Police EncroChat cryptophone hacking implant did not work properly and frequently failed

Surveillance operation against EncroChat encrypted phone network had repeated technical failures

A surveillance operation that covertly harvested text messages from an encrypted phone network allegedly used by criminals and drug dealers relied on technology that frequently failed and often stopped working.

A senior technical officer at the National Crime Agency (NCA) disclosed to the Old Bailey that French-designed software implants used to extract supposedly encrypted text messages from the EncroChat cryptophone network were unreliable.

French police accessed millions of supposedly encrypted messages and photographs from EncroChat phones in multiple countries in a hacking operation between March and June 2020.

The European police agency, Europol, shared copies of data extracted from around 6,000 UK-based EncroChat phones with the UK’s National Crime Agency.

Luke Shrimpton, senior technical officer at the NCA, and forensic expert Duncan Campbell disclosed in a joint report that the French implant had technical problems, during a trial at London’s Old Bailey over an alleged drug-related conspiracy to murder.

“In broad and general terms, we agree that records show that the implant and processing system were not reliable, in that the implants frequently and often stopped working, unless or until restarted,” according to an extract of the report read out in court.

The experts said French secrecy laws meant it was impossible to say why the interception technology did not work reliably.

“By reason of French secrecy laws, neither of us has any knowledge of how the implants or the implant processing system were designed or operated, nor why they broke down,” they said in the report.

Murder conspiracy alleged

The experts were giving evidence during the trial at London’s Central Criminal Court of Paul Fontaine, 36, who is accused of conspiring with others to supply a firearm used to murder Abdullahi Mahmoud in 2020.

Fontaine, of the Pembury Estate in the London Borough of Hackney, is also accused of conspiring with his co-defendant in the case, Frankie Sinclair, 34, of Cardiff, to procure a handgun and ammunition.

The gun was allegedly intended for the murder of a second man, Keiron Hasson, said to be a rival of Sinclair, in a “revenge attack”.

Sinclair has admitted involvement in the supply of cocaine and heroin, but denies other charges against him. Fontaine has denied all charges.

Fontaine used the EncroChat handle “Usualwolf” and Sinclair used the handle “Nudetrain”, the court heard.

Prosecution – EncroChat data reliable

Luke Shrimpton, a senior technical expert at the National Crime Agency, began work to build an implant to penetrate the encrypted phone network by reverse-engineering EncroChat technology, the court heard.

But the French Gendarmerie developed their own implant, which broke the encrypted phone network in April 2020, before work on the NCA implant was complete.

Shrimpton was responsible for managing the distribution of EncroChat material from the NCA to other police forces, as part of an operation codenamed Operation Venetic.

He told the court that although the French implant was unreliable, there was nothing unreliable or inaccurate in the data or images presented to the court, and there was no evidence of misattribution of any EncroChat data.

Prosecution barrister Kevin Dent QC said Shrimpton had conducted a number of checks on EncroChat data and had uncovered no anomalies and no inconsistencies. “Although repeatedly asked, he had no concerns about the data,” he said.

Dent told the jury that messages extracted from EncroChat phones matched events that were going on in real life. “There is no evidence of inaccuracy, but evidence of accuracy, time and time again,” he said.

Implants ‘fell down’

Forensic expert Duncan Campbell, instructed by Fontaine’s defence team, told the court that the implant was put together “at the last minute” and it was still not working days before the police operation was launched.

“Looking across a large set of data, the first round of implants never worked. They fell down within hours or a few days, and they all had to be re-run for that reason, as the NCA has said in this case and in other evidence,” said Campbell.

Questioned by Arlette Piercy, representing Fontaine, Campbell said: “Failures were frequent from the start. Data was frequently lost or was missing for significant periods, including in this case.”

Some features of the implant never worked, and others appeared not to work as intended or were designed wrongly, Campbell told the court.

After each implant failure, batches of hundreds or even a thousand messages were added to the data by an unknown source or an unknown method, he said.

Two-stage extraction

The court heard that the implant, uploaded by French police as a software update to EncroChat handsets, worked in two stages.

During phase one, the implant extracted data, messages and images stored on the infected EncroChat phones in a database known as Realm.

Phase two, which started almost immediately after phase one, sent live data, message locations and passwords back from the phone.

Campbell said phase one “appeared much more accurate and much more consistent” and contained built-in checks that made it possible to check the reliability of the data collected.

“In phase two, the opposite is true,” he said. “It is very difficult to show that anything is reliable. And it is compounded by the fact that the implants break down continually. They fall over.”

He said four components of the implant did not work, and neither he nor Shrimpton knew how the French had got them to work.

Unique dilemma

The court heard the techniques used to acquire and process data before it reached the NCA were a French national security secret.

“The situation with the EncroChat material has created a unique dilemma for everyone working in the field of forensic computer evidence,” said Campbell under cross-examination by prosecution barrister Kevin Dent QC.

“Never before has a body of such serious cases had to be tried where there has been no access to and no possibility of following the internally well-respected 25-year-old principles of computer-based digital evidence,” he added.

“None of us in the field have ever seen a case where there is no possibility of checking original data. And that is creating a problem for everyone. You have the real-world data but also have data that has emerged from behind a wall of complete secrecy,” he said. “The situation is unprecedented.”

Rules of digital evidence

Campbell said the principles of digital evidence laid down by the Association of Chief Police Officers 25 years ago are followed robustly by the NCA and every police force during operations in the UK.

Principle three requires police forces to create an audit trail of all the processes applied to digital evidence, which would allow an independent third party to examine the processes and achieve the same results.

“That is of great importance to digital evidence because digital evidence can be changed without the possibility of detection,” he said.

Police officers take digital images of devices immediately and digitally certify them so that they can’t be accidentally or deliberately changed before the evidence reaches the court.

“You have an unprecedented schism, unique, I think, in everyone’s experience in Operation Venetic,” said Campbell.

The NCA is in the middle, doing everything by the book, but before data reaches the NCA “nothing is known, nothing is checkable. None of the principles are known to have been followed. We are left in the dark,” he added.

The court heard that Shrimpton had not been trained in the principles.

Campbell said he “completely disputed” statements by Shrimpton, who accepted the implant was unreliable but said the data it collected was reliable.

“We cannot form a view of whether we can trust the French design of the implant or the quality standards they have,” he said. “It does not mean that the French are untrustworthy. It does not mean that the French are trustworthy. It means we simply cannot tell.”

Usualwolf failures

An analysis of EncroChat messages sent by Usualwolf showed that the implant had failed more than 20 times, the court heard.

Campbell said the scale of the failures implied design failure or data processing failure, or both, in the technology used by the French.

“The immense scale and frequency of the failures calls into question the reliability of the implant data if it cannot be confirmed or supported independently,” he said.

Campbell said he fundamentally differed with Shrimpton on reliability where nothing is known about where the information was obtained.

“We agree that you can compare things that we have to get information on reliability. But we do not agree you can base reliability on something where you do not know where it began, who was involved and how it was handled before it was handed over to you,” he said.

Encrypted images

Campbell said he and Shrimpton agreed there was a problem generally with Venetic data because sometimes images such as photographs appeared in the data without an authentication key, known as an HMAC or hash key.

In other cases, HMAC keys were found in Operation Venetic data without an accompanying image. In the case of Usualwolf, there were a dozen “orphan keys” which did not belong to any picture.

Shrimpton told the court that he agreed with Campbell’s findings on orphan keys but, in his opinion, it did not raise questions about reliability.

Campbell said if you have an image without a key, or a key without an image, “you have no idea what is going on”.

“You can’t make a statement, in my opinion, about reliability or unreliability when the correct position is that you don’t know,” he said.

Campbell said he and Shrimpton believed extra images were added to the data by the French processing operations, but they could only make “intelligent guesses” as to what was going on.

Misattribution

Campbell said he had drawn Shrimpton’s attention to a “completely impossible” set of data in a separate EncroChat case.

Drawing an analogy, he said it was as if he had exchanged messages with the court clerk, but the messages were not found in Campbell’s phone or the clerk’s phone but in a phone belonging to one of the legal counsel sitting at the back of the court.

Campbell said Shrimpton had suggested that during the life of an EncroChat device it was possible for the username of the device to be changed.

“[Shrimpton] suggested that the original username had been moved to another device and after a week or two a different user had established on the device concerned,” he said.

Campbell said he found the explanation plausible but there was no proof of the cause.

“Discovering this class of error is very worrying. Particularly if it related to the data processing operated in France, it would indicate an exceptionally poor standard of computer programming,” he said.

Campbell said that if Shrimpton’s explanation was correct, it would be a less serious error, but still an error of misattribution.

“The problem we had was that neither of us had the original data to go back and check the French record and see what it really said was the real truth,” said Campbell.

Message clusters

The court heard that an analysis of the data suggested that the implant was conducting a previously undisclosed third phase of interception alongside phase one and phase two, which caused clusters of messages to appear in EncroChat data.

“My first concern was that the French were running data in a way that they had not told the NCA,” said Campbell.

Shrimpton made an “intelligent best guess” that it was something that might be expected, said Campbell.

But Campbell said he disagreed and this type of data collection had not been described by the French.

The clusters “are of a lower level of reliability than other data,” said Campbell. “They come from a process that either of us, from our different experience, can only guess at.”

Time stamps

Campbell told the court that the times recorded on EncroChat messages could potentially be changed by computer programmes that altered or deleted the contents of storage.

“Timing of sequencing of EncroChat messages can be incorrect because of delays in the system that collects the messages, because timers on the phone devices were not accurately set or deliberately not set correctly,” he said.

But he pointed out that it was not possible to check that the data had been processed correctly because there was no “raw data” available to the court.

Prosecution: implant gathered accurate data

Kevin Dent QC for the prosecution asked Campbell how it was possible for the implant to retrieve an image made up of two million bits of data from an EncroChat phone, and to assemble it correctly if the implant was not sending accurate data.

What you don’t necessarily know, Campbell told the court, is whether the image came from the EncroChat device concerned and how many images were missing or mismatched.

Campbell agreed that in the case of an image taken from a phone which matched real-life objects belonging to the phone user that were in police possession there would be “no anxieties about the chain of evidence”.

He told the court: “Accuracy is different from reliability. The implant demonstrably produces some accurate images.”

Campbell said he had developed a technical test with Shrimpton that shows whether images had been correctly attributed to the right EncroChat phone, by checking if the certification key was present in the phone. This provides a “copper-bottomed test”.
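The orphan-key problem described under “Encrypted images” and the key-present-on-the-phone attribution test above can be made concrete with a small audit. This is an added illustration, not NCA, Europol or French tooling: the record layout, the use of HMAC-SHA256 over the image bytes, the handle-to-key mapping recovered from a seized handset and the sample data are all constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class ImageRecord:
    image_id: str
    handle: str   # handle the processing pipeline attributed the image to
    data: bytes   # image bytes as delivered in the data package


@dataclass
class AuditResult:
    verified: list = field(default_factory=list)           # tag recomputes with the handle's key
    mismatch: list = field(default_factory=list)           # tag present but does not verify: possible misattribution
    image_without_key: list = field(default_factory=list)  # image delivered with no HMAC tag
    unverifiable: list = field(default_factory=list)       # no seized-device key for the handle, so nothing to compare
    orphan_keys: list = field(default_factory=list)        # tags that belong to no delivered image


def compute_tag(device_key: bytes, data: bytes) -> str:
    # Assumed construction: HMAC-SHA256 keyed with a per-device secret.
    return hmac.new(device_key, data, hashlib.sha256).hexdigest()


def audit(images, tags, device_keys) -> AuditResult:
    """images: list of ImageRecord; tags: image_id -> hex tag found in the package;
    device_keys: handle -> key bytes recovered from a seized handset (may be absent)."""
    result = AuditResult()
    seen = set()
    for img in images:
        seen.add(img.image_id)
        tag = tags.get(img.image_id)
        if tag is None:
            result.image_without_key.append(img.image_id)
            continue
        key = device_keys.get(img.handle)
        if key is None:
            result.unverifiable.append(img.image_id)
            continue
        if hmac.compare_digest(compute_tag(key, img.data), tag):
            result.verified.append(img.image_id)
        else:
            result.mismatch.append(img.image_id)
    # Any tag whose image_id never appeared in the delivered images is an orphan key.
    result.orphan_keys = sorted(set(tags) - seen)
    return result


# Constructed sample: two handles with keys "recovered" from seized phones, one without.
KEY_A = b"constructed-key-handle-a"
KEY_B = b"constructed-key-handle-b"
DEVICE_KEYS = {"handle-a": KEY_A, "handle-b": KEY_B}

IMAGES = [
    ImageRecord("img-1", "handle-a", b"constructed image one"),
    ImageRecord("img-2", "handle-b", b"constructed image two"),   # attributed to b, tagged with a's key
    ImageRecord("img-3", "handle-a", b"constructed image three"), # delivered with no tag
    ImageRecord("img-4", "handle-z", b"constructed image four"),  # no seized device for handle-z
]
TAGS = {
    "img-1": compute_tag(KEY_A, b"constructed image one"),
    "img-2": compute_tag(KEY_A, b"constructed image two"),
    "img-4": compute_tag(b"unknown-key", b"constructed image four"),
    "img-9": "00" * 32,  # orphan: no image img-9 was delivered
}


def run_sample() -> AuditResult:
    return audit(IMAGES, TAGS, DEVICE_KEYS)


if __name__ == "__main__":
    print(run_sample())
```

Only the “verified” bucket supports a positive statement about attribution; the other four buckets are exactly the cases where, as Campbell put it, the correct position is that you do not know.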

“Consistency is a measure of accuracy. You can only say something is accurate if you compare against something else. That is the fundamental point we have made. If you have nothing original you have nothing to compare it to,” he said.

Campbell told the court that in his joint report with Shrimpton he looked at matches between the Usualwolf and Nudetrain EncroChat handles.

“On a small sample set we had matches 44% of the time. I would ask what is the missing data, where it has gone, and so on,” he said.

Dent asked Campbell whether, when there was more than one copy of a message, “was there a single word or letter of difference in any of the messages?”.

“By definition, no, that is the central misunderstanding here,” Campbell told the court. “You are asking me when I or Mr Shrimpton program a computer to find matches, do we ever find non-matches. And the answer is we never do because we told our computers to find matches.”

Beyond reasonable probability

“If the implant is not collecting reliable accurate data, is there any way that it can put together what appears to be a coherent conversation?” asked Dent.

“It is beyond reasonable probability to imagine that a series of random accidents would produce a coherent conversation,” said Campbell. “You are completely right to say that is an unbelievable possibility in itself.”

Dent put it to Campbell that he did not argue that any of the images and data obtained in the current case were inaccurate. “I can only test for accuracy and where accuracy is found it is described. I cannot test for inaccuracy,” Campbell replied.

“When you have got a message that matches, that is accurate. When you have a picture that matches, that is accurate,” he added. “When you have no matches, you simply have to say nothing because you have no original to compare it with. You also have no test reports and no explanations that you can bring to bear.”

Gold standard

Campbell told the judge it would be possible to identify inaccuracies by comparing NCA EncroChat data with the “gold standard” EncroChat data held by the French police, if the French had made it available.

Campbell said it would also be possible to test the data obtained from an EncroChat user for inaccuracy by comparing it to the contents of the user’s EncroChat phone, if it was seized by the police. “That is not just the gold standard, if you like, that is the platinum standard,” he said.

“From my experience in many of these situations, the most unlikely thing would be a sentence changing meaning – that, in my experience and every other digital forensics person’s, would have to be human tampering. I am not suggesting that,” he said.

More common errors would be mis-sorting messages according to dates. Individual messages might be accurate but have the wrong time stamps, or the data might mix up who is communicating with whom.

The National Crime Agency followed “documented and checkable” procedures to process the EncroChat data in the form received from the French, Campbell told the court.

Where mistakes had appeared in the “end product” for trial, they were as a result of mistakes by police forces that received EncroChat data from the NCA, and not the NCA itself, said Campbell.

“Some of the officers, but by no means all of them, who handled the material were not fully trained in the methods,” said Campbell.

Evidence 'accurate and reliable'

Dent, quoting from Campbell’s website, told the jury that Campbell had forged a career exposing unlawful and immoral government surveillance operations. Campbell had ignored or downplayed all the evidence in this case, which shows the EncroChat evidence is accurate and reliable, he said.

“You are on a campaign here and this is part of your campaign,” Dent said.

Campbell told the court that he disagreed entirely and that the description was not a summary of his role and did not relate to his work as an expert witness.

Arlette Piercy, representing Fontaine, told the court that the NCA’s Luke Shrimpton and “the allegedly partisan” Campbell had produced a joint report which contained “58 points of agreement”.

“I don’t believe that you can get a slip of paper between our opinions apart from one matter of reliability. That is because we are driven by data, driven by the science,” said Campbell.

Reliability of implant and data

Summing up, Dent argued that the reliability of the data and the reliability of the implant were two separate things.

“The fact that the implant does not always collect data has no bearing on whether the messages and the data collected are correct,” he said.

Dent argued that Campbell was “all-out blazing” against EncroChat evidence and had even started talking about the burden of proof until his Lordship intervened – “an outrageous thing for an expert to do”.

Dent said Shrimpton was a careful witness, who when it emerged there was an anomaly in relation to EncroTalk – a voice communication service in EncroChat – said he would like to do more work before coming to a conclusion.

“That is the hallmark of someone who is independent trying to give you an independent opinion,” he said. “That was not the approach of Mr Campbell, who wanted to tell you how awful this implant was and that all of the messages and images were unreliable,” he said.

Campbell was forced to concede that images attributed to the EncroChat handle Nudetrain were reliable and that it would be daft to say otherwise, said Dent.

Campbell said there was the possibility of misattribution or mis-sorting of data, but Dent said it was “clearly not sensible” that anyone apart from Frankie Sinclair would take a photograph of Frankie Sinclair’s breakfast or Frankie Sinclair’s shorts.

It was suggested that the French police might have altered EncroChat data, said Dent, but it was ridiculous to suggest that the French High Tech Crime Unit had an interest in Sinclair.

“Mr Campbell preferred to be in a data bubble,” said Dent. “He did not want to look at real evidence. He preferred to look at keys, message clusters and who knows what else.”

Civil liberties

Arlette Piercy, representing Fontaine, told the jury to look at the demeanour of Shrimpton during his evidence. It was difficult to reconcile his work for the NCA on Operation Venetic with his role as an independent scientist.

“You might think he was never going to say the data was unreliable,” she said. “How can he possibly be described as independent?”

The prosecution threw at Campbell “that most heinous of crimes that he spent over 40 years fighting for civil liberties”, she said. “I would not mind that on my gravestone.”

She asked the jury whether Dent, in his closing remarks, was still trying to get his head around EncroChat, or whether he was willfully misunderstanding what Campbell was saying.

“EncroChat is new, novel and highly controversial,” she said. “You might think the British establishment is putting a lot of faith in the French in getting this data. A package [of data] is what it says on the tin. It means to present something in an attractive or advantageous way,” she said.

Who chose what to put in the data packages supplied by the French, why or how, how accurately they were put together, no one knows.

No one is suggesting bad faith by the French, but “the lack of a clear continuity trail is the enemy of certainty and reliability”.

“Apparently none of that matters with data from the French. We just have to assume the French got it right,” she said. “Even the prosecution don’t know how the hack works.”

A crown cell-site expert had earlier shown the jury a map, showing the locations of the EncroChat phone Usualwolf and Paul Fontaine’s phone.

“It turned out the wrong data had been added to the wrong map, mislabelled and misattributed,” she said.

From Wyatt Earp to James Bond

James Walker, representing Sinclair, said the case against Sinclair was based entirely on EncroChat messages.

“You were told that the trial was about conspiracy to murder,” he told the jury. “Here you are at the beginning of week five, no guns and no murder.”

Kieron Hassan was named as the target, but there was no single act of violence against him, he told the jury.

Sinclair was meant to have bought a Walther PPK gun, of the type used by James Bond, and a “rusty” Colt 45, that could have been used by Wyatt Earp, but no guns have been produced in the case, only photographs.

“Without the weapons being physically examined, you can’t see whether it’s real or a replica,” said Walker.

Crimes were committed against Sinclair. His friend was attacked and his mother was “shot up” at her house.

“The text and the language are nothing more than bravado, just rhetoric,” he told the court. “Individuals who sell drugs have to be seen to react. It’s about being seen to react, being seen to save face.”

It was the opposite of conspiracy, said Walker. Sinclair had been warned not to go to the police, but reported the attack against his mother “to the local bobby”.

“The Crown’s case is that he was armed, sees his friend hacked, but where is his intent? He had a Walther PPK and a Colt. He could have blown Kieron Hassan away. What does he do? He calls the police.”

The case continues.