Ghost In The Wire

Jamieson O'Reilly

Sep 24, 2024

Disclaimer

Dvuln does not support or condone any form of criminal activity, and we strongly discourage anyone from engaging in illegal actions.

While we recognise that some individuals may misuse secure communication tools for unlawful purposes, we believe that the actions of a few should not undermine the fundamental rights of the many.

Our aim is to highlight the importance of robust security practices and to demonstrate how vulnerabilities can compromise even the most secure systems (by their own claims).

In exposing these weaknesses, we hope to educate users—whether individuals, corporations, governments, or private entities—on the critical intersection between security and privacy.

Finally, a large amount of identifying information has intentionally been left out of this report.

Introduction

When you strip away morals, laws, ideologies and everything else in between, you’re left with pure, objective information.

I’m talking about the ones and zeros, the black and white with no shades of grey in-between.

Throughout history, those with greater access to, and control over, information have been far better off than those with less; that is the significance of information superiority.

With that said, if information is power, then securing information means the difference between keeping power and losing it.

This report aims to objectively analyse the factors surrounding data security including observations made related to the recent global law enforcement operation “Kraken”.

Preface

In the early hours of September 17th 2024, around 700 members of the Australian Federal Police executed search warrants across four Australian states as part of a takedown effort alongside law enforcement from Canada, France, Iceland, Ireland, Italy, the Netherlands, Sweden and the USA.

While the execution was swift, and the scale of which information superiority was obtained - extensive, this was only possible due to a well orchestrated and well researched plan.

GhostChat had been in operation since 2015, but it wasn't until 2022 that Europol established an international taskforce targeting the network and invited the Australian Federal Police to participate. The AFP would eventually go on to infiltrate the network via the regular software updates delivered to customer devices, allowing it to record criminal communications.

In summary:

  • 9 Years of operations

  • 2 years of targeting

  • 6 months of tailored access

  • and 1 single attack path

This is an excellent lesson in how quickly security, or the lack of it, can change the balance of information superiority.

The Evolution of the Encrypted Device Market

Before we delve into the specifics of GhostChat, it's important to understand the landscape that preceded it, as the encrypted device market has evolved over the last decade, with each iteration introducing new technologies and with these, new vulnerabilities.

This historical perspective provides the necessary foundation to:

  • Understand GhostChat's place in the evolution, and recognise how it fits into the broader landscape of encrypted communication services.

  • Identify recurring vulnerabilities, by observing how similar weaknesses have been exploited across different platforms and generations.

  • Open dialogue on the future of encrypted communications and their use among criminal enterprises.

History Lesson: The Evolution of the Encrypted Device Market

The encrypted device market has undergone several transformations, characterised by varying uses and combinations of existing technologies rather than entirely new inventions.

At Dvuln, we categorise this evolution into four distinct generations, each with unique traits and with those, unique vulnerabilities:

  • Generation 1: Centralised PGP BlackBerry Devices utilising Blackberry Enterprise Services (BES)

  • Generation 2: Android Devices with PGP Email and Blackberry’s UEM capabilities

  • Generation 3: Devices that moved away from PGP e-mail to end-to-end encrypted (E2EE) instant messaging, still leveraging BlackBerry's UEM capabilities for device management

  • Generation 4: Hardened, customised operating systems with Off-the-Shelf E2EE Apps such as Signal, Threema and others.

As additional encryption protocols have emerged and seen wider use, such as Signal's X3DH (Extended Triple Diffie-Hellman) key agreement protocol, each generation has adapted to incorporate these advancements.

These protocols have enhanced security by providing features like forward secrecy and deniability, influencing how encrypted communication platforms are designed.

By exploring each generation, we can better understand the shifting strategies of both secure communication providers and law enforcement agencies.

This evolution has also been documented by various Government agencies, such as mentioned in the New South Wales Crime Commission Annual Report 2022-23:

“In 2022-23, the encrypted criminal communications market in Australia changed at an unprecedented pace. SOC entities have largely ceased using traditional dedicated encrypted criminal communications devices (‘DECCDs’) due to concerns about the security, stability and accessibility of these platforms. DECCDs are increasingly being replaced with encrypted messaging communications applications, such as Threema, Signal and Wickr, which are installed on ‘hardened’ handsets with VPNs, secure operating systems and falsely subscribed SIM cards.”

Ref: https://www.parliament.nsw.gov.au/tp/files/187075/2022-23 Annual Report - New South Wales Crime Commission.pdf

As encrypted communication protocols become more sophisticated, the methods used by law enforcement to infiltrate these systems will also evolve.

Analysing Key Infiltrations: Lessons from Past Cases

Ennetcom (2016)

  • Generation: 1

  • Unique Traits: Centralised PGP email on BlackBerry devices managed via BES.

  • Users: Estimated 19,000 globally.

  • Method of Attack: Dutch authorities seized servers located in the Netherlands and Canada. Data recovery techniques were used to extract information from the servers.

  • Outcome: Access to millions of messages led to numerous arrests and the disruption of criminal activities.

  • Takeaway: Centralised server infrastructure presents significant vulnerabilities that can be exploited by law enforcement.

Ref: https://www.vice.com/en/article/dutch-cops-say-theyve-decrypted-pgp-messages-on-seized-server/

Ref: https://www.canlii.org/en/on/onsc/doc/2016/2016onsc5699/2016onsc5699.html?searchUrlHash=AAAAAQAIZW5uZXRjb20AAAAAAQ&resultIndex=1

PGP Safe (2016)

  • Generation: 1

  • Unique Traits: Centralised PGP email on BlackBerry devices.

  • Users: Estimated thousands.

  • Method of Attack: Dutch police gained access to the servers and were able to decrypt messages.

  • Outcome: Decryption of over 700,000 messages, aiding in multiple criminal investigations.

  • Takeaway: Centralised key management and server storage of messages are critical vulnerabilities.

Reference: https://e-justice.europa.eu/eclisearch/NL001/nl/ECLI:NL:GHARL:2022:10114.html?country-coded=NL&index=0&court=NL-GHARL&ascending=false&subject-coded=06&lang=lt

Phantom Secure (2018)

  • Generation: 1 & 2

  • Unique Traits: Modified BlackBerry and Android devices with PGP email, managed via UEM.

  • Users: Estimated 20,000 globally.

  • Method of Attack: Undercover operations and informants provided law enforcement with insights. The CEO was arrested, and the company's infrastructure was dismantled.

  • Outcome: Shutdown of the network and arrests of high-profile criminals.

    • No evidence suggests that messages were decrypted en masse; rather, the network was dismantled.

  • Takeaway: Leadership targeting and infiltration through human intelligence can compromise secure networks.

Reference: https://www.fbi.gov/news/stories/phantom-secure-takedown-031618


EncroChat (2020)

  • Generation: 3

  • Unique Traits: Custom Android devices with modified OS, providing encrypted messaging and calls.

  • Users: Approximately 60,000 globally, with around 10,000 in the UK.

  • Method of Attack: Law enforcement installed a malware implant on EncroChat devices via a server-level exploit, allowing them to read messages before encryption or after decryption.

  • Outcome: Access to millions of messages; over 1,000 arrests in the UK alone.

  • Takeaway: Endpoint compromise can bypass encryption, highlighting the importance of device security.

Reference: https://www.europol.europa.eu/media-press/newsroom/news/dismantling-encrypted-criminal-encrochat-communications-leads-to-over-6-500-arrests-and-close-to-eur-900-million-seized


Sky Global (Sky ECC) (2021)

  • Generation: 3

  • Unique Traits: Encrypted messaging services on modified devices, with claims of end-to-end encryption.

  • Users: Estimated 70,000 globally.

  • Method of Attack: Belgian and Dutch police infiltrated the network, possibly through server seizure and exploiting vulnerabilities.

  • Outcome: Decryption of messages led to numerous arrests and the disruption of criminal activities.

  • Takeaway: Even systems claiming advanced encryption can be vulnerable if infrastructure is compromised.

Reference: https://en.wikipedia.org/wiki/Shutdown_of_Sky_Global

ANOM (2021)

  • Generation: 3

  • Unique Traits: Devices with a hidden, purpose-built messaging app controlled by law enforcement.

  • Users: Approximately 12,000 devices distributed globally.

  • Method of Attack: Law enforcement distributed devices with a built-in backdoor, allowing them to monitor all communications.

  • Outcome: Over 800 arrests worldwide; significant drug and weapon seizures.

  • Takeaway: Supply chain compromise and leveraging trust within criminal networks can lead to widespread infiltration.

Reference: https://www.justice.gov/usao-sdca/pr/fbi-s-encrypted-phone-platform-infiltrated-hundreds-criminal-syndicates-result-massive

Reference: https://jade.io/article/973490?at.hl=xmpp

Exclu (2023)

  • Generation: 3

  • Unique Traits: Encrypted messaging app with claimed high-level security and some level of centralised device management.

  • Users: Estimated 3,000.

  • Method of Attack: German and Dutch authorities infiltrated the network. Details of how access was obtained are limited due to ongoing legal proceedings.

  • Outcome: Over 120 arrests; seizures of drugs, weapons, and assets.

  • Takeaway: Law enforcement continues to develop techniques to infiltrate and dismantle encrypted networks, even when details are not publicly disclosed.

Reference: https://www.eurojust.europa.eu/news/new-strike-against-encrypted-criminal-communications-dismantling-exclu-tool

Ghost Chat (2024)

  • Generation: Transitioning from 3 to 4

  • Unique Traits: Encrypted messaging platform with high-level security claims, utilising custom encryption protocols, centralised device management, and beginning to incorporate off-the-shelf end-to-end encrypted (E2EE) apps like Signal and Threema.

  • Users: Estimated 3,000 globally.

  • Method of Attack: Law enforcement agencies infiltrated the network, potentially exploiting supply chain vulnerabilities associated with the platform's ability to push applications remotely to users' devices. Evidence suggests that Ghost Chat administrators could install apps upon user requests, introducing an attack vector for compromised or malicious software distribution.

  • Outcome: Over 120 arrests worldwide; significant seizures of drugs, weapons, and assets.

  • Takeaway: The transition between generations can introduce new vulnerabilities. The ability of administrators to remotely install applications creates a significant supply chain risk that can be exploited by adversaries.

Unveiling GhostChat's Vulnerabilities: Our Investigation

Following the takedown of GhostChat by international law enforcement agencies, Dvuln conducted an in-depth analysis to understand how the platform might have been compromised.

Leveraging our expertise in encryption protocols and adversary simulations, we aimed to identify potential weaknesses within GhostChat's systems that could have been exploited by both law enforcement and/or hackers.

Initial Reconnaissance

1. Expansion to Human Elements

Often, organisations think about their attack surface in terms of IP addresses, servers, and other technical infrastructure.

While these account for a significant portion of an organisation's attack surface, one area that often goes unchecked is the human side of a company's attack surface.

This far more dynamic side of the attack surface is increasingly targeted by criminals, law enforcement and nation-state threat actors.

Part of the reason the human attack surface represents such value is that every single business on the planet has its own unique team roles and dynamics.

In the context of GhostChat, without knowing anything outside of what was spoken about in the media there were some immediate assumptions we made.

Looking at the infographic from AFP’s public media releases something immediately stood out.

Where are the developers?

Whether intentionally or not, this didn’t seem to make sense.

On one hand, you have a global encrypted communications solution with presumably thousands of high-paying clients, and on the other, you have a single alleged person creating and administering the solution.

It could be true… but our experience tells us otherwise.

Building a working product like a mobile application requires many different skills including but not limited to:

  • Graphic design

  • Server administration

  • Mobile development skills (Java, Kotlin, Swift, React Native, etc.)

  • API design and development experience

  • The list goes on…

Working on this hunch, and taking the only information that was already public - we performed a simple search on public source-code collaboration platforms.

To our surprise, just 2 weeks prior to the global law enforcement raids, it appeared that someone involved in the development of APIs and web-portals for GhostChat had exposed not only their password, but critical API information related to a GhostChat development server as seen below.

2. Accessing the Development Server

Using the information from the publicly exposed source-code repository, we located the development server listed within the code and attempted to visit the URL directly - at which point we were presented with a login page and the endpoint /ghostnews/#auth/login

Suspecting this portal was not intended to be exposed to the public, we then changed the login endpoint to register and were presented with the functionality to sign up for our own account as seen below.

Not only was the application's registration open to the public, there were also multiple other failings including but not limited to:

  • Exposed Spring Boot Actuator endpoints (which, among other things, can disclose configuration, environment variables and heap dumps)

  • Hardcoded API tokens

  • And API endpoints that required no authentication

For example, after analysing the front-end source code, the following endpoints were identified, all of which would allow any public, unauthenticated user to retrieve sensitive information from the GhostChat backend.

Printing all user accounts

The API endpoint /ghost-web/api/activity/request_accounts/0/10000 when requested returned a large body of data belonging to over 1000 GhostChat users.

The type of information returned for each user is detailed below.

  • licenceKey: A unique code assigned to the user for software activation and verification purposes.

  • pgpEmail: The user's PGP (Pretty Good Privacy) email address used for encrypted email communications.

  • stealthMode: A setting indicating whether stealth mode is enabled, which may hide app icons or notifications for privacy.

  • GId: The unique group or device identifier assigned to the user's account.

  • subscriptionExpiration: The date and time when the user's subscription is scheduled to expire.

  • resellerList: A list containing information about resellers associated with the user's account.

  • screenName: The display name or nickname chosen by the user within the application.

  • creationDate: The date and time when the user account was originally created.

  • userId: A unique identifier assigned to the user within the system for identification.

  • internetConnectivityReset: The scheduled interval for resetting or checking internet connectivity settings.

  • password: The password associated with the user's account for authentication (presumably their PGP mailbox).

  • sim: Information related to the SIM card associated with the user's device, such as the SIM number.

  • licenceExpiration: The date when the user's software license is set to expire.

  • supportGid: The group identifier used for support or customer service purposes related to the user's account.

  • portal: The specific portal URL or identifier that provides access to the user's account or services.

  • activated: A boolean value (true or false) indicating whether the user's account is currently active.

Listing all resellers

Similarly, the API endpoint /ghost-web/api/resellers/get_all_resellers allowed any unauthenticated user to list all resellers in the system, which included the following information.

  • totalInactiveUsers: The total number of users who are currently inactive or not using the service.

  • totalLicences: The total number of licenses that have been issued or are available.

  • resellerName: The name assigned to the reseller, possibly a unique identifier or code.

  • resellerUserName: The username associated with the reseller's account for authentication purposes.

  • activeEccIdList: A list of ECC IDs (unique identifiers) for devices or accounts that are currently active.

  • totalRenewal: The total number of licenses or subscriptions that have been renewed.

  • inActiveEccIdList: A list of ECC IDs that are currently inactive or not in use.

  • totalActiveUsers: The total number of users who are currently active and utilizing the service.

  • userId: A unique identifier assigned to the user or reseller within the system.

  • deletedUsers: The number of user accounts that have been deleted from the system.

  • licencesRemaining: The number of licenses remaining or available for allocation; a negative value may indicate over-allocation.
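The two endpoint reviews above, as an added example in Go that is not the authors' tooling or any GhostChat code: a program that pulls /ghost-web/api/... paths out of a front-end bundle, requests each with no credentials through an injectable fetcher, flags any 200 whose JSON body carries the fields the page lists as sensitive, and separately checks the common Spring Boot Actuator paths. The bundle fragment, the response bodies and the actuator result are constructed stand-ins so the program runs offline; a live run would replace offlineFetcher with an http.Client call routed through an intercepting proxy so the evidence is recorded.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
)

// apiPathRe matches string literals in a front-end bundle that look like backend API
// paths. Assumption: the bundle references them as literals under /ghost-web/api/.
var apiPathRe = regexp.MustCompile(`["'](/ghost-web/api/[A-Za-z0-9_/.-]+)["']`)

// ExtractAPIPaths returns the distinct API paths referenced in bundle, sorted.
func ExtractAPIPaths(bundle string) []string {
	seen := map[string]bool{}
	for _, m := range apiPathRe.FindAllStringSubmatch(bundle, -1) {
		seen[m[1]] = true
	}
	paths := make([]string, 0, len(seen))
	for p := range seen {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	return paths
}

// sensitiveKeys are field names from the responses described above; any of them in an
// unauthenticated response is a finding on its own.
var sensitiveKeys = map[string]bool{
	"password": true, "licenceKey": true, "pgpEmail": true, "sim": true,
	"resellerUserName": true, "activeEccIdList": true,
}

// actuatorPaths are Spring Boot Actuator endpoints that should never answer 200 to an
// anonymous client; /env and /heapdump in particular leak configuration and memory.
var actuatorPaths = []string{"/actuator", "/actuator/env", "/actuator/heapdump", "/actuator/mappings"}

// Fetcher performs an anonymous GET (no cookies, no tokens) and returns status and body.
type Fetcher func(path string) (int, []byte)

// Finding records an endpoint that returned sensitive data without authentication.
type Finding struct {
	Path    string
	Records int
	Keys    []string
}

// collectKeys walks decoded JSON of any shape and records every sensitive field name.
func collectKeys(v interface{}, found map[string]bool) {
	switch t := v.(type) {
	case map[string]interface{}:
		for k, child := range t {
			if sensitiveKeys[k] {
				found[k] = true
			}
			collectKeys(child, found)
		}
	case []interface{}:
		for _, child := range t {
			collectKeys(child, found)
		}
	}
}

// Probe requests each path anonymously and reports those answering 200 with a JSON body
// that carries sensitive fields. 401/403/404/405 responses are not findings.
func Probe(paths []string, fetch Fetcher) []Finding {
	var findings []Finding
	for _, p := range paths {
		status, body := fetch(p)
		if status != 200 {
			continue
		}
		var parsed interface{}
		if err := json.Unmarshal(body, &parsed); err != nil {
			continue
		}
		found := map[string]bool{}
		collectKeys(parsed, found)
		if len(found) == 0 {
			continue
		}
		keys := make([]string, 0, len(found))
		for k := range found {
			keys = append(keys, k)
		}
		sort.Strings(keys)
		records := 1 // a single object; arrays count their elements
		if arr, ok := parsed.([]interface{}); ok {
			records = len(arr)
		}
		findings = append(findings, Finding{Path: p, Records: records, Keys: keys})
	}
	return findings
}

// ExposedActuators returns the actuator endpoints that answer 200 anonymously.
func ExposedActuators(fetch Fetcher) []string {
	var exposed []string
	for _, p := range actuatorPaths {
		if status, _ := fetch(p); status == 200 {
			exposed = append(exposed, p)
		}
	}
	return exposed
}

// sampleBundle is a constructed fragment standing in for a minified front-end bundle.
const sampleBundle = `e.get("/ghost-web/api/activity/request_accounts/0/10000").then(r=>...);
e.post("/ghost-web/api/auth/login",{username:u,password:p});
e.get('/ghost-web/api/resellers/get_all_resellers');`

// constructedResponses stand in for the live server so the example runs offline.
var constructedResponses = map[string]struct {
	status int
	body   string
}{
	"/ghost-web/api/activity/request_accounts/0/10000": {200, `[{"userId":1,"screenName":"alpha","pgpEmail":"alpha@example.test","password":"hunter2","sim":"8944000000000000001"},{"userId":2,"screenName":"bravo","pgpEmail":"bravo@example.test","password":"p4ssw0rd","sim":"8944000000000000002"}]`},
	"/ghost-web/api/resellers/get_all_resellers":       {200, `[{"resellerName":"r1","resellerUserName":"reseller1","activeEccIdList":["ecc-1","ecc-2"]}]`},
	"/ghost-web/api/auth/login":                        {405, `{"error":"Method Not Allowed"}`},
	"/actuator/env":                                    {200, `{"activeProfiles":["dev"],"propertySources":[]}`},
}

func offlineFetcher(path string) (int, []byte) {
	r, ok := constructedResponses[path]
	if !ok {
		return 404, nil
	}
	return r.status, []byte(r.body)
}

func main() {
	for _, f := range Probe(ExtractAPIPaths(sampleBundle), offlineFetcher) {
		fmt.Printf("UNAUTHENTICATED DATA: %s (%d records) exposes %v\n", f.Path, f.Records, f.Keys)
	}
	for _, p := range ExposedActuators(offlineFetcher) {
		fmt.Printf("ACTUATOR EXPOSED: %s\n", p)
	}
}
```

The login endpoint answers 405 to a GET and is correctly left out of the findings; only a 200 with a body that parses and carries sensitive fields is reported, which keeps the output free of the noise that a plain status-code sweep produces.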

Listing SIM Card Information

Another exposed API endpoint allowed external users to list SIM card coverage by SIM type. These were presumably the categories of SIMs managed and distributed by GhostChat and its resellers.

ESIM (Asia Pacific)

Australia,Cambodia,China,Indonesia,Laos,Macao,Malaysia,Singapore,South Korea,Taiwan,Thailand,Vietnam,Antigua and Barbuda,Anguilla,Albania

ESIM (Europe)

Austria,Belgium,Bulgaria,Croatia,Cyprus,Czechia,Denmark,Estonia,Finland,France,Germany,Greece,Hungary,Iceland,Ireland,Israel,Italy,Latvia,Lithuania,Luxembourg,Malta,Netherlands,Norway,Poland,Portugal,Romania,Slovakia,Slovenia,Spain,Sweden,Switzerland,Turkey,Ukraine,United Kingdom

ESIM (Global)

Albania,Algeria,Andorra,Armenia,Australia,Austria,Azerbaijan,Bangladesh,Belarus,Belgium,Bosnia and Herzegovina,Brazil,Bulgaria,Canada,China,Croatia,Cyprus,Czechia,Denmark,Egypt,Estonia,Faroe Islands,Finland,France,Georgia,Germany,Ghana,Gibraltar,Greece,Guernsey,Hong Kong,Hungary,Iceland,India,Indonesia,Ireland,Isle of Man,Israel,Italy,Kazakhstan,Kenya,Kuwait,Kyrgyzstan,Latvia,Liechtenstein,Lithuania,Luxembourg,Malaysia,Malta,Martinique,Moldova,Monaco,Montenegro,Morocco,Nepal,Netherlands,New Zealand,Nigeria,Macedonia,Norway,Pakistan,Philippines,Poland,Portugal,Qatar,Romania,Russia,Serbia,Singapore,Slovakia,Slovenia,South Korea,Spain,Sri Lanka,Sweden,Switzerland,Taiwan,Tanzania,Thailand,Tunisia,Turkey,Ukraine,United Kingdom,United States,Uzbekistan,Reunion,United Arab Emirates

SIM ROAMING COUNTRIES

Albania,Algeria,Anguilla,Antigua and Barbuda,Argentina,Armenia,Aruba,Australia,Austria,Azerbaijan,Bahamas,Bangladesh,Barbados,Belarus,Belgium,Bermuda,Bolivia,Bosnia and Herzegovina,Botswana,Brazil,British Indian Ocean Territory,Brunei Darussalam,Bulgaria,Cameroon,Canada,Cape Verde,Cayman Islands,Chile,China,Colombia,Congo,Costa Rica,Cote D'Ivoire,Croatia,Cyprus,Czech Republic,Denmark,Dominica,Dominican Republic,Ecuador,Egypt,El Salvador,Estonia,Faroe Islands,Fiji,Finland,France,French Guiana,Gabon,Georgia,Germany,Ghana,Gibraltar,Greece,Greenland,Grenada,Guadeloupe,Guatemala,Guinea-Bissau,Guyana,Honduras,Hong Kong,Hungary,Iceland,India,Indonesia,Ireland,Isle of Man,Israel,Italy,Jamaica,Japan,Jersey,Kazakhstan,Kenya,Kuwait,Latvia,Liechtenstein,Lithuania,Luxembourg,Macao,Madagascar,Malaysia,Malta,Mexico,Moldova,Serbia and Montenegro,Montserrat,Morocco,Mozambique,Myanmar,Netherlands,Netherlands Antilles,New Zealand,Nicaragua,Niger,Nigeria,Macedonia,Norway,Oman,Pakistan,Panama,Papua New Guinea,Paraguay,Peru,Philippines,Poland,Portugal,Puerto Rico,Qatar,Reunion,Romania,Russian Federation,RWANDA,Saint Lucia,Saint Vincent and the Grenadines,Samoa,Saudi Arabia,Seychelles,Singapore,Slovakia,South Africa,Spain,Sri Lanka,Suriname,Sweden,Switzerland,Slovenia,South Korea,Taiwan,Tajikistan,Tanzania,Thailand,Tonga,Trinidad and Tobago,Tunisia,Turkey,Turks and Caicos Islands,Uganda,Ukraine,United Arab Emirates,United Kingdom,United States,Uruguay,Uzbekistan,Venezuela,Vietnam,British Virgin Islands,Yemen,Zambia,Eswatini

Internal Support Messages

Furthermore, various other APIs were exposed including an API designed to retrieve customer support messages that were sent from GhostChat users and directed at GhostChat’s administering user(s).

While these messages provide insight into the backend operations of GhostChat, they also shed light on poor design choices that represent failures in both operational security and threat modelling.

One of the more interesting observations was the number of users requesting administrators to install various applications on their devices remotely.

This suggests that GhostChat administrator user(s) had the capability to remotely install applications on end-user devices, introducing a significant supply chain vulnerability - one that may have been exploited by authorities as suggested by the AFP’s media statement:

“The administrator regularly pushed out software updates, just like the ones needed for normal mobile phones. But the AFP was able to modify those updates, which basically infected the devices, enabling the AFP to access the content on devices in Australia.”

Reference: https://www.afp.gov.au/news-centre/media-release/afp-operation-kraken-charges-alleged-head-global-organised-crime-app

In addition to the above, this also suggests a gradual evolution of the GhostChat service from a generation 3 offering, to a generation 4 - an evolution that authorities were able to prevent.

Remote software updates or backdoor deployment by-design?

During our analysis, we identified multiple server infrastructure components associated with Ghost Chat.

To comprehend how the administrators might have remotely interacted with customer devices—particularly for performing actions such as application updates—we examined the cloud-facing infrastructure in greater detail.

Several servers stood out as significant in this context.

Notably, the domain bes.ghostlock.biz and an additional server with the IP address 51.254.104.58 were observed hosting BlackBerry UEM and BlackBerry BES services as seen below.

Ref: https://www.shodan.io/host/51.254.104.58

What is BlackBerry UEM/BES?

BlackBerry Unified Endpoint Management (UEM) is a platform that provides centralised management and security for devices, applications, and content across multiple operating systems.

It allows administrators to manage mobile devices, enforce security policies, and deploy applications remotely.

BlackBerry Enterprise Server (BES) is an earlier iteration focused on managing BlackBerry devices, providing email and application services. BES and UEM are critical components in enterprise environments for device management.

These platforms offer several capabilities that are pertinent to our analysis:

  • Remote Device Management - Administrators can control devices remotely, enforce policies, and push applications or updates.

  • Application Deployment - Ability to install, update, or remove applications on devices without user intervention.

  • Security Policies - Enforcement of security configurations, including encryption, authentication settings, and compliance requirements.

  • Unified Management Console - Provides a centralised interface for managing all connected devices and services.

Implications for Ghost Chat

The use of BlackBerry UEM/BES within Ghost Chat's infrastructure had significant security implications.

While these platforms offer powerful tools for device management and security enforcement, they also introduce potential vulnerabilities when not properly secured.

The centralised control afforded by UEM/BES gave Ghost Chat administrators extensive authority over user devices.

This included the capability to remotely push software updates and applications.

If the UEM/BES infrastructure were compromised, whether through vulnerabilities, misconfigurations or warranted access, whoever held that access could use these capabilities to infiltrate user devices.

In the context of Ghost Chat, media reports suggest that law enforcement agencies exploited this very functionality.

By gaining access to the UEM/BES servers, authorities could have hijacked the software update mechanism, pushed backdoored updates to user devices, and intercepted communications before encryption or after decryption without the users' knowledge.

Assessing Ghost Chat's Vulnerabilities

Our analysis highlighted several areas where Ghost Chat's security measures were insufficient as listed below.

  • Exposed Development Environment

    The public availability of the development server and code repository introduced significant risks.

  • Unprotected APIs

    Failure to implement proper authentication and authorisation controls on APIs allowed unauthorised data access.

  • Supply Chain Vulnerability

    The ability of administrators to remotely install applications without stringent security checks introduced significant risks.

  • Centralised Control Risks

    Centralised mechanisms for app deployment created a single point of failure.

  • Lack of Application Verification

    There appeared to be insufficient processes for verifying the integrity and security of apps before deployment.

  • Insufficient User Awareness

    Users may not have been fully aware of the risks associated with requesting and installing additional apps.
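To make concrete what "application verification" on the handset would change in the update-hijack scenario described under Implications for Ghost Chat, and what it would not, here is an added design illustration in Go. It is not GhostChat's mechanism (the page does not document how, or whether, devices validated pushed packages) and not anything from the AFP's operation. A release key held offline signs each package's name, version and SHA-256 digest; the management server only relays the manifest; the handset verifies against a pinned public key baked into its build and refuses anything older than what it already runs. The package name, build contents and keys are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdateManifest travels with a package through the management (UEM-style) server.
// Assumption for this illustration: the server relays it but holds no signing key.
type UpdateManifest struct {
	Package string
	Version uint32
	Digest  [32]byte // SHA-256 of the package bytes
	Sig     []byte   // Ed25519 over signingInput, made with the offline release key
}

// signingInput binds name, version and digest so none can be swapped on its own.
// Package names are assumed to be at most 255 bytes (single length prefix).
func signingInput(m *UpdateManifest) []byte {
	var buf bytes.Buffer
	buf.WriteByte(byte(len(m.Package)))
	buf.WriteString(m.Package)
	binary.Write(&buf, binary.BigEndian, m.Version)
	buf.Write(m.Digest[:])
	return buf.Bytes()
}

// SignRelease runs on the release signer, which never touches the management server.
func SignRelease(priv ed25519.PrivateKey, pkg string, ver uint32, payload []byte) UpdateManifest {
	m := UpdateManifest{Package: pkg, Version: ver, Digest: sha256.Sum256(payload)}
	m.Sig = ed25519.Sign(priv, signingInput(&m))
	return m
}

// Device models the handset: a pinned release key and the highest version installed per
// package, used to refuse rollback to an older but still validly signed build.
type Device struct {
	pinnedKey ed25519.PublicKey
	installed map[string]uint32
}

var (
	ErrDigest   = errors.New("payload does not match manifest digest")
	ErrSig      = errors.New("manifest not signed by the pinned release key")
	ErrRollback = errors.New("version not newer than installed build")
)

// Install accepts a pushed update only if it is intact, signed by the pinned key and newer.
func (d *Device) Install(m UpdateManifest, payload []byte) error {
	if sha256.Sum256(payload) != m.Digest {
		return ErrDigest
	}
	if !ed25519.Verify(d.pinnedKey, signingInput(&m), m.Sig) {
		return ErrSig
	}
	if cur, ok := d.installed[m.Package]; ok && m.Version <= cur {
		return ErrRollback
	}
	d.installed[m.Package] = m.Version
	return nil
}

// Outcome collects the device's verdict on each push an attacker controlling the server tries.
type Outcome struct {
	Legit, Tampered, ForeignKey, Replay, StolenKey error
}

// RunScenario plays four pushes through a server the attacker controls, then the one
// case verification cannot catch: the attacker also holds the release signing key.
func RunScenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	const pkg = "chat.example.messenger" // constructed package name
	v1 := []byte("constructed build v1")
	v2 := []byte("constructed build v2")
	backdoored := []byte("constructed build v2 plus interception hook")

	dev := &Device{pinnedKey: pub, installed: map[string]uint32{}}
	m1 := SignRelease(priv, pkg, 1, v1)
	if err := dev.Install(m1, v1); err != nil {
		return Outcome{}, err
	}
	m2 := SignRelease(priv, pkg, 2, v2)

	var o Outcome
	o.Legit = dev.Install(m2, v2) // genuine v2 relayed by the compromised server
	t := m2                       // 1. swap the payload, recompute the digest, keep the old signature
	t.Version, t.Digest = 3, sha256.Sum256(backdoored)
	o.Tampered = dev.Install(t, backdoored)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // 2. sign with a key the attacker made
	o.ForeignKey = dev.Install(SignRelease(attackerPriv, pkg, 3, backdoored), backdoored)
	o.Replay = dev.Install(m1, v1) // 3. replay the validly signed v1 to downgrade the device
	o.StolenKey = dev.Install(SignRelease(priv, pkg, 3, backdoored), backdoored) // 4. real key obtained
	return o, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine v2:        %v\ntampered payload:  %v\nattacker's key:    %v\nreplayed v1:       %v\nstolen release key: %v\n",
		o.Legit, o.Tampered, o.ForeignKey, o.Replay, o.StolenKey)
}
```

The last case is the caveat a practitioner should keep in view: signing relocates trust to the key rather than removing it. If the release key sits on the same server as the management console, or is obtainable under warrant from the operator, the pushed update verifies and the device installs it. Verification at the endpoint defeats a hijacked distribution channel, not a seized signing authority.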

The Irony of GhostChat's Security Marketing Claims

GhostChat's marketing prominently featured security claims such as the following.

"With constant independent expert oversight, we are certain that our system is as secure as it can possibly be. We frequently have our protocols peer-reviewed by leading industry experts and constantly upgrade our systems to improve the security of our users."

These statements were designed to build confidence for potential users by emphasising a commitment to the most robust security standards and continuous improvement.

However, the reality stands in stark contrast to these promises.

Despite claims of rigorous security measures and expert oversight, GhostChat exhibited fundamental security flaws that would have been easily identifiable and preventable.

The inadvertent leakage of developer passwords to the public is a glaring oversight that compromises the entire security infrastructure.

Additionally, the development and deployment of APIs without proper authentication mechanisms represents a critical failure that even the most junior developers would have picked up.

If this tells us anything, it's that in Australia even criminal telcos have terrible APIs.

The Future of Encrypted Communication Platforms: Generation 4 and Beyond

As we have observed through the evolution of encrypted communication platforms, each generation introduces new technologies aimed at enhancing security and privacy.

Generation 4 represents the latest advancements, characterised by a shift towards greater decentralisation and the use of hardened operating systems.

At Dvuln, we have spent the last decade finding unique ways to attack even the most secure targets ranging from enterprise to government agencies (legally).

With that said, we are aware of potential vulnerabilities and methods that could be used to compromise even the most advanced secure communication systems, including Generation 4 platforms and beyond.

However, we believe it would be irresponsible to disclose such information publicly, as it could aid malicious actors.

Instead, we will provide guidance to our clients and partners privately, helping them to better protect their secure communications and understand their individual threat models.

Secure. By. Design

Give your users the security they deserve