryption and have been reading the messages for quite some time, in all about a quarter of a million messages.  The information they gathered allowed them to close a drug laboratory, and make several other arrests.  Eventually, because of the compromised communication channel and police activity, the criminals using these phones started accusing each other of working with the police.  The Politie had to shut it down and arrest everyone in order to avoid bloodshed on the streets.

Encryption is a useful protection when implemented properly.  The problem was with the way the encryption in the phone and app were implemented.  This is not the first time that poor encryption has been beaten by smarter cryptographers.  In some of the earlier ransomware variants, the attackers were using SHA-1 and other easily cracked methods to create their encryption keys.  In those cases, the encrypted data was easily recovered.  This is just another example of the dangers of home brewed encryption.

The other lesson is this:  when searching for encryption solutions such as encrypted email, browsing, messaging, and services such as VPN, it falls on you, the subscriber, to perform your due diligence to ensure that you are getting the security, secrecy, privacy and anonymity you are expecting.  Not all services perform as advertised, so checking customer reviews and independent testing labs can help you find reliable alternatives.



About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Owner of the WyzCo Group Inc. In addition to consulting on security products and services, Bob also conducts security audits, compliance audits, vulnerability assessments and penetration tests. Bob also teaches Cybersecurity Awareness Training classes. Bob works as an instruction for CompTIA’s non-profit IT-Ready Program in the Twin Cities. IT-Ready is a tuition free 8-week program designed to teach students of all ages the fundamentals of IT support to prepare them for an entry level position in Information Technology Support. Graduates of the classes take the exams to become CompTIA A+ certified. Bob is a frequent speaker at conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. Bob has been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.