Dhaka ISIS Cell COMSEC

If you guessed “mobile messenger” you win

Jihadi Promotion of Threema

The Times of India has revealed which messenger was used by the Dhaka attackers to communicate with, and send photos too, ISIS Central from inside the cafe – Threema. Threema is an interesting choice for terrorists because it is a paid app (on both Google Play Store and Apple App Store, although my money is on the attackers using Android devices.) Pirated copies of Threema are available on jihadi forums (along with instructions for side load installation), but installing random software off a web forum is a risky route to establishing a secure comms link.

The use of an encrypted messenger from inside the siege was not operationally critical. Once the cell got inside the cafe, the operation was a terrorist success. The benefit the messenger provided was giving ISIS media centers “exclusive” images of the carnage. These allowed ISIS to demonstrate a strong claim to the attack and promote their brand. The messenger app was maybe useful from a “terrorism as messaging” POV, but not necessarily critical for “terrorism as harming people.”

One strong possibility for this ISIS cell using Threema is that Bangladesh has been blocking social media and messengers for months. Threema is one of the remaining options that still works. Keep in mind that encryption was not an important criteria for the terrorists inside the cafe, Facebook or Twitter would have been just as capable of transmitting images to ISIS Central.

Why Threema?

Threema has anonymous user accounts and end to end encryption, but it is not exactly ideal for clandestine operatives facing a nation state adversary.

  • Threema is a paid app (although jihadi sources offer pirated versions). For a clandestine operative the options are either: install random pirated software off the Internet, or establish a linked trail to a Google Play Store account (and thus all the data that Google collects off Android devices.) A third option is to pay for Threema via Bitcoin at shop.threema.ch, although I’m not aware of any jihadi sources recommending this route.
  • User accounts are not linked to telephone numbers (unlike: Telegram, WhatsApp, Signal, LINE, and others). Anonymous accounts are a great feature (both LINE and Telegram allow connecting users anonymously, but still require a telephone number for an account.)
  • The end to end encryption is roughly analogous to the security model of PGP. Each user has a public/private key pair, and messages between users are encrypted with the corresponding public key.
  • There is no forward security (which means if the private key for a user is acquired by the adversary, they will be able to decrypt all of the messages sent to that user.)
  • There is no message auto-destruct timer. Old messages are kept around forever. This is great if you want to know what you said 6 months ago, but not great if you do not want someone else to know.

These things make Threema a bit of a mixed bag as a secure messenger. The encryption is certainly solid (as long as the keys are never compromised), and the users are anonymous (except to Threema GmbH), but the messages hang around forever (pros and cons.) For a terrorist, the problems with Threema would seem to out weight the benefits it offers. For everyone else, it is probably fine.

Jihadis Endorse Threema

There are plenty of sources for finding pirated copies of Threema specifically intended for jihadis. Here is one example:

It includes a guide to how to purchase Threema via the Google Play Store, but for the jihadi with a larger risk appetite (and no money or sense), there’s also a link to download a pirated version.

EFF Secure Messenger Scorecard: Not Entirely Useless

One of the most amusing things about Threema is that it is highly recommended by the old (defunct) EFF Secure Messenger Scorecard. A ranking which seemed to play an important role in the jihadi endorsement.

Basically none of these things matter when planning secure communications protocol

Anything that drives self identified militants towards outing themselves or installing malware is fine by me.

But, Why Threema?

Although personal preference very likely played a significant role in which messaging app the Dhaka cell chose, there is another important consideration. Bangladesh has been blocking numerous messaging apps for over a year. Except, for technical reasons, they have been unable to block Threema.

Banning Internet Services

For over a year Bangladesh has been battling encrypted messengers (as well as social media platforms) by ordering ISPs to block them. The list of blocked messenger services is quite long, although it doesn’t seem to include the old ISIS favourite – Telegram.

In general it seems that the bans have been inspired by both an attempt to censor information, as well as some desire to prevent terrorists using encrypted communications tools. The attempts at censorship have, as usual, been only partially successful. The attempt to prevent terrorists from using encrypted messengers has been, quite predictably, a total failure.

The Internet can provide a route around most censorship, if you try hard enough

Bangladesh Blocks…

There are articles about Bangladesh blocking social media and messenger apps going back to at least January 2015. We’ll start with the more recent blocks.

November 18, 2015.

Facebook, WhatsApp, Viber are blocked. Source. Source. The public reacts to the ban by teaching each other how to circumvent the blocks using proxies and VPNs. Similar to the public response when Turkey attempted to block Twitter in 2014 and 2015. The same response was prompted by Thailand’s attempt to censor YouTube in 2006 (and again in 2007.)

November 24, 2015.

Facebook Messenger, LINE, and Tango are also blocked. Source.

December 10, 2015.

Facebook is unblocked. Facebook Messenger remains blocked.

December 13, 2015.

Twitter, Skype, imo (a communications app) ordered blocked. Source.

May 20, 2016.

Wickr and Threema ordered blocked by the Bangladesh intelligence services. Source.

The BTRC chairman said even though they have ordered the blocking of Threema and Wickr but the technology of the IIG operating in Bangladesh was unable to block one of the messengers. He did not mention which one.

Due to technical limitations only one of them is actually blocked. It seems safe to assume that Threema remained functional.

Does Banning Encryption Stop Terrorists?

The conclusion that can be drawn from this is that terrorists are highly motivated to establish a secure communications channel. Attempts to limit the access of the general population to encrypted messengers don’t provide sufficient obstacles to hinder terrorists.

Blocking access to popular Internet service will cause the general population to learn how to evade those technical counter measures or to seek out alternatives. This has happened in, for example, Thailand, Brazil, Turkey and in Bangladesh.