Police hack PGP server with 3.6 million messages from organized crime BlackBerrys
For privacy advocates: store encryption keys in the TPM and/or TEE?
Custom PGP BlackBerry smartphones allegedly used by criminal gangs for secure messaging have suffered a setback
Dutch police say they've managed to crack data held on a private server protected by end-to-end encryption, as part of an investigation into the alleged sale of secure BlackBerry devices linked to organized crime.
The country's national police service last week revealed it had analyzed 7TB of data that was partially encrypted with PGP privacy and authentication software on a Canada-based server.
Now with "access to 3.6 million encrypted messages within organized crime", the police said the information is being used in investigations into multiple crime rings involved in assassinations, armed robbery, drug trafficking, and money laundering.
Since last spring, the Dutch and Canadian police have been cooperating to identify customers of Netherlands-based tech company Ennetcom. Toronto police seized Ennetcom's main server last year and presented a copy of it to the Dutch police in September 2016.
Charging about €1,500 ($1,600) per device, Ennetcom sold custom PGP BlackBerry smartphones, often with the camera and microphone removed, offering end-to-end messaging encryption.
These custom PGP BlackBerry devices are strongly linked to organized crime rings, which rely on the encryption to theoretically thwart surveillance from the authorities.
The Netherlands Forensics Institute, together with the Dutch police, has been using a dedicated, forensic search engine called Hansken to analyze the BlackBerry messages' metadata, which was not encrypted.
By the end of last year, the Dutch police were able to identify more than 1,000 users of Ennetcom's custom BlackBerry devices and their aliases.
As reported by Motherboard, a September 2016 filing by a Canadian court revealed that the Dutch police were able to decrypt the PGP-encrypted messages because investigators may have found the decryption keys on the seized server itself.
The Dutch police's server raid could be seen as yet another example of the Dutch government's back-and-forth stance on digital privacy. The police search also raises questions over how relevant digital backdoors may be as authorities find resources to expand their powers of surveillance.
Despite the hack on Ennetcom's server, the Dutch are generally known for supporting a citizen's right to privacy.
In December 2015, the Dutch government voted to give financial support to three open-source programs to improve data security across the web at a time when other countries were pressuring large tech companies to grant national governments special access, or backdoors, to their customers' data.
But the Dutch police have been pushing forward with their own digital strategies that could be used to breach privacy without the tech companies' help.
In addition to its strategies in the Ennetcom hack, the police force now exploits zero-day bugs, in a similar fashion to the methods allegedly exposed by the recent CIA leaks, for official investigations without involving tech manufacturers.