FACTS

Ford Nickelson
Apr 1, 2016

I’ve got some attention writing about weak cryptography used in the wild. As we all know, EncroChat or EncroMail, depending on what you want to call it, is focused on encryption, security and privacy, and that’s true if you are using strong encryption. In this post I’ll write about EncroTalk (the secure calls service). I could write about phone security or mail servers, but for now let’s focus on analysing one service at a time.

EncroTalk

We’re gonna examine the EncroTalk service. The website clearly states the following:

Encrypts all Voice over IP (VoIP) conversations using the ZRTP protocol and transmits them over a closed loop network. A subscriber can send an invite request to another user on our network and, if accepted, can contact them almost anywhere an Encrotalk user resides. We currently have users speaking globally to one another in countries like Australia or China talking securely and crystal clear to subscribers in Canada or South America.

They advertise ZRTP and a closed network. While there is a ZRTP protocol and encryption, there is no such thing as a closed loop network; it’s all just marketing.

Servers

So, as we all know, EncroChat is using 3 different locations for VoIP calls.

Let’s do a DNS query for the server IPs:

* encrotalk.encrochat.ch has address 216.187.86.233
* encrotalk2.encrochat.ch has address 124.217.254.93
* encrotalk3.encrochat.ch has address 185.55.53.173

Now let’s examine the servers. We’re gonna do a simple Nmap scan and see what results we get.

nmap 185.55.53.173 -Pn -P0 -sV -p5000-6000
Starting Nmap 6.47 ( http://nmap.org )
Nmap scan report for 185.55.53.173
Host is up (0.016s latency).
PORT STATE SERVICE
*** snip ***
5061/tcp open sip-tls
*** snip ***
nmap 216.187.86.233 -Pn -P0 -sV -p5000-6000
Starting Nmap 6.47 ( http://nmap.org )
Nmap scan report for 216.187.86.233
Host is up (0.37s latency).
PORT STATE SERVICE
*** snip ***
5061/tcp open sip-tls
*** snip ***

So we found port 5061 open; this is the default port for VoIP (SIP) over TLS.
By now we know that they have ‘sip-tls’ on 3 different servers.

An SSL scan:

openssl s_client -connect 185.55.53.173:5061
CONNECTED(00000003)
depth=0 /CN=encrotalk2.encrochat.ch/ST=Panama/C=PA/O=EncroChat S.A./OU=voip
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=encrotalk2.encrochat.ch/ST=Panama/C=PA/O=EncroChat S.A./OU=voip
verify error:num=27:certificate not trusted
verify return:1
depth=0 /CN=encrotalk2.encrochat.ch/ST=Panama/C=PA/O=EncroChat S.A./OU=voip
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=encrotalk2.encrochat.ch/ST=Panama/C=PA/O=EncroChat S.A./OU=voip
i:/CN=EncroChat Root CA/ST=PA/C=PA/emailAddress=support@encrochat.network/O=EncroChat Root CA/OU=Certificate Authority
---
Server certificate
subject=/CN=encrotalk2.encrochat.ch/ST=Panama/C=PA/O=EncroChat S.A./OU=voip
issuer=/CN=EncroChat Root CA/ST=PA/C=PA/emailAddress=support@encrochat.network/O=EncroChat Root CA/OU=Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 1610 bytes and written 726 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : AES256-SHA
Session-ID: 5173BD2DF42BB9852D3B01A6ED8C7C9C9891F41952B02EDE6CA65210D64F1B13
Session-ID-ctx:
Master-Key: B886D52D4EBDEE632A56298D6EE8A7901CE5848E5A43577E7378E5A4CB4FD10EB7D69738F91D70B047620B54F8B5EEF8
Key-Arg : None
Start Time: 1459523645
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---

Now, before going further, we need to analyse the public key of the VoIP server. We’re going to do it by saving the output from OpenSSL.

openssl x509 -in voip.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10 (0xa)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=EncroChat Root CA, ST=PA, C=PA/emailAddress=support@encrochat.network, O=EncroChat Root CA, OU=Certificate Authority
Validity
Not Before: May 14 05:04:40 2015 GMT
Not After : Sep 29 05:04:40 2042 GMT
Subject: CN=encrotalk2.encrochat.ch, ST=Panama, C=PA, O=EncroChat S.A., OU=voip
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (4096 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Signature Algorithm: sha256WithRSAEncryption

That gives us pretty much all the information we need. Now, by examining the SSL certificate, we know the following:

  • The certificate is signed by EncroChat Root CA in Panama.
  • The server supports SSLv3 connections.
  • The certificate was issued on May 14 05:04:40 2015 GMT
  • It will be valid until Sep 29 05:04:40 2042 GMT
  • The certificate is for encrotalk2.encrochat.ch (CN, Common Name)
  • Signature Algorithm is: sha256WithRSAEncryption
  • DH (Diffie-Hellman) ?

Let’s start with SSLv3. The server allows us to use SSLv3. As we know, SSLv3 is unsafe; the problems date to 2014, and the newest variant of the POODLE attack exploits implementation flaws of CBC encryption mode in the TLS 1.0–1.2 protocols. The problem is that this developer knew SSLv3 was unsafe (2014), but the certificate was generated in May 2015.
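
The findings listed above can be extracted from the two OpenSSL outputs rather than read off by eye. The following Python is an added example, not the author's code: it parses the relevant lines from the outputs shown on this page and also computes the certificate lifetime. The names `field` and `audit_handshake` and the `MAX_DAYS` limit of 825 days are assumptions made for the illustration.

```python
import re
from datetime import datetime

# Lines copied from the s_client and x509 -text outputs shown above.
TRANSCRIPT = """\
Protocol : SSLv3
Cipher : AES256-SHA
Verify return code: 21 (unable to verify the first certificate)
Signature Algorithm: sha256WithRSAEncryption
Not Before: May 14 05:04:40 2015 GMT
Not After : Sep 29 05:04:40 2042 GMT
RSA Public Key: (4096 bit)
"""

MAX_DAYS = 825  # assumed policy limit for this example, not from the page

def field(name, text):
    """Value of the first 'name : value' line in OpenSSL text output."""
    m = re.search(rf"^\s*{re.escape(name)}\s*:\s*(.+?)\s*$", text, re.M)
    if m is None:
        raise ValueError(f"field not found: {name}")
    return m.group(1)

def audit_handshake(text):
    """Return (facts, findings) for one endpoint transcript."""
    fmt = "%b %d %H:%M:%S %Y GMT"
    lifetime = (datetime.strptime(field("Not After", text), fmt)
                - datetime.strptime(field("Not Before", text), fmt))
    facts = {
        "protocol": field("Protocol", text),
        "cipher": field("Cipher", text),
        "verify_code": int(field("Verify return code", text).split()[0]),
        "sig_alg": field("Signature Algorithm", text),
        "key_bits": int(re.search(r"\d+", field("RSA Public Key", text)).group()),
        "lifetime_days": lifetime.days,
    }
    findings = []
    if facts["protocol"] in {"SSLv2", "SSLv3"}:
        findings.append(f"negotiated {facts['protocol']}")
    if facts["verify_code"] != 0:
        findings.append(f"chain not verified (code {facts['verify_code']})")
    if facts["lifetime_days"] > MAX_DAYS:
        findings.append(f"lifetime {facts['lifetime_days']} days > {MAX_DAYS}")
    if re.search(r"sha1|md5", facts["sig_alg"], re.I):
        findings.append(f"weak signature hash: {facts['sig_alg']}")
    return facts, findings

if __name__ == "__main__":
    print(audit_handshake(TRANSCRIPT))
```

On the dates shown on this page the validity period comes out at exactly 10000 days.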

Now I’m starting to have a suspicion that they are using some old software and there should be even more involved.

openssl s_client -connect encrotalk2.encrochat.ch:5061 -cipher "EDH"
error setting cipher list

Nope, no EDH/ECDH/etc.

Certificates

My eye caught a ‘sha256WithRSAEncryption’ line while analysing certificates.

So what’s it all about with SHA-256 RSA encryption?
The SHA1 crypto algorithm is weak and getting weaker by the day; the first signs date to 2005. While everybody is moving away from SHA1, EncroChat is using it big time.

We got some information about their certificates, IPs, CAs and protocols; now let’s move on and see which ciphers they support. For this we will be using the Nmap scanner.

nmap --script +ssl-enum-ciphers 124.217.254.93 -p 5061 -Pn
Starting Nmap 6.47 ( http://nmap.org )
Nmap scan report for 124.217.254.93
Host is up (0.37s latency).
PORT STATE SERVICE
5061/tcp open sip-tls
| ssl-enum-ciphers:
| SSLv3:
| ciphers:
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
| TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - broken
| TLS_ECDH_anon_WITH_AES_128_CBC_SHA - broken
| TLS_ECDH_anon_WITH_AES_256_CBC_SHA - broken
| TLS_ECDH_anon_WITH_RC4_128_SHA - broken
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - strong
| compressors:
| NULL
|_ least strength: broken
Nmap done: 1 IP address (1 host up) scanned in 18.80 seconds

Clearly the nmap scan says a lot; there’s no need to prove anything more about weak cryptography being in use.
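
The cipher listing can also be audited mechanically. The following Python is an added example, not the author's code: it parses the suite lines from the scan above, ignores Nmap 6.47's own strong/broken labels, and derives findings from each suite's key exchange, bulk cipher and the protocol it was offered under. The function name `audit_suites` and the wording of the findings are illustrative.

```python
import re

# Suite lines copied from the ssl-enum-ciphers scan above.
SCAN = """\
| SSLv3:
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
| TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - broken
| TLS_ECDH_anon_WITH_AES_128_CBC_SHA - broken
| TLS_ECDH_anon_WITH_AES_256_CBC_SHA - broken
| TLS_ECDH_anon_WITH_RC4_128_SHA - broken
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - strong
"""

PROTO = re.compile(r"^\|\s*(SSLv\d|TLSv[\d.]+):\s*$")
SUITE = re.compile(r"^\|\s*(TLS_(\w+?)_WITH_(\w+?)_(?:SHA\d*|MD5))\s")

def audit_suites(scan):
    """Map 'protocol suite' to findings derived from the suite name."""
    proto, report = None, {}
    for line in scan.splitlines():
        if m := PROTO.match(line):
            proto = m.group(1)
        elif m := SUITE.match(line):
            suite, kx, bulk = m.groups()
            notes = []
            if "anon" in kx:
                notes.append("anonymous key exchange, server not authenticated")
            elif not kx.startswith(("ECDHE", "DHE")):
                notes.append("no ephemeral key exchange, no forward secrecy")
            for weak in ("RC4", "3DES"):
                if weak in bulk:
                    notes.append(f"{weak} bulk cipher")
            if "CBC" in bulk and proto == "SSLv3":
                notes.append("CBC under SSLv3 (POODLE)")
            report[f"{proto} {suite}"] = notes
    return report

if __name__ == "__main__":
    for suite, notes in audit_suites(SCAN).items():
        print(f"{suite:48} {'; '.join(notes)}")
```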

Last words

EncroChat services, including Chat, Mail, PGP and voice, are all using weak encryption, bad DH parameters or even none; this breaks PGP, ZRTP, chat, you name it. Some of the services didn’t even use encryption, as usernames and passwords were transferred in clear text. There is still a lot we didn’t touch; I think we just scratched the surface.

Making a MITM attack or collecting data from EncroChat phones is easy and doesn’t require you to be a rocket scientist.

Regardless of whether you’re laughing with us or at us, we’re just happy that you’re happy.
