A group of European law enforcement agencies were able to crack a high-level encryption app that a group of suspects created to avoid law enforcement monitoring, according to a statement issued Tuesday by Europol. Europol, understandably, did not provide any specifics about how they broke the app, but encryption experts said that the most likely method involved cracking the app as opposed to the encryption algorithm itself. Still, for enterprise CISOs who are already nervous about trusting highly sensitive communications to encrypted apps, this incident will likely further deepen those suspicions.

“A joint investigation team (JIT) involving French and Dutch authorities has taken down another sophisticated encrypted messaging service, MATRIX. For three months, authorities were able to monitor the messages from possible criminals, which will now be used to support other investigations,” the Europol statement said. “During a coordinated operation supported by Eurojust and Europol, the messaging service was taken down by Dutch and French authorities and follow-up actions were executed by their Italian, Lithuanian, and Spanish counterparts.”

The suspects named the app MATRIX, but it is not related to any companies or products using that name. Europol said thieves charged other thieves between €1,300 and €1,600 (roughly between $1,369 and $1,685) for a 6-month subscription. “At least 8,000 accounts” were sold globally, and were used on more than 40 servers across Europe, Europol said. “More than 2.3 million messages in 33 languages were intercepted and deciphered during the investigation,” Europol said. “The messages that were intercepted are linked to serious crimes such as international drug trafficking, arms trafficking, and money laundering.”

Dean Coclin, a senior director and digital trust specialist at DigiCert, stressed that he doubts law enforcement cracked the encryption itself, mostly because they didn’t need to.
“It’s highly unlikely that they broke the encryption, meaning the mathematical part. What is more likely, as we have seen in the past, is there was a weakness in the implementation that was uncovered and subverted,” Coclin said. “It sounds like this system was quickly put together by the bad guys.”

That may be the only silver lining for enterprise CISOs, he said, because “enterprise encryption products tend to be more secure due to the use of published encryption algorithms that have been extensively vetted and having been developed by reputable companies.”

While encryption has been broken in the past, the threat potentially posed by quantum computing could make much of 2024-level encryption irrelevant in any case. But the issue is critical today, as more end users are relying on various free encryption apps, including Signal, WhatsApp, and Telegram, which raises concerns about the apps’ weaknesses.

With the European thief-created app, “maybe there was a flaw in the way that they put the program together, where the data might have been left in an unencrypted state for a period of time,” and that would make it vulnerable to malware on the device, Coclin said. But he added that he thinks the real flaw was simply that the suspects didn’t sufficiently test their app and didn’t test it among a large enough group of beta users. The proper approach is to “develop something and then you put it into the public domain. This app was likely thrown together by some hackers and it didn’t get stress tested,” Coclin said.

Erich Kron, security awareness advocate at KnowBe4, agreed that it was most likely the app that was broken and not the encryption. “There is not a lot to go off of at this time, so without knowing how the encryption was broken, it’s difficult to say if this will have an impact on legitimate encryption,” Kron said.
“Typically speaking, when encryption is broken, especially modern encryption, it usually happens through the way that the application using the encryption handles the keys, not in a fault with the encryption itself.”

Law enforcement’s having broken this app, however, could send a frightening message to criminals, Kron said. “A secure way to communicate is vital to these criminal operations, and the disruption of the service will not only impact their ability to continue communications, but also their faith in other applications such as this,” Kron said. “It may cause them a significant amount of anxiety as they wonder if their communications with other players have been decrypted, and many of the more cautious criminals might have to adjust their current operations to counter the potential that law enforcement knows about them.”
Implications for CISOs
A more dire perspective on the European encryption situation came from Georgianna Shea, the chief technologist for the Foundation for Defense of Democracies, which bills itself as “a nonpartisan think tank focused on national security and foreign policy.”

“The Europol takedown of MATRIX underscores critical implications for enterprise CISOs regarding the fleeting security of encryption. Although the exact methods used by authorities remain undisclosed, this incident highlights that no system is impenetrable, and that encryption vulnerabilities may arise from operational weaknesses as much as technical flaws,” Shea said. “CISOs should be taking note of the diminishing lifespan of current encryption standards. Cryptography generally relies on hard mathematical problems, but as computing power advances, these problems become increasingly solvable. CISOs must implement multi-layered defenses such as tokenization, zero-knowledge proofs, distributed storage, and other technologies that protect data even if encryption is compromised. This proactive approach ensures a robust defense against the accelerating evolution of both technology and threats.”

Another security specialist, Audian Paxson, principal technical strategist at Ironscales, said encrypted communication in an enterprise is surrounded by other technologies, and those other pieces of code may be the encryption app’s undoing.

“I think this MATRIX takedown shows that criminals aren’t losing because encryption is being cracked. It’s because law enforcement is targeting everything around it,” he said. “They’re going after the infrastructure, endpoints, and sometimes even the people running these platforms. It’s not Hollywood hacking.
It’s patient methodical work, like seizing servers or leveraging insider intelligence.”

Paxson noted that the Europol effort unintentionally illustrates the lack of a need for universal backdoors.

“This takedown is a perfect example of law enforcement doing their jobs without needing surveillance backdoors. Those backdoors would create a circus of problems that, to me, will make everyone less secure,” Paxson said. “Sure, law enforcement has constraints such as court orders, warrants, red tape, but here’s proof that they can take some of these platforms down. By the way, criminals don’t play by the same rules and constraints. They’ll adapt, always. They’ll move to fragmented and distributed tools, and keep exploiting the gaps.”

His takeaway? “For CISOs, the lesson here isn’t to worry about encryption failing. It’s to focus on protecting the endpoints, servers, and especially human vulnerabilities that criminals will always try to exploit, and they will do so without a court order.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3617500/european-law-enforcement-breaks-high-end-encryption-app-used-by-suspects.html