The Rise and Fall of Encrypted Phone Companies: Lessons from Sky ECC, EncroChat, Phantom Secure, and Others

In recent years, encrypted phone companies have flourished, offering devices designed to protect privacy and ensure secure communications. However, companies like Sky ECC, EncroChat, Phantom Secure, Ciphr, Ghost, and others have been hacked, dismantled, or have collapsed because of vulnerabilities that stemmed mainly from centralized servers and Mobile Device Management (MDM) systems.

These companies promised total security, but their structural errors revealed the inherent weakness of centralizing security, exposing thousands of users when their systems were infiltrated.

1. Sky ECC: The “Unbreakable” That Fell

Sky ECC was hacked in 2021 by European security agencies, who exploited the use of centralized servers to compromise the network. The attack was made possible by the service's reliance on centrally controlled infrastructure, which allowed authorities to intercept millions of messages and effectively dismantle the service.

2. EncroChat: The Biggest Encrypted Phone Hack

EncroChat suffered a devastating attack in 2020 when French and Dutch authorities infected its servers with malware and decrypted communications in real time. EncroChat also depended on centralized servers, which allowed law enforcement to access the data traffic and compromise the network.

3. Phantom Secure: The Precedent-Setting Case

In 2018, Phantom Secure was dismantled after authorities discovered its use of MDM systems to remotely manage users’ devices. This system, while useful for company administrators, gave security agencies access to device data, since whoever controlled it could alter configurations and, in some cases, remotely delete or modify information.

Why Centralized Servers and MDM Are a Mistake

The fall of these companies is not just the result of the technology they used, but of the centralized architecture they relied on. The key problem lies in the centralization of two crucial elements: servers and MDM.

1. The Problem with Centralized Servers

Centralized servers are single points of failure that concentrate all user communications and data. This creates a scenario where, if an attacker (or in the cases of Sky ECC and EncroChat, law enforcement) compromises the server, they can gain access to all the information transmitted across the network.

  • Ease of Interception: Centralized servers allow any entity that gains access to intercept encryption keys and communications. Even the best encryption measures are useless if authorities can introduce malware directly into the server.
  • Single Points of Failure: Once a server is compromised, the entire network is exposed. This is exactly what happened with EncroChat and Sky ECC, where authorities gained access to millions of private messages in real time.

2. The Danger of MDM (Mobile Device Management)

MDM is a remote device management solution that allows companies to control and administer devices from a centralized point. While useful for managing fleets of devices in traditional businesses, MDM is a bad idea for encrypted phones for the following reasons:

  • External Control: By using MDM, the company providing the encrypted phone has the ability to remotely access users’ devices. This can include the ability to delete messages, modify security settings, install software updates, or even erase content at their discretion. This goes against the fundamental principle of privacy since it means that an external entity has total control over your device.
  • Ease for Attackers or Authorities: MDM becomes an entry point for attackers or authorities to access the device. In the case of Phantom Secure, the FBI leveraged access provided by the MDM to remotely control users’ devices. Once MDM systems are compromised, hackers or law enforcement can take full control of the devices, breaking the security these phones were supposed to provide.
  • Trust in the Company: When a user buys a phone with MDM, they are blindly trusting the provider company to maintain their privacy. But as we’ve seen in these cases, a court order, hacking, or any other type of external pressure can lead the company to hand over data or give up control of the devices. External and centralized control is the antithesis of true privacy.

An MDM Centralizes Security

The main reason why MDM is a bad idea for encrypted phones is that it centralizes security. Device management should be in the hands of users, not in the hands of an external entity that can be manipulated, hacked, or simply forced to hand over data under legal pressure. The concept of decentralized security means that each user has total and exclusive control over their keys, data, and devices without relying on a third party as an intermediary.

What Should a Truly Secure Encrypted Phone Do?

To avoid the mistakes made by companies like Sky ECC, EncroChat, Phantom Secure, and others, encrypted phones must adopt a decentralized architecture, where:

  • Encryption keys are generated and stored locally on the user’s device, not on a server controlled by the company.
  • No MDM system or remote control of devices exists, leaving total control in the user’s hands.
  • Communications are peer-to-peer, avoiding any centralized server that stores or processes sensitive data.
  • The source code is auditable so that users and the community can verify the integrity of the technology.
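
The first requirement above, shown as an added sketch that is not from the original article or any vendor's code: each device generates its key pair locally, so a server that still sits in the message path holds only public keys and ciphertext. The group (2^255 - 19, base 2) and the SHAKE/HMAC sealing are stand-ins chosen to stay within the Python standard library, and `Device`, `Relay` and `relay_view` are hypothetical names.

```python
import hashlib, hmac, secrets

# Stand-in group for illustration only; production code uses a vetted library.
P, G = 2**255 - 19, 2

class Device:
    """Endpoint whose private key is generated locally and never leaves it."""
    def __init__(self):
        self._priv = secrets.randbelow(P - 3) + 2
        self.public = pow(G, self._priv, P)

    def _key(self, peer_public):
        shared = pow(peer_public, self._priv, P)
        return hashlib.sha256(shared.to_bytes(32, "big")).digest()

    def seal(self, peer_public, plaintext):
        key, nonce = self._key(peer_public), secrets.token_bytes(16)
        stream = hashlib.shake_256(key + nonce).digest(len(plaintext))
        body = bytes(a ^ b for a, b in zip(plaintext, stream))
        return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

    def unseal(self, peer_public, blob):
        key = self._key(peer_public)
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("wrong key or message altered in transit")
        stream = hashlib.shake_256(key + nonce).digest(len(body))
        return bytes(a ^ b for a, b in zip(body, stream))

class Relay:
    """Central server; `stored` is everything a compromise of it would yield."""
    def __init__(self):
        self.stored = []

    def forward(self, item):
        self.stored.append(item)
        return item

def relay_view(plaintext):
    """Send one message through the relay; return (what Bob reads, what the relay holds)."""
    alice, bob, relay = Device(), Device(), Relay()
    alice_pub = relay.forward(alice.public)
    bob_pub = relay.forward(bob.public)
    blob = relay.forward(alice.seal(bob_pub, plaintext))
    return bob.unseal(alice_pub, blob), relay.stored

if __name__ == "__main__":
    received, stored = relay_view(b"constructed sample message")
    print(received, [type(item).__name__ for item in stored])
```

A relay that distributes public keys can still substitute them, so the two devices should compare key fingerprints over a separate channel before trusting the session.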

The future of encrypted phone security depends on companies’ ability to decentralize their systems and return control to users. Only then can they avoid the fate of Sky ECC, EncroChat, and Phantom Secure.


Conclusion: Lessons for the Future

The fall of encrypted phone companies teaches us that real security cannot rely on centralized systems or external control through MDM. The use of centralized servers and technologies creates single points of failure that, when compromised, expose all users.

To ensure total privacy and security, encrypted phones must adopt decentralized systems, with no centralized control points, and give users full control over their devices and keys. Only then will they achieve true privacy and avoid the same fate as Sky ECC, EncroChat, and others.
