Encrypted Phone Firm 'Sky': Someone Sold Compromised Versions of Our App

Sky ECC suggests a complex phishing campaign can explain high-profile arrests the media reported Tuesday.

Sky ECC, an encrypted phone company whose users include criminals, claims someone created a fake version of its communication app, loaded that onto phones, and then sold those phones through "unauthorized channels," a representative for the company told Motherboard.

Sky ECC is responding to media reports Tuesday that said law enforcement agencies had managed to crack Sky's communication platform at the end of last year, and authorities had obtained suspects' thought-to-be-secure messages in real time. The company is claiming to Motherboard, essentially, that law enforcement or someone else advertised and sold phones loaded with counterfeit apps. Then, seemingly, law enforcement observed criminal activity on these compromised devices, allowing them to make the arrests that were reported Tuesday.

"SKY ECC authorized distributors in Belgium and the Netherlands brought to our attention that a fake phishing application falsely branded as SKY ECC was illegally created, modified and side-loaded onto unsecure devices, and security features of authorized SKY ECC phones were eliminated in these bogus devices which were then sold through unauthorized channels," Sky told Motherboard in a statement. Motherboard has not been able to verify Sky's claims.

Do you work for Sky? Do you have documents related to these arrests? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

Although the details were sparse, Belgian publication De Standaard reported that "investigators managed to crack the code of the encrypted message service 'Sky ECC,'" and that after capturing tens of thousands of live messages, hundreds of investigators carried out arrests and searches simultaneously across the country on Tuesday morning. On Wednesday after the publication of this piece, the Belgian Federal Police published a press release suggesting the operation was much larger in scope, capturing around one billion messages, with nearly half of those being decrypted. The press release did not explain the method used to capture the messages.

According to Sky, the company "maintains, after thorough investigation, that all such allegations are false," regarding the hacking or cracking of its service, adding "no authorized Sky ECC device has been hacked."

"SKY ECC did not authorize or cooperate with the investigative authorities or those involved with the distribution of the fake phishing application," the statement continued, adding that Sky is "pursuing legal action against the offending individuals for impersonation, false lights [sic], trademark infringement, injurious falsehood, defamation, and fraud."

Sky is part of the turbulent encrypted phone industry, where companies sell customized phones, sometimes with the microphone or GPS functionality removed, and their own apps installed for sending encrypted messages. The devices are traditionally expensive, costing thousands of dollars for an annual subscription, and are often distributed by resellers based in different countries.

The market is also heavily, but not exclusively, used by members of serious organized crime, including hitmen, drug traffickers, and weapon smugglers. In response, law enforcement agencies have steadily increased the frequency and sophistication of operations against such companies. In 2016, Dutch authorities leveraged a flaw in the encrypted messaging implementation of a firm called Ennetcom to obtain users' message content. The FBI and international partners targeted Canadian firm Phantom Secure and arrested its creator, Vincent Ramos, in 2018. And last year French law enforcement dramatically used Encrochat's update mechanism to push malware onto customers' phones themselves and siphon off message content.

If Sky's characterization of the operation is accurate, it bears more resemblance to an oft-overlooked investigation by the DEA into a network of encrypted BlackBerry devices. In 2010, an undercover agent sold a drug trafficker a number of BlackBerry devices; the DEA, however, held onto the encryption keys, which would ordinarily be private, in order to read messages sent by the phones.

Often when authorities take down one of these platforms, criminal users migrate to another. In its statement, Sky added that it "firmly denies any allegation that it is the 'platform of choice for criminals'."

In the statement, the company's CEO, Jean-François Eap, positioned the company as a legitimate firm.

"The platform exists for the prevention of identity theft and hacking, the protection of personal privacy rights, and the secure operation of legitimate personal and business affairs. With the global rise of corporate espionage, cybercrime and malicious data breaches, privacy and protection of information is the foundation of the effective functioning for many industries including legal, public health, vaccine supply chains, manufacturers, celebrities and many more," he said.

The statement added that Sky "experienced temporary interruptions in connection with its servers," but did not explain what may have caused the outage.

The Belgian Federal Police did not respond to a request for comment.

Update: This piece has been updated to include more information released by the Belgian Federal Police after publication.

Clarification: A sentence has been changed from saying the app was installed specifically on Sky phones, to phones in general. Sky told Motherboard the company’s phones would not have allowed the installation of the fake app.