At the moment, I’m really torn, and I need your help. Let me tell you what is going on. I read these statements and they can’t both be true, right?
“The continuous monitoring of the illegal Sky ECC communication service tool by investigators in three countries has provided invaluable insights into hundreds of millions of messages exchanged between criminals.”
“SKY ECC platform remains secure and no authorized Sky ECC device has been hacked.”
I’ll give you some more background and then you can help me decide.
It was reported today that Belgian police invaded 200 locations and arrested 48 people (this was a big headline in Belgium). Two of those people are suspected of being corrupt cops in the Antwerp police force. The police stated they were able to make these arrests because they were able to intercept and read messages on encrypted phones provided by SKY ECC.
Europol claims “invaluable insights”
Europol released a statement about the background of these actions, which started:
Judicial and law enforcement authorities in Belgium, France and the Netherlands have in close cooperation enabled major interventions to block the further use of encrypted communications by large-scale organised crime groups (OCGs), with the support of Europol and Eurojust. The continuous monitoring of the illegal Sky ECC communication service tool by investigators in the three countries involved has provided invaluable insights into hundreds of millions of messages exchanged between criminals.
It went on to describe the operations as "an essential part of the continuous effort of judiciary and law enforcement in the EU and third countries to disrupt the illegal use of encrypted communications".
SKY ECC says it “remains secure”
Sky ECC advertises itself as "most secure messaging platform you can buy", and has around 170,000 users worldwide.
In response to the articles published in the Dutch and Belgian press, SKY ECC let the public know that all allegations that Belgian and/or Dutch authorities have cracked or hacked SKY ECC encrypted communication software are false, stating:
SKY ECC is built on “zero-trust” security principles which assumes every request as a breach and verifies it by employing layers of security to protect its users’ messages. All SKY ECC communications are encrypted through private tunnels via private distributed networks. All messages are encrypted with today’s highest level of encryption.
Are you still with me? Now, if we think hard, there are some scenarios where both statements could be true. Maybe the police are talking about analysing unencrypted meta data, or had access to a limited number of decryption keys. Or maybe they had someone on the inside feeding them information. But those go out of the window when we read the Europol statement and find the sentence “By successfully unlocking the encryption of Sky ECC...”
Who can you trust?
"Who do we trust?" is an important question in many security and privacy related matters. It may be the way I was raised, but I tend to trust the police in these matters, even if not every police force is equipped to deal with modern cybercrimes.
Of course, there is a chance that whoever drafted the Europol statement made an error, or that "unlocking the encryption" is a deliberate red herring to protect another source. But I cannot overlook that Europol and Eurojust (European Union Agency for Criminal Justice Cooperation) happen to have an excellent track record in this field.
SKY ECC on the other hand has every reason to deny it has been breached. Proof that it has could prove to be destructive for a company whose customers are invested in trusting its equipment and services.
A third possibility
There is a third possibility too, raised in the SKY ECC statement. In it, the company says (my emphasis) "distributors in Belgium and the Netherlands brought to our attention that a fake phishing application falsely branded as SKY ECC was illegally created, modified and side-loaded onto unsecure devices, and security features of authorized SKY ECC phones were eliminated in these bogus devices which were then sold through unauthorized channels."
If the police hacked, or even created, an insecure imposter device they can monitor—one that fools potential criminals into believing they have the real thing—then it is possible for both sides to be telling at least a partial truth.
Is the proof in the pudding?
Arrests in these countries are not made lightly, so the police force must have had some information to go on. And the sheer number of arrests made leads us to believe that this was not the result of the police having access to one device (one server may be a more likely option, or many fake devices).
As you can tell, I seem to have made up my mind along the way. But we appreciate your thoughts on the matter.
If any side decides to reveal more information, we will keep you updated.
Stay safe, everyone!