Dutch police say they have “decrypted more than 258,000 messages” sent using an expensive chat service, Ars Technica reported on Wednesday, citing a National Police Corps statement that claimed authorities in the Netherlands have achieved a “breakthrough in the interception and decryption of encrypted communication between criminals.”
The encrypted chat service in question is BlackBox Security’s IronChat, which runs on a proprietary device called the BlackBox IronPhone. Per the Register, the company behind it claimed to use a “custom implementation of the end-to-end off-the-record (OTR) encryption system to scramble messages,” and sold the service for approximately $US1,700 ($2,344) (1,500 euros) for six-month subscriptions. Dutch police allege it was intended for use by criminals, writing in their statement that “police and the Public Prosecution Service take a hard line against people who help criminals by making their activities possible.”
Authorities apparently seized control of a BlackBox Security server, though they did not disclose how they were able to intercept messages being sent through IronChat. The most likely scenario is either that the service was lying about whether it offered true end-to-end encryption, in which case the messages could not have been intercepted in transit, or that there was a flaw in its implementation that offered police an in. Dutch media reported there were several serious flaws with the software, Ars Technica added:
An article published by Dutch public broadcaster NOS said a version of the IronChat app it investigated suffered a variety of potentially serious weaknesses. Key among them: warning messages that notified users when their contacts’ encryption keys had changed were easy to overlook because they were provided in a font much smaller than the rest of the conversation. While crypto keys often change for legitimate reasons, such as when someone obtains a new phone, a new key might also be a sign a third party is trying to intercept the communications by encrypting them with a key it controls.
... [The IronChat app] also failed to automatically check if the server it used to exchange messages with other users was the correct one. A panic-button feature, which was supposed to let users instantly delete messages, was also practically useless, the article said, citing a tweet from privacy researcher Floor Terra.
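The key-change weakness described above, handled as a blocking check rather than a notice the user can overlook. This is an added example, not IronChat's code or anything from the cited reports; the `PinnedContacts` store, the `send` stand-in and the sample keys are hypothetical.

```python
import hashlib
import hmac


class KeyChanged(Exception):
    """Raised when a contact presents a key that differs from the pinned one."""


def fingerprint(public_key: bytes) -> str:
    # SHA-256 of the raw public key, hex-encoded, for out-of-band comparison.
    return hashlib.sha256(public_key).hexdigest()


class PinnedContacts:
    """Trust-on-first-use store: contact name -> pinned key fingerprint."""

    def __init__(self):
        self._pins = {}

    def check(self, contact: str, public_key: bytes) -> str:
        seen = fingerprint(public_key)
        pinned = self._pins.get(contact)
        if pinned is None:
            self._pins[contact] = seen      # first contact: pin the key
            return "pinned"
        if hmac.compare_digest(pinned, seen):
            return "match"
        # Hard failure: the caller cannot proceed by overlooking a notice.
        raise KeyChanged(f"{contact}: pinned {pinned[:16]}, offered {seen[:16]}")

    def accept_new_key(self, contact: str, public_key: bytes, confirmed_fp: str) -> None:
        # Re-pin only if the fingerprint the user confirmed out of band
        # (in person, by voice) equals the fingerprint of the offered key.
        if not hmac.compare_digest(fingerprint(public_key), confirmed_fp.lower()):
            raise KeyChanged(f"{contact}: confirmed fingerprint does not match")
        self._pins[contact] = fingerprint(public_key)


def send(store: PinnedContacts, contact: str, public_key: bytes, message: str) -> str:
    # Stand-in for the real encrypt-and-send step; check() raises before any
    # message would be encrypted to an unverified key.
    state = store.check(contact, public_key)
    return f"sent to {contact} ({state}): {len(message)} chars"


# Constructed sample keys (fixed byte patterns, not real key material).
ALICE_KEY = bytes(range(32))
OTHER_KEY = bytes(range(32, 64))
```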
A 46-year-old man behind IronChat and a 52-year-old partner in the business have been arrested, according to police, and a subsequent drug bust in Enschede resulted in seizures of about $US103,000 ($141,998) (90,000 euros), automatic weaponry, and a large quantity of MDMA and cocaine. BlackBox Security is now defunct, they added, and the IronChat service is no longer functional.
“Criminals thought they could safely communicate with so-called crypto phones which used the application IronChat,” Dutch police wrote in the statement. “Police experts in the east of the Netherlands have succeeded in gaining access to this communication. As a result, the police have been able to watch live the communication between criminals for some time.”
As Ars Technica noted, BlackBox Security claimed on its website to have been endorsed by Edward Snowden, the former National Security Agency contractor who leaked troves of documents to WikiLeaks and now resides in Russia. Though the endorsement is in all likelihood fake, Gizmodo has reached out to an associate of Snowden for comment, and we’ll update this post if we hear back.