Federal law enforcement authorities in the U.S., as well as governments worldwide, face a continuing dilemma as a result of encryption, the everyday tool meant to protect our privacy. After the terrible mass murders in Dayton, Ohio, the FBI struggled for days to get into the mobile phone of the shooter to understand what happened and whether others had conspired with him. The same thing happened nearly four years ago after the horrific shootings in San Bernardino, Calif.
Counterterrorism requires prevention and preparedness. But today, identifying threats before they happen is nearly impossible, as extremist groups like Boko Haram and ISIL take advantage of smartphones with encrypted technologies to covertly plot their attacks. Platforms like WhatsApp and Viber help smartphone users keep their personal data private but can also be exploited for nefarious purposes. Like encryption, terrorists and extremists can use the Darknet to mask their communication and propaganda efforts, recruit and radicalize, and gain material benefits in the form of illicit goods, such as weapons and fraudulent documents.
El Chapo, the Mexican drug lord, operated undetected for years by running his cartel using encrypted messages. The investigation into coordinated terrorist attacks in France has quickly turned up evidence that members of the Islamic State (ISIS) communicated with the attackers from Syria using encrypted communications, according to French officials. Al Qaeda has used various forms of encryption to hide files on websites for dissemination, as well as using encrypted or obfuscated files carried on CDs or USB drives by couriers. The organization has heavily used steganography to conceal electronic documents—even files within pornographic videos on websites—rather than relying on e-mail, and has used the technique since before the September 11, 2001 attacks.
Former CIA Deputy Director Michael Morell said in an interview on CBS’, “I think what we’re going to learn is that these guys are communicating via these encrypted apps, this commercial encryption which is very difficult or nearly impossible for governments to break, and the producers of which don’t produce the keys necessary for law enforcement to read the encrypted messages.”
“Something that concerns not just the FBI but all law enforcement is what we call ‘lawful access.’ Technology companies are deploying encryption software in which the customer can encrypt and only (they) and the end-user can access,” said Luis M. Quesada, special agent in charge of the El Paso Field Office.
Encryption is useful when it comes to protecting private information like banking, he said, but unrestricted use of this technology could pose a threat to the public. “It means we couldn’t follow kidnappings, child pornography, terrorist acts … the lone terrorist shooters which usually communicate through (digital) platforms,” he said. “We want to know if the shooter was communicating with somebody else, if he was being radicalized. It could lead us to somebody else to prevent the next event. Or if we arrest a child pornographer we’d like to know who he’s communicating with so we have a map of who he’s (talking to) and save more kids,” Quesada said.
Intelligence agencies are considerering variety of measures and technologies . Calls have been made by governments to allow ‘backdoors’ to encryption in apps such as Telegram. A joint statement from leaders in Australia, Canada, New Zealand, the UK, and the U.S., collectively known as the Five Eyes, outlines the “urgent need” for law enforcement to overcome this gap, explaining: “The inability of intelligence and law enforcement agencies to lawfully access encrypted data and communications poses challenges to law enforcement agencies’ efforts to protect our communities.”
The FBI has called for laws mandating encryption backdoors, but these laws would be mostly futile. They do not apply to software or phones created in other countries, for example. They do not apply to jihadist programmers who create their own apps based on open-source software. This is why many in the intelligence community, such as former head of the NSA Michael Hayden, oppose backdoors
While end-to-end encryption itself difficult to break , intelligence agencies have been able to hack the software on the ends and take advantage of users’ mistakes. The NSA’s vast compute power will not be dedicated to complex encryption algorithms but to the rather simpler task of guessing terrorist’s passwords.
Advances in lawful interception tools mean government agencies with a sworn duty to protect civilians can overcome encryption to access vital intelligence so criminals can’t plot behind an impregnable wall. These technologies can and have prevented tragedies, with the public undisturbed. Moreover, they are designed for careful, highly targeted and limited use, making surveillance less invasive but more effective than ever before.
Intelligence agencies are also looking to Quantum computers that shall bring power of massive parallel computing i.e. equivalent of supercomputer to a single chip. They shall also be invaluable in cryptology and rapid searches of unstructured databases. The spy agencies are now giving thrust to development of Quantum computers which can break this encryption used by terrorists.
Encryption and Opsec Methods for hiding
A cell phone already uses encryption to talk to the nearest cell tower. This is because hackers could otherwise eavesdrop on radio waves to listen in on phone calls. However, after the cell tower, phone calls are not encrypted as they traverse copper wires and fiber optic cables. It is considered too hard for nefarious actors to dig up these cables and tap into them.
In a similar manner, older chat apps only encrypted messages as far as the servers, using what is known as SSL. That was to defeat hackers who would be able to eavesdrop on internet traffic to the servers going over the Wi-Fi at public places. But once the messages reached the servers, they were stored in an unencrypted format because at that point they were considered “safe” from hackers. Law enforcement could still obtain the messages with a court order.
Newer chat apps, instead of encrypting the messages only as far as the server, encrypt the message all the way to the other end, to the recipient’s phone. Only the recipients, with a private key, are able to decrypt the message. Service providers can still provide the “metadata” to police (who sent messages to whom), but they no longer have access to the content of the messages.
The online messaging app Telegram was one of the earliest systems to support end-to-end encryption, and terrorists groups such as the Islamic State took advantage. These days, the feature has been added to most messaging apps, such as Signal, Wickr, and even Apple’s own iMessage. Recently, Facebook’s WhatsApp3 and Google4 announced they will be supporting Signal’s end-to-end encryption protocol.
Such end-to-end encryption relies upon something called public-key cryptography. Two mathematically related keys are created, such that a message encrypted by one key can only be decrypted by the other. This allows one key to be made public so that one’s interlocutor can use it to encrypt messages that the intended recipient can decrypt through the private-key.d Al-Qa`ida’s Inspire magazine, for example, publishes its public-key so that anyone using PGP can use it to encrypt a message that only the publishers of the magazine can read.The reason an iPhone is secure from criminals is because of full device encryption, also full disk encryption. Not only is all of the data encrypted, it is done in a way that is combined or entangled with the hardware. Thus, the police cannot clone the encrypted data, then crack it offline using supercomputers to “brute-force” guess all possible combinations of the passcode. Instead, they effectively have to ask the phone to decrypt itself, which it will do but slowly, defeating cracking
On personal computers, the software known as PGP, first created in the mid-1990s, reigns supreme for end-to-end encryption. It converts a message (or even entire files) into encrypted text that can be copy/pasted anywhere, such as email messages, Facebook posts, or forum posts. There is no difference between “military grade encryption” and the “consumer encryption” that is seen in PGP. That means individuals can post these encrypted messages publicly and even the NSA is unable to access them. There is a misconception that intelligence agencies like the NSA are able to crack any encryption. This is not true. Most encryption that is done correctly cannot be overcome unless the user makes a mistake.
The reason an iPhone is secure from criminals is because of full device encryption, also full disk encryption. Not only is all of the data encrypted, it is done in a way that is combined or entangled with the hardware. Thus, the police cannot clone the encrypted data, then crack it offline using supercomputers to “brute-force” guess all possible combinations of the passcode. Instead, they effectively have to ask the phone to decrypt itself, which it will do but slowly, defeating cracking
Full disk encryption is also a feature of personal computers. Microsoft Windows comes with BitLocker, Macintosh comes with FileVault, and Linux comes with LUKS. The well-known disk encryption software TrueCrypt works with all three operating systems as does a variation of PGP called PGPdisk. Some computers come with a chip called a TPMg that can protect the password from cracking, but most owners do not use a TPM. This means that unless they use long/complex passwords, adversaries will be able to crack their passwords.
These programs can also produce volume or container files. They will exist as a normal file on the disk, like foobar.dsk. But the contents of this file will look like random gibberish. When the file is opened with the encryption software, it will appear as a disk drive (like F:) on the computer. Anything written to this virtual drive F: will, in fact, be encrypted and written to foobar.dsk.
Encryption is only one way of hiding. To describe this, technologists often use the word opsec, or operational security. Most chat apps (like Telegram and Wickr) now have a feature where old messages automatically self-destruct after an hour or a day, as well as the option to manually delete messages. It means incriminating evidence disappears without any interaction by the user. For law enforcement, this can mean that when a terrorist’s phone is obtained, most of the evidence may already be gone. On desktops/laptops, there is special software, such as “Windows Washer” on Windows, for wiping the disks, designed to get rid of any remaining information. It is also a feature on web browsers, which can automatically delete browser history.
One industry leader for opsec is “Tails,” which is frequently mentioned on terrorist forums. It contains all the encryption tools and more. Tails is a live flash drive, which means when a user inserts it into the computer, no trace is left on the computer. Tails boots the Linux operating system, which is similar to Windows or Mac OS in most ways. It is a bit clunky but easy enough to use. Most importantly, it reduces the chance that the user will make a mistake because once the USB drive is removed and the computer is shut down, there will be no accidental evidence left behind. Tails includes a normal web browser like Firefox that runs through Tor. It includes PGP and Pidgen+OTR for end-to-end encrypted email/messages. It includes LUKS (Linux Unified Key Setup) for full disk encryption of the USB drive, so that even if the user loses it, no one will be able to decrypt the lost drive.
Between 2009 and 2010 he and Rajib Karim, a British Airways call center worker based in Newcastle, set up an elaborate system of encrypted communications to plot attacks against British and American aviation. The intricate system, outlined in a 2011 trial in which Karim was convicted of terrorism offenses, involved Karim using end-to-end encryption to send messages to his brother in Yemen, who was in contact with al-Awlaki.
They used a multi-layered process to encrypt the messages. First, the text message was pasted into an Excel document, which used their own macros to encrypt the message. Second, the result of that encryption was copied and pasted into a Word document, then saved with Microsoft’s “password protect” feature, which is unbreakable if long and complex passwords are chosen. Third, the Word document was compressed and encrypted using the RAR program, which is also unbreakable if long and complex passwords are chosen. Lastly, they uploaded to web hosting sites through a URL shortener in an attempt to anonymize the metadata. Police described his use of encryption as “the most sophisticated they had seen in a British terrorist case.”
Karim practiced good opsec by using the program “Windows Washer” and other Windows tools to keep his laptop clean of any incriminating evidence. He used full disk encryption in order to put all of his plans as well his encrypted communications with al-Awlaki on an external hard disk, separate from his laptop
While PGP was installed on the computer, Karim does not appear to have used it to encrypt and decrypt messages, perhaps out of paranoia about the capabilities of Western intelligence agencies, but instead used an unorthodox and complex technique based on cipher codes and passwords stored on Excel spreadsheets. His biggest slip-up was that he had saved this spreadsheet on his computer, allowing British police over a period of several months to decipher the messages stored on his external hard drive and use them as evidence against him.
Another bizarre technique uncovered by intelligence agencies was to use a TrueCrypt volume file in which full disk encryption was used as a replacement for end-to-end encryption. The system involved creating text files with messages inside the virtual disk drive, then uploading the container file to file-sharing websites. By creating a file in a virtual disk drive, no other copy would exist on the system.Once Hame was caught and interrogated, his technique would have been conspicuous, making it easier for the NSA and its European counterparts to track the metadata of others using this technique.
Methods used by Intelligence agencies
In 2013, Edward Snowden released documents from the NSA8 revealing widespread mass surveillance, even of U.S. citizens. This surveillance did not eavesdrop on the phone calls of people in the United States but instead collected the metadata about the calls: who was calling whom and for how long. Reportedly the United States has targeted overseas terrorists with drone strikes based on this metadata. A survey of terrorist publications and details that have emerged from interrogations suggest that terrorists are at least as concerned about hiding metadata as they are about encrypting communications. But the various chat apps/services now available on the market do little to hide metadata. Servers must know the address or phone number in order to know where to forward the message.
The most common way to deal with this problem on the internet is through a service called Tor (The Onion Router). It passes traffic (encrypted) through multiple proxy servers around the internet controlled by different organizations, often private individuals. This makes it sometimes very difficult and at times even impossible to figure out the source of network traffic.
As the Snowden leaks revealed, Tor is a double-edged sword for intelligence services. Reportedly, U.S. government agencies had a role in Tor’s development, have provided funding for it, and have used it to hide their own activities. Yet intelligence agencies spend significant resources trying to defeat it when terrorists use it.
With an internet address, intelligence services could discover the unique identifier of the phone (known as the IMSI or International Mobile Subscriber Identifier). This would require intelligence services to hack into the phone company servicing the Islamic State or to utilize a paid informant on the inside. Then IMSI catchers in drones/airplanes flying overhead can be used to pinpoint the radio signals coming from the phone.
In end-to-end encryption, it is no longer viable to crack the encryption in the middle. Intelligence agencies must instead hack the software on the ends. According to reports, in the drone strike that killed Junaid Hussain (and fellow militant Reyaad Khan), British agents were able to find their physical location by “hacking” their end-to-end encrypted app Surespot. With a virus, they can do all that and more. Instead of grabbing the IMSI from the phone company, the virus can simply acquire it from the phone. Instead of planes flying overhead, the phone itself can report its GPS location on a regular basis via the internet. Intelligence services like the GCHQ and NSA have such viruses in their arsenal, known as implants, which use what is known as “0dayn exploits” to break into the phone as soon as a user taps on a link within the Surespot app.
0days are the archetypal cyber weapon. Intelligence services can point them at a target, gain control of the computer, and implant a virus that allows them to maintain control. This technique gets away from remote signals detection to find a target, which was the traditional role of the NSA, and moves toward subverting the device to monitor itself. 0day exploits will likely be the most common way the NSA will eavesdrop on communications in the future – by hacking the “ends” of end-to-end communication with an 0day.
Companies introduce secure mobile messaging apps
Companies have started introducing a new generation of secure mobile communication apps to address the privacy concerns of most users living in the post-Snowden world. The following analysis by John E Dunn in “The best secure mobile messaging apps 2016.”
WhatsApp’s Signal Protocol
In April 2016, the Signal protocol was rolled out as a mandatory upgrade to all WhatsApp users across all mobile platforms. At a stroke it also made Open Whisper Systems the most widely used encryption platform on earth, albeit one largely used transparently without the user realising it. Whisper Systems improves security by using true end-to-end encryption with perfect forward secrecy (PFS). This means the keys used to scramble communication can’t be captured through a server and no single key gives access to past messages.
Signal was designed as an independent end-to-end platform that transports messages across its own data infrastructure rather than, as in the past, Google’s Google Cloud Messaging (GCM) network. The App itself can be used to send and receive secure instant messages and attachments, set up voice calls, and has a convenient group messaging function. Security is based on OTR protocol, uses AES-256, Curve25519 and HMAC-SHA256; voice security is based on ZRTP.
BlackBerry Messenger (BBM)
BlackBerry Messenger (BBM) has broader compatibility than most messaging apps; it’s the obvious pick for BlackBerry users, and it’s also available for Android, iOS and Windows Phone devices. Instead of connecting with others using phone numbers or email addresses, each user is identified by a unique personal identification number (PIN). That keeps the service private and gives you more control over who contacts you. All messages are encrypted during transmission, and pass through a firewall before they hit BlackBerry’s servers, so they can only be decrypted by a private key on the intended receiver’s device. Individual businesses can also obtain a unique encryption key for an extra layer of security.
Cryptique’s Pryvate
Launched in November 2015, Cryptique’s Pryvate is intended for use by businesses as competition for high-end mobile security such as the Blackphone/Silent Circle which embeds software inside a secured version of Android. As with that service, Pryvate is another do-it-all voice, video, messaging, IM, secure file transfer, and secure storage app (integrating with Dropbox, One drive, BOX) and will integrate with third-party email clients for added convenience.
On the subject of Silent Circle, the underlying voice and IM protocol used by Pryvate is Phil Zimmermann’s ZRTP perfect forward secrecy encryption. Other features is IP shielding whereby uses can bypass VoIP and IM blocking without giving away their real IP address – the app tunnels across the Internet using Pryvate’s own UK Jersey-based servers.
The security is based on 4096-bit encryption, with AES 256-bit key management. Complex mini PKI design with perfect forward secrecy design.
Telegram
Launched by two Germany-based brothers in 2013 Telegram’s distinctiveness is its multi-platform support, including not only and Android and iPhone but Windows Phone as well as Windows OS X and even Linux. With the ability to handle a wide range of attachments, it looks more like a cloud messaging system replacing email as well as secure messaging for groups up to 200 users with unlimited broadcasting.
Telegram differs from the other apps, starting with the fact that users are discoverable by user name and not only number. This means that contacts don’t ever have to know a phone number when using Telegram, a mode of communication closer to a social network. The platform is also open to abuse, if that’s the correct term, including reportedly being used by jihadists for propaganda purposes, which exploit its broadcasting capability. Security is based on MTProto protocol, 256-bit symmetric AES encryption, RSA 2048 encryption and Diffie–Hellman secure key exchange
Ceerus
Ceerus is a new secure Android voice, video and messaging app from UK startup SQR Systems, designed to secure voice and video as well as messaging, Ceerus is a step up in from some of the free apps looked here in that it can scale to departmental, enterprise, and government use and can cite a British defence giant as a trial customer
Gilph
Gliph is a secure messaging service on Android and iOS that you can use on all of your computing devices on Android app on your smartphone or as the desktop app. Another key feature is “Real Delete,” which lets you permanently delete a message from both the sending and receiving device, as well as the Gliph server, whenever you choose. You can also attach a pseudonym to your main account at any time, so you can use a screen name for personal chatting and switch back to your real name for professional communications.
Wicker
Wickr (available for Android and iOS) provides a host of security features. The secure messaging app that not only features end-to-end encryption for all messages, it also lets you set an expiration date for every message you send after which it gets automatically deleted. It also lets you remove metadata from individual messages, such as the time it was sent, as well as geo-location data.
It’s fair to say that police and intelligence services are now worried about the improved security on offer from these apps, which risks making them favoured software for terrorists and criminals. That said, they are not impregnable. Using competent encryption secures the communication channel but does not necessarily secure the device itself. There are other ways to sniff communications than breaking encryption.