PGP, or Pretty Good Privacy, is an open source end-to-end encryption standard that can be used to cryptographically sign emails, files, documents, or entire disk partitions in order to protect them from being spied on.
You'll be surprised to know how the police actually decrypted those PGP messages.
In April last year, the Dutch Police arrested a 36-year-old man on suspicion of money laundering and involvement in selling customized BlackBerry phones with a secure PGP-encrypted network to criminals involved in organized crime.
At the time, the police also seized a server belonging to Ennetcom, the company owned by Danny Manupassa, which contains data of end-to-end encrypted communications belonging to a large number of criminal groups.
Later, in January this year, the Dutch investigators claimed they could decrypt emails stored on PGP-encrypted BlackBerry devices using commercially available tools, but that only applied to phones in the possession of authorities.
However, the latest news concerns reading all of the encrypted messages that were on the seized server.
Dutch police said they have gained access to the contents of 3.6 million messages stored on that server, and that they have even managed to decrypt a number of messages despite their supposedly being protected with end-to-end encryption, Openbaar Ministerie (the Public Prosecution Service) announced in a press release on Thursday.
Decrypting messages gave authorities access to evidence for dozens of criminal investigations into assassinations, drug trafficking, money laundering, armed robbery, attempted murder and other organized crime, which can lead to significant, decisive breakthroughs in criminal matters.
But the question remains:
How did the Police Decrypt the PGP-encrypted Messages?
Ennetcom sold some 20,000 encrypted BlackBerry phones that came preloaded with a number of security features, including PGP email, which apparently means that the email content should be protected even if it's intercepted or if authorities search its server.
However, the Dutch authorities discovered that the Ennetcom PGP BlackBerry devices routed user communications through its own infrastructure, a Canadian court filing reads.
And here the blunder comes into play: The "keys" for the PGP encryption system were generated by the company's server, rather than by the device.
As a result, the Dutch authorities noticed that the keys to decrypt the PGP encrypted messages on the Ennetcom PGP BlackBerry devices are also stored on Ennetcom's BlackBerry Enterprise Servers.
The authorities then discovered a total of 7TB of data on the central server of Ennetcom in Canada and found that it was possible to read encrypted messages on the server.
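The key-placement issue described above, as an added illustration that is not from the article or from Ennetcom's systems: a toy ElGamal-style cipher stands in for PGP, and the `Server` class, user names and messages are constructed. It contrasts a server that generates and keeps private keys with a device that uploads only its public key, and shows which stored messages can be read from the server's contents alone.

```python
import hashlib
import secrets
# Toy ElGamal-style stand-in for PGP public-key encryption (assumption for
# illustration, not secure): integers modulo the prime 2**255 - 19, base 2.
P, G = 2**255 - 19, 2

def keygen():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def _stream(shared, n):
    return hashlib.shake_256(shared.to_bytes(32, "big")).digest(n)

def encrypt(pub, msg):
    eph, eph_pub = keygen()  # fresh ephemeral key per message
    ks = _stream(pow(pub, eph, P), len(msg))
    return eph_pub, bytes(a ^ b for a, b in zip(msg, ks))

def decrypt(priv, blob):
    eph_pub, ct = blob
    ks = _stream(pow(eph_pub, priv, P), len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

class Server:
    """Hypothetical relay that stores users' keys and ciphertext."""
    def __init__(self):
        self.pubkeys, self.privkeys, self.mailbox = {}, {}, {}
    def provision(self, user):
        # As the article reports: server generates the pair, keeps the private key.
        self.privkeys[user], self.pubkeys[user] = keygen()
        return self.privkeys[user]
    def enroll(self, user, pub):
        # Alternative: the device generates the pair and uploads only pub.
        self.pubkeys[user] = pub
    def deliver(self, user, msg):
        self.mailbox.setdefault(user, []).append(encrypt(self.pubkeys[user], msg))

def recoverable_from_server(server):
    # Plaintexts readable using only data stored on the server.
    return {u: [decrypt(server.privkeys[u], b) for b in blobs]
            for u, blobs in server.mailbox.items() if u in server.privkeys}

def demo():
    s = Server()
    s.provision("alice")          # server-generated key
    bob_priv, bob_pub = keygen()  # device-generated key
    s.enroll("bob", bob_pub)
    s.deliver("alice", b"constructed message A")
    s.deliver("bob", b"constructed message B")
    return recoverable_from_server(s), decrypt(bob_priv, s.mailbox["bob"][0])
```

`demo()` returns the messages recoverable from server data alone (only the server-provisioned user's) together with the second user's message decrypted with the key that never left the device.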
In response to the Openbaar Ministerie press release, Ennetcom announced on its website that "the public prosecution has done these seizures under false pretenses," based on suspicion of money laundering and on the pretext that all of its phone customers are criminals.