
Encrypted Phone Firm Ciphr Plans to Shut Down

source link: https://www.vice.com/en/article/y3p3x7/encrypted-phone-firm-ciphr-plans-to-shutdown


Ciphr is the last remaining member of the old guard of the encrypted phone industry. After years of providing a technological backbone to organized crime, the company says it plans to shut down at the end of the month.
August 26, 2022, 5:52pm

Ciphr, a long running encrypted phone firm whose clients include serious organized criminals, plans to shut down, according to a copy of a message written by Ciphr management and obtained by Motherboard.

The news signals the end of one of the longest running and established companies in the encrypted phone industry. This industry has for years catered to serious organized criminals around the world, with Ciphr’s devices being used by serious drug traffickers. The news comes after Motherboard reported that Ciphr resellers were locked out of signing up new customers and that the company was making radical changes to how its encrypted messaging software was distributed.


Do you work for Ciphr? Are you a user of its phones? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email [email protected].

Ciphr will cease operations at the end of the month, according to the message. The reason was that not enough resellers took up Ciphr on its plan to shift the responsibility for Mobile Device Management (MDM) away from the company itself to individual resellers. In the earlier message from Ciphr reported by Motherboard, the company said that resellers had to run their own MDM solution if they wished to continue to sign up new customers or renew the subscriptions of current ones. 

The lack of interest means that Ciphr’s business is not sustainable, the message adds. Refunds will be issued for subscriptions that have time remaining after the cut-off date, it reads. 


Ciphr’s planned shut down caps off what has been a dramatic and turbulent few years for the industry. In 2018 the FBI shuttered another firm called Phantom Secure that was a pioneer in the space. European authorities then launched technical operations against Sky Secure and Encrochat and obtained the content of users’ messages. Then last June, the FBI revealed it had secretly been managing a Ciphr rival called Anom and intercepting the messages of its thousands of users in the process.


In the wake of these shut downs, smaller and less well-known encrypted phone companies have tried to capitalize on the vacuum left by their competitors’ demise. It is likely that Ciphr’s criminal users will search for an alternative.

Ciphr did not respond to a request for comment. The company has previously responded to Motherboard’s requests for comment, such as when the firm pulled out of the Australian market altogether. The company has not responded to multiple requests sent over the past few weeks about this and related issues.

A former Ciphr developer previously told Motherboard that even though they worked at the company for years, they never saw the face of the firm’s CTO.

“I have no idea what he looks like,” the developer said.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.


Sellers for Encrypted Phone Firm Ciphr Locked Out of Orders

Ciphr, a company popular among organized criminals, plans to make dramatic changes to how sellers can distribute its encrypted messaging app. The move comes after weeks of uncertainty of the company's next move.
August 25, 2022, 5:58pm

Encrypted phone firm Ciphr, a company in an industry that caters to serious organized criminals, has made a radical change to how its product can be used and sold, signaling an attempt by the company to distance itself from, or perhaps cut off, its problematic customers.

The move is significant in that Ciphr is one of the few remaining established members of the encrypted phone industry after a cascading series of high profile law enforcement actions against its competitors. Some companies, such as Sky Secure, have also tried to clean up their act by banning resellers who they have identified as catering to criminal markets. 


“As we continue to focus on our core competencies as a software development company, we have made the decision to no longer support our Mobile Device Management (MDM/UEM) services,” a message sent by Ciphr to its resellers and seen by Motherboard reads. MDM is a tool for managing lots of phones at once, and can be used to install apps or block others. Ordinary companies often use MDM to keep their employees’ devices secure. For years Ciphr has used MDM to distribute its encrypted messaging tools. 


Now, it is shifting that responsibility away from itself to individual resellers of the devices. The message says that for resellers to continue with new sales or renewals of customers’ subscriptions, they will need to run their own MDM solution. This essentially puts the management of customers much more in the hands of the resellers and not Ciphr. 

The message says that this policy will come into force Thursday. “Effective August 25th, 2022, our software will no longer be supported using our MDM solution,” the message reads. “If you choose not to host your own MDM you will not be able to activate new sales or renewals as of August 22nd, 2020,” it adds. 


Whether Ciphr has a specific reason for the change, such as legally distancing itself from the use of its products by criminals, is unclear. Ciphr has not responded to multiple emails sent over the past several weeks about this and related issues. Ciphr has previously responded to requests for comment for stories about its exit from certain markets.

“Next-level secure communication. The best app for encrypted messaging and calling,” Ciphr’s website reads. Motherboard has previously reported that Ciphr has been especially popular in Australia, where organized criminals have traditionally used encrypted devices from companies that sometimes deliberately lean into serving such markets. After the FBI, Australian Federal Police, and European partners revealed that another encrypted phone company called Anom was secretly a law enforcement honeypot, Ciphr pulled out of the Australian market altogether, Motherboard previously reported. One criminal organization run by a mastermind known as Mr. Blonde appears to have dodged the Anom honeypot because his associates were instead using Ciphr, the Sydney Morning Herald previously reported.


The message Ciphr sent to resellers caps off weeks of signs that the company was planning some sort of exit or change to its services. Weeks ago a website used by resellers of Ciphr became inaccessible, with vendors unable to log into the portal that allows them to renew customers’ subscriptions, according to a screenshot viewed by Motherboard at the time and a source with knowledge of the situation.

“HTTP ERROR: 404 — Compliance Issue, please contact support,” an error message displayed above the login page for Ciphr’s reseller portal read, according to the screenshot. Encrypted phone companies often use these password protected websites to let their resellers update customers' subscriptions or to sign up new users. The encrypted phone industry that Ciphr is part of often sells subscriptions to their services for thousands of dollars every six or 12 months. 

The source with knowledge of the situation said that some Ciphr users have moved to another company called SecureCrypt in response to the recent issues. Motherboard granted the source anonymity to speak more candidly about industry developments.

A former developer for Ciphr told Motherboard that even though they worked at the company for multiple years, they never saw the face of the company’s CTO. While other workers had their faces in their profile photos in chat programs, the CTO did not. 

“I have no idea what he looks like,” the developer said. The developer added they were not aware of who the sorts of people who bought Ciphr phones were before Motherboard alerted them to it earlier this year. Motherboard granted the developer anonymity to protect them from retaliation.

In 2018, the FBI shuttered Phantom Secure, a pioneer in the underground industry, and arrested its CEO Vincent Ramos. Various agencies were involved in a hack of Encrochat in 2020, and then Sky Secure last year. These companies, including Ciphr, have an especially heavy use among drug traffickers and other top tier criminals.

In 2017, someone created a website and dumped sensitive information about Ciphr users, including unique IMEI numbers and email addresses.


This Is the Code the FBI Used to Wiretap the World

Motherboard is publishing parts of the code for the Anom encrypted messaging app, which was secretly managed by the FBI in order to monitor organized crime on a global scale.
July 7, 2022, 1:00pm

The FBI operation in which the agency intercepted messages from thousands of encrypted phones around the world was powered by cobbled together code. Motherboard has obtained that code and is now publishing sections of it that show how the FBI was able to create its honeypot. The code shows that the messages were secretly duplicated and sent to a “ghost” contact that was hidden from the users’ contact lists. This ghost user, in a way, was the FBI and its law enforcement partners, reading over the shoulder of organized criminals as they talked to each other.


Last year, the FBI and its international partners announced Operation Trojan Shield, in which the FBI secretly ran an encrypted phone company called Anom for years and used it to hoover up tens of millions of messages from Anom users. Anom was marketed to criminals, and ended up in the hands of over 300 criminal syndicates worldwide. The landmark operation has led to more than 1,000 arrests including alleged top tier drug traffickers and massive seizures of weapons, cash, narcotics, and luxury cars.

Motherboard has obtained this underlying code of the Anom app and is now publishing sections of it due to the public interest in understanding how law enforcement agencies are tackling the so-called Going Dark problem, where criminals use encryption to keep their communications out of the hands of the authorities. The code provides greater insight into the hurried nature of its development, the freely available online tools that Anom’s developers copied for their own purposes, and how the relevant section of code copied the messages as part of one of the largest law enforcement operations ever.


The key part of the Anom app is a section called “bot.”


A section of the Anom code. Image: Motherboard.

The app uses XMPP to communicate, a long-established protocol for sending instant messages. On top of that, Anom wrapped messages in a layer of encryption. In XMPP each contact is identified by an address (a JID) that looks much like an email address. For Anom, these included an XMPP account for the customer support channel that Anom users could contact. Another of these was bot.

Unlike the support channel, bot hid itself from Anom users’ contact lists and operated in the background, according to the code and to photos of active Anom devices obtained by Motherboard. In practice the app scrolled through the user’s list of contacts, and when it came across the bot account, the app filtered that out and removed it from view. 

That finding is corroborated by law enforcement files Motherboard obtained which say that bot was a hidden or “ghost” contact that made copies of Anom users’ messages.

Authorities have previously floated the idea of using a ghost contact to penetrate encrypted communications. In a November 2018 piece published on Lawfare, Ian Levy and Crispin Robinson, two senior officials from UK intelligence agency GCHQ, wrote that “It’s relatively easy for a service provider to silently add a law enforcement participant to a group chat or call,” and “You end up with everything still being end-to-end encrypted, but there’s an extra ‘end’ on this particular communication.”


A diagram of how the bot functioned included in law enforcement files obtained by Motherboard. Image: Motherboard.

The code also shows that in the section that handles sending messages, the app attached location information to any message that is sent to bot. On top of that, the AndroidManifest.xml file in the app, which declares the permissions an app requests, includes the permission “ACCESS_FINE_LOCATION.” This confirms what Motherboard previously reported after reviewing thousands of pages of police files in an Anom-related investigation. Many of the intercepted Anom messages in those documents included the precise GPS location of the device at the time the message was sent.

In some cases, police officers reported that the Anom system failed to record those GPS locations correctly, but that authorities believe the coordinates are generally reliable as they have in some cases been matched with other information such as photos, according to those police files.
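The two mechanisms described above, a contact that the client hides from the roster while silently receiving a copy of every message, and a location stamp attached to the copies, are easy to model and, more usefully, easy to check for. The following is an added example written for this page; it is not Anom’s code, and the JIDs, stanza shape and manifest snippet are constructed for illustration. It shows a client-side roster filter and message duplication as the article describes them, then two checks an analyst would run against a decompiled client: a dynamic one that flags any stanza addressed to a recipient the UI never displays, and a static one that lists the permissions a manifest requests.

```python
"""Added example (not Anom's code): a hidden 'ghost' recipient, location
stamping, and the checks that reveal both.  All names are constructed."""
import xml.etree.ElementTree as ET

GHOST_JID = "bot@example.invalid"   # assumed JID of the hidden contact


def visible_roster(server_roster):
    """Client-side filter: drop the ghost before the UI renders the list."""
    return [jid for jid in server_roster if jid != GHOST_JID]


def send(outbox, sender, recipient, body, location=None):
    """Emit one stanza to the chosen recipient and a second, silent copy to
    the ghost.  Only the copy carries the device location."""
    outbox.append({"from": sender, "to": recipient, "body": body})
    copy = {"from": sender, "to": GHOST_JID, "body": body}
    if location is not None:
        copy["geo"] = location
    outbox.append(copy)
    return copy


def audit_outbox(outbox, shown_roster):
    """Dynamic check: a stanza addressed to a JID the UI never shows means
    a hidden recipient.  Returns the set of such JIDs."""
    shown = set(shown_roster)
    return {s["to"] for s in outbox if s["to"] not in shown}


def requested_permissions(manifest_xml):
    """Static check: collect every <uses-permission android:name=...>."""
    ns = "{http://schemas.android.com/apk/res/android}"
    root = ET.fromstring(manifest_xml)
    return {el.get(ns + "name") for el in root.iter("uses-permission")}


# Constructed manifest fragment, not taken from the Anom APK.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.ghostchat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""


def demo():
    server_roster = ["alice@example.invalid", "support@example.invalid", GHOST_JID]
    shown = visible_roster(server_roster)
    outbox = []
    send(outbox, "user@example.invalid", "alice@example.invalid",
         "meet at 9", location=(-33.87, 151.21))   # constructed coordinates
    hidden = audit_outbox(outbox, shown)
    perms = requested_permissions(MANIFEST)
    return shown, outbox, hidden, perms


if __name__ == "__main__":
    shown, outbox, hidden, perms = demo()
    print("roster shown to user:", shown)
    print("stanzas actually sent:", len(outbox))
    print("recipients hidden from the roster:", hidden)
    print("fine location requested:",
          "android.permission.ACCESS_FINE_LOCATION" in perms)
```

The dynamic check is the one that matters in practice: because the roster filter runs on the client, the server-side roster (or a packet capture of the XMPP stream) still contains the ghost, so comparing what leaves the device with what the UI displays exposes the extra “end” regardless of how the contact is hidden.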

A lot of the code for handling communications was apparently copied from an open source messaging app.

The code itself is messy, with large chunks commented out and the app repeatedly logging debug messages to the phone itself.


A section of the Anom code. Image: Motherboard.

Cooper Quintin, a senior staff technologist at activist organization the Electronic Frontier Foundation (EFF), didn’t think it was unusual for developers to use other modules of code found online. But he did find it “bonkers” that the FBI used ordinary developers for this law enforcement operation.


“This would be like if Raytheon hired the fireworks company down the street to make missile primers, but didn’t tell them they were making missile primers,” he said in a phone call. “I would typically assume the FBI would want to keep tighter control on what they’re working on,” such as working with in-house computer engineers who had security clearance and not bringing in people who are unknowingly taking down criminal organizations, he added. (One reason for the use of third-party developers was that Anom already existed as a company in its own right, with coders hired by the company’s creator who worked on an early version of the app, before the FBI became secretly involved in Anom’s management.)

Recently courts in Europe and Australia have seen the next step of the Anom operation: the prosecution of these alleged criminals with Anom messages making up much of the evidence against them. Defense lawyers in Australia have started legal requests to obtain the code of the Anom app itself, arguing that access to the code is important to determine that the messages being presented in court by the prosecution are accurate. The Australian Federal Police (AFP) has refused to release the code. 

“Anybody who has been charged with an offence arising from messages that are alleged to have been made on the so called ‘Anom Platform’ has a clear and obvious interest in understanding how the device worked, how anyone was able to access these messages and most importantly whether the original accessing and subsequent dissemination of these messages to Australian authorities was lawful,” Jennifer Stefanac, an Australian solicitor who is defending some of the people arrested as part of Operation Ironside, the Australian authorities’ side of the Anom operation, told Motherboard in an email.


A second lawyer handling Anom related cases said they didn't think the Anom code would be of much relevance to defendants’ cases. A third said they saw why defendants may seek access to the code, but that they believed it shouldn’t be publicly available. 

When asked for comment, the San Diego FBI told Motherboard in a statement that “We appreciate the opportunity to provide feedback on potentially publishing portions of the Anom source code. We have significant concerns that releasing the entire source code would result in a number of situations not in the public interest like the exposure of sources and methods, as well as providing a playbook for others, to include criminal elements, to duplicate the application without the substantial time and resource investment necessary to create such an application. We believe producing snippets of the code could produce similar results.”

Motherboard is not publishing the full code of Anom. Motherboard believes the code contains identifying information on who worked on the app. Most of the people who worked on the Anom app were not aware it was secretly an FBI tool for surveilling organized crime, and exposing their identities could put them at serious risk. Motherboard will not be releasing the app publicly or distributing it further.

Motherboard previously obtained one of the Anom phones from the secondary market after the law enforcement operation was announced. In that case, the phone had a locked bootloader, meaning it was more difficult to extract files from the device. For this new analysis of the code, a source provided a copy of the Anom APK as a standalone file which Motherboard then decompiled. Motherboard granted multiple sources in this piece anonymity to protect them from retaliation. 

Decompiling an app is an everyday process used by reverse engineers to access the code used to construct an app. It can be used to fix problems with the software, find vulnerabilities, or generally to research how an app was put together. Two reverse engineering experts corroborated and elaborated upon Motherboard’s own analysis of the app.

Operation Trojan Shield has been broadly successful. On top of the wave of arrests, authorities were also able to intervene using the messages and stop multiple planned murders. In June, to mark the one year anniversary of the operation’s announcement, the AFP revealed it has shifted some of its focus to investigating thousands of people suspected of being linked to Italian organized crime in Australia and that it is working with international partners.


Hacker Steals LastPass Source Code, Company Says

Hackers broke into a LastPass developer account and stole "portions" of the company's source code and some technical information, according to LastPass.
August 26, 2022, 2:25pm

LastPass, a popular password manager and two-factor authentication provider, has been hacked, again. This time, hackers managed to steal parts of the company’s source code, a move that does not pose an immediate risk to users but one that shines a bad light on a company that is responsible for guarding access to its customers' sensitive login credentials.

LastPass declined to tell Motherboard what product the source code theft impacted. An email LastPass sent to users and a blog post published on its website says “We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.”


In a statement, LastPass spokesperson Nikolett Bacso Albaum told Motherboard “We recently detected some unusual activity within portions of the LastPass development environment. We have no evidence that this incident involved any access to customer data or encrypted password vaults. Our products and services are operating normally.”

LastPass offers various free and paid plans for its authentication products, and previously said it has over 20 million users. To use LastPass, customers set a “master password” which then grants a user access to the rest of their passwords stored with the service. 


This isn’t the first time hackers have successfully breached LastPass. Hackers targeted the company in 2015 and accessed email addresses, password reminders, and other user information.

On the latest breach, Albaum’s statement added that “In response, we immediately initiated an investigation, deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.”

Companies that provide authentication services are prime targets for hackers because access to them can provide the ability, or at least clues that help, to then break into other targets. In 2011 Chinese hackers broke into cybersecurity firm RSA and stole what WIRED described as the “crown jewels of cybersecurity”: the seeds that govern the two-factor authentication codes customers used to log into their systems.


Class-Action Lawsuit Targets Company that Harvests Location Data from 50 Million Cars

Last year as part of a Motherboard investigation, experts said Otonomo could face legal issues. Now the company is facing a class action lawsuit.
April 15, 2022, 2:44pm

A new class-action lawsuit filed in California targets Otonomo, a data broker that harvests location data from tens of millions of vehicles around the world and then sells access to that information.

Otonomo says it has systems in place that protect peoples’ privacy. But in June last year, Motherboard published an investigation based on a set of Otonomo data and used the information to find where people likely lived, worked, and where else they drove. At the time, experts said that Otonomo could face legal consequences because of how it handles consent and its data. The new lawsuit focuses specifically on those issues.


“Defendant Otonomo Inc. is a data broker that secretly collects and sells real-time GPS location information from more than 50 million cars throughout the world, including from tens of thousands in California. This data allows Otonomo—and its paying clients—to easily pinpoint consumers’ precise locations at all times of day and gain specific insight about where they live, work, and worship, and who they associate with,” the lawsuit, filed by lawyers from Edelson PC, reads. Courthouse News first reported on the lawsuit.


The plaintiff in the case is Saman Mollaei, a citizen of California. The lawsuit does not explain how it came to the conclusion that Otonomo is tracking tens of thousands of people in California. Otonomo originally started in Israel and has an office in California.

Mollaei drives a 2020 BMW X3, and when the vehicle was delivered to him, it contained an electronic device that allowed Otonomo to track its real-time location, according to the lawsuit. Importantly, the lawsuit alleges that Mollaei did not provide consent for this tracking, adding that “At no time did Otonomo receive—or even seek—Plaintiff's consent to track his vehicle’s locations or movements using an electronic tracking device.”


More broadly, the lawsuit claims that Otonomo “never requests (or receives) consent from drivers before tracking them and selling their highly private and valuable GPS location information to its clients.” The lawsuit says that because Otonomo is “secretly” tracking vehicle locations, it has violated the California Invasion of Privacy Act (CIPA), which bans the use of an “electronic tracking device to determine the location or movement of a person” without consent.

As Motherboard previously reported, Otonomo has agreements with some car manufacturers to source location data from their vehicles. A February 2021 Otonomo presentation says that the company has partnerships with 16 OEMs with a total of over 40 million vehicles, and that Otonomo collects 4.3 billion data points a day. The company also sources data from navigation apps and satnavs which are used as a proxy for a vehicle’s location, given that they typically are placed inside a car. These are known as telemetry service providers (TSPs).

In turn, Otonomo sells its collected data. The presentation says that “thousands of organizations” have access to Otonomo’s data.

A source who works in a company that uses car location data previously told Motherboard that such data is “relatively easy to deanonymize.”


“I don't believe there's truly a way to anonymize this data, without completely modifying it and losing its value,” they added.

Motherboard previously obtained a spread of 10,000 location points from Otonomo through a feature on the company’s website that provided access to large samples of the information for free. A researcher independently collected data from Otonomo themselves as well, and provided Otonomo location data from California and Berlin to Motherboard. Among other things the data included a unique identifier Otonomo assigned to the device and its GPS coordinates. This allowed Motherboard to follow specific vehicles over time, and discover where the owners likely slept. 
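The step described above, following a device’s identifier over time to find where its owner probably sleeps, is the core of why such data “deanonymizes easily.” The following is an added example, not Otonomo’s data or Motherboard’s own method: the location points are constructed, the device identifiers are invented, and the approach (bucket each device’s night-time points onto a coarse grid and take the cell visited on the most distinct nights) is one simple choice among several. It runs offline on the embedded sample.

```python
"""Added example (not Otonomo's data): infer a probable home location per
device from timestamped GPS points.  All points below are constructed."""
from collections import defaultdict
from datetime import datetime

# (device_id, ISO timestamp, lat, lon) -- constructed sample, not real data
SAMPLE = [
    ("dev-A", "2021-06-01T02:10:00", 37.7749, -122.4194),
    ("dev-A", "2021-06-01T03:40:00", 37.7751, -122.4190),
    ("dev-A", "2021-06-01T09:15:00", 37.7900, -122.4010),  # daytime, elsewhere
    ("dev-A", "2021-06-01T13:00:00", 37.7901, -122.4012),
    ("dev-A", "2021-06-02T01:05:00", 37.7748, -122.4193),
    ("dev-A", "2021-06-02T23:50:00", 37.7750, -122.4191),
    ("dev-B", "2021-06-01T00:30:00", 52.5200, 13.4050),
    ("dev-B", "2021-06-01T10:00:00", 52.5300, 13.3800),    # daytime, elsewhere
    ("dev-B", "2021-06-02T02:00:00", 52.5201, 13.4052),
]


def grid_cell(lat, lon, decimals=3):
    """Snap a point to a coarse grid (3 decimals is roughly 100 m)."""
    return (round(lat, decimals), round(lon, decimals))


def is_night(ts, start=22, end=6):
    """True for timestamps between 22:00 and 06:00 local time (assumed)."""
    h = datetime.fromisoformat(ts).hour
    return h >= start or h < end


def probable_home(points, min_nights=2):
    """Return {device_id: (cell, nights)} for each device whose night-time
    points concentrate in one cell on at least `min_nights` distinct dates.
    Devices that do not meet the threshold are left out."""
    per_device = defaultdict(lambda: defaultdict(set))  # dev -> cell -> dates
    for dev, ts, lat, lon in points:
        if is_night(ts):
            per_device[dev][grid_cell(lat, lon)].add(ts[:10])
    result = {}
    for dev, cells in per_device.items():
        cell, dates = max(cells.items(), key=lambda kv: len(kv[1]))
        if len(dates) >= min_nights:
            result[dev] = (cell, len(dates))
    return result


if __name__ == "__main__":
    for dev, (cell, nights) in probable_home(SAMPLE).items():
        print(f"{dev}: probable sleeping location {cell} ({nights} nights)")
```

The persistent identifier is what makes this work: with a stable device id, two nights of data are already enough to place a vehicle at one address, and nothing in the coordinates needs to be “personal” for the result to be. Coarsening the grid or dropping timestamps would weaken the inference, but, as the source quoted above notes, doing so also destroys most of the data’s commercial value.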

Otonomo told Motherboard at the time that the freely available data was from TSPs and not OEMs. After Motherboard obtained the data, Otonomo made a change to its website meaning users had to request the data from Otonomo itself rather than the information being freely available to download.

Otonomo did not respond to a request for comment on the class action lawsuit.
