Reeds Solicitors: COMPLEX CRIME TEAM

EncroChat Hack

What does it mean for an EncroChat user

Encrypted phones, hacking, EncroChat, serious complex crime

 

Important Security Notice

Date Issued: 2020-06-12
Date Viewed: 2020-06-13

Today we had our domains seized illegally by government entities. They repurposed our domain to launch an attack to compromise carbon units.

With control of our domain, they managed to launch a malware campaign against the carbon to weaken its security.

Due to the level of sophistication of the attack and the malware code, we can no longer guarantee the security of your device. We took immediate action on our network by disabling connectivity to combat the attack.

You are advised to power off and physically dispose of your device immediately. Period of compromise was about 30 minutes and the best we can ascertain was about 50% of the carbon devices in Europe (due to the Updater schedule).

What is EncroChat?

EncroChat was a European communication network and service provider. EncroChat offered its users the ability to send encrypted messages, make encrypted calls (EncroTalk) and write encrypted notes (EncroNotes). This was achieved through specially modified Android phones running the Encro software, which not only provided high levels of encryption on the device, but also routed all data through a central server located in France, providing end-to-end encryption of calls and messages. The EncroChat phones (called ‘carbon units’) also provided a ‘panic wipe’ facility, where the phone could be wiped clean at the touch of a button, or if an incorrect PIN was entered, and even allowed for the phone to be wiped remotely.

EncroChat made it relatively straightforward to acquire a ‘military grade’ encrypted phone and was designed to provide a user with complete privacy. Interest in this kind of service has grown considerably since such incidents as the News of the World phone hacking scandal, and many celebrities and other high net worth individuals have been willing to pay for guaranteed privacy, as its userbase of 60,000 across Europe and 10,000 in the UK attests.

What was the EncroChat hack?

The complete privacy provided by the EncroChat service has attracted a userbase that includes a criminal element, and for this reason it has been targeted by European police agencies for information gathering and surveillance. In May 2020 EncroChat became aware that there was a potential malware infection on a model of phone used as a popular carbon unit, the BQ Aquaris X2. The malware was causing problems with the panic wipe feature, and whilst EncroChat initially thought it was user error, when they were able to investigate an affected phone directly they quickly realized that their software had been compromised; the phone had been hacked. Because the phone itself was the target of the hack, the intruder could read messages before they were sent. EncroChat attempted to fight the intruders, but it quickly became clear that the hackers were so sophisticated that they could only be a government agency.

EncroChat shut down its service in June 2020.

Operation Venetic and Eternal

In April 2020 the NCA began Operation Venetic and the Metropolitan Police began Operation Eternal. These agencies obtained millions of text messages and images from the EncroChat network resulting in numerous arrests and the seizure of millions of pounds of drugs, cash and weapons.

It is clear that these agencies had been listening to much of the communications traffic on the EncroChat network for months before the hack was noticed and the service shut down. Whilst we have already seen over 700 arrests, it is clear that this is just the tip of the iceberg.

Dame Cressida Dick, the Metropolitan Police Commissioner, said: “this is just the beginning. We will be disrupting organised criminal networks as a result of these operations for weeks and months and possibly years to come.”

Nikki Holland, director of investigations at the NCA, said: “this is the broadest and deepest ever UK operation into serious organised crime.”

Whilst the current target is serious organised crime, it is thought that the NCA is sharing its intel with various other government agencies, such as HMRC, and so we would expect the scope of the investigations spawned by the EncroChat hack to widen over the coming months and years.

Can the data from the hack be used in court?

The first question that needs to be answered is: can the data obtained through the hacking of the carbon units be admitted in court? Unfortunately the answer is not yet clear.

Section 56(1) of the Investigatory Powers Act 2016 (IPA 2016) states that no interception evidence (which is what evidence produced by the hack would count as) can be relied on, as long as the interception is carried out in the UK and at least one of the parties to the communication is in the UK.

The question will be whether the hack took place in the UK. Information about the nature of the hack is scarce, and we are unlikely to get the full picture until the first cases go through the court system and the police are forced to disclose the methodology. On the information that we have right now, it appears that the hack itself took place on a French server by French authorities, and so on the face of it s.56(1) IPA 2016 would not apply. However, there is also a suggestion that the malware was detected on the carbon units themselves, and it was this malware that provided access to the messages rather than access to the server itself. If this is correct, then there may be an argument that the relevant interception took place in the UK and as such s.56(1) IPA 2016 should apply.

The next question that needs to be asked is whether the authorities properly applied for, and had been granted, the appropriate judicial authority to hack the EncroChat servers and the users’ carbon devices. As it was the French authorities undertaking the hack, it is as yet unclear as to whether the appropriate authority was in place. While this avenue of defence will of course be assessed in due course as these cases run through the courts, it is reasonable at this point to assume that the proper authority would have been in place.

The final question is that of attribution: will the police and the prosecution be able to link the individual with the phone, given the high level of privacy measures in place on the phone? This question can only be answered on a case by case basis, and may well turn on whether the phone was found in the possession of the individual or the police have photographs or other evidence of the device being used by the individual. It will be the job of the defendants’ representatives to make the prosecution prove this beyond reasonable doubt.

 

What to do if you were an EncroChat user

If you were an EncroChat user then the most important action you can take is to assess the risk of being caught up in an investigation, determine the likely nature of that investigation and then create a plan of action for each eventuality. This can only be done with the help of an experienced professional with specific subject matter knowledge in this area of law and with EncroChat phones.

Preparation is an important part of any defence, and the more time spent getting the right advice before you are arrested, the better prepared you will be.

Julian Richards leads a team with unparalleled experience in complex investigations relying on large amounts of computer and telecommunication evidence.

If you were an EncroChat user and have any concerns at all that you might be caught up in an investigation, contact us as soon as possible and we will help you plan for the possibility.

Contact Julian Richards through our contact page, or call him on 01865 260230.