Encrypted messaging service eavesdropped on by police, users arrested
After eavesdropping on yet another encrypted messaging service for five months, law enforcement agencies decided to shut down the service that was popular among members of organized crime groups.
The service called Exclu claims to use the “most secure encryption protocols”, as well as end-to-end encryption to ensure that only the sender and the person they’re communicating with can read what’s sent, not even Exclu itself.
That these claims were not entirely true can be concluded from the 42 arrests made on Friday, February 3, 2023, in the Netherlands, Belgium, and Germany. Among those arrested were not only users of the messaging service, but also the owners and operators of Exclu.
Exclu
Exclu was an app marketed as an end-to-end-encrypted messaging service and users paid €500 (roughly $540) for three months’ use. The police estimate there were some 3000 users, most of them involved in criminal activities and many of them part of organized crime groups.
Exclu joins a list of encrypted messaging services—including Ennetcom, Encrochat, and Sky ECC—that eventually saw a lot of their users getting arrested. And let’s not forget the fake An0m service that was set up and run by law enforcement in a sting operation.
You’d almost recommend criminals to save themselves some money and use WhatsApp or Signal, but maybe it’s better this way.
Broken how?
Assuming that the Exclu operators knew what they were doing, how is it possible that law enforcement could listen in on end-to-end encrypted messages?
Options that are available to various levels of law enforcement include, but are not limited to:
- Eavesdropping on unencrypted or misconfigured communications of a suspect’s contact.
- Collecting unencrypted metadata to characterize the encrypted data.
- Detaining the suspect indefinitely until they “voluntarily” decrypt the device.
- Grabbing unencrypted data at rest.
- Eavesdropping on other channels where the suspect describes the encrypted data.
I think the most important clue can be found in the statement by the German department of justice (Generalstaatsanwalt). It says the investigation, which was initiated in 2020, came about after finding a “Cyberbunker” in Traben-Trarbach, Germany, where the messaging service was hosted and operated from. Seizing a server, or copying its contents, could provide the investigators with enough data at rest, clues about weaknesses in the encryption routine, or even encryption keys to enable eavesdropping on all or some conversations.
In the case of Ennetcom, the Dutch police managed to decrypt a number of messages stored on a server found in Canada, despite a similar claim that messages supposedly were being protected with end-to-end encryption. The Dutch police were contacted in 2020 by German police to assist in the investigation, and have had quite a lot of experience with this kind of operation.
Encryption and law enforcement
Listening in on the conversations of people against whom you have no evidence is not allowed in many countries. But in this case, the authorities had very good reason to assume that this was a service provided with the intention of enabling organized crime.
The high fees may explain why many of the Exclu clientele operated on the wrong side of the law. Other parties that might have a vested interest in keeping their chat messages secret include government parties, journalists, security professionals, or lawyers. However, there are cheaper alternatives for legitimate secret-keeping that law enforcement does not target.
Thankfully, breaking encryption is not easy; doing so depends on finding a flaw in the implementation. Usually, eavesdropping relies on intercepting messages before they are encrypted on the sender’s end or after they are decrypted on the receiver’s end, or on finding one or more keys on a server.
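Added example (not from the article, and not Exclu’s code): a toy Python model of the point above, in which the same seized datastore is examined for two relay designs, one that keeps a copy of users’ keys on the server and one that only relays ciphertext. The cipher, users, and message are constructed for illustration only.

```python
import hashlib
import hmac
import os

NONCE_LEN = 12


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 keystream XORed with data (demo only, not for real use)."""
    stream, block = bytearray(), 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + xor_stream(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return xor_stream(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


class RelayServer:
    """Hypothetical relay: always stores ciphertext plus routing metadata; `escrow` decides whether keys are stored too."""

    def __init__(self, escrow: bool):
        self.escrow, self.keys, self.mailbox = escrow, {}, []

    def register(self, user: str, key: bytes) -> None:
        if self.escrow:  # "key backup" convenience feature = the server holds the keys
            self.keys[user] = key

    def relay(self, sender: str, recipient: str, blob: bytes) -> None:
        self.mailbox.append((sender, recipient, blob))


def seize_and_recover(server: RelayServer) -> list:
    """What a full copy of the server yields: metadata always, plaintext only if keys are present."""
    recovered = []
    for sender, recipient, blob in server.mailbox:
        key = server.keys.get(recipient)
        recovered.append({"from": sender, "to": recipient, "size": len(blob) - NONCE_LEN,
                          "plaintext": decrypt(key, blob) if key else None})
    return recovered


def run(escrow: bool) -> list:
    server = RelayServer(escrow)
    shared_key = os.urandom(32)  # constructed: key agreed between the two clients out of band
    server.register("bob", shared_key)
    server.relay("alice", "bob", encrypt(shared_key, b"meet at the usual place"))
    return seize_and_recover(server)
```

With `escrow=True` the seized copy yields the plaintext; with `escrow=False` it yields only who talked to whom and how much, which is the metadata point made earlier in the article.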