Why We Should Talk About The Operation Carwash Messages
On 9 June 2019, The Intercept published excerpts allegedly taken from 650,000 Telegram messages obtained from the account of Sérgio Moro, Brazil’s Minister of Justice and Public Security. Moro rose to prominence as the no-nonsense judge assigned to Operation Carwash—the bribery and corruption investigation that saw former President Luiz Inácio Lula da Silva convicted and imprisoned for money laundering and passive corruption.
Download NOW our Free Whitepaper
The alleged messages between then-presiding Judge Moro and lead prosecutor Deltan Dallagnol painted a picture of secret meetings with prosecutors and fellow Supreme Court judges, colluding with prosecutors to ensure Lula’s conviction, and even called into question the case’s evidence. In testimony before the Federal Senate’s Constitution and Justice Committee, Moro stated the messages were an “act of revenge” and “partially or completely altered.”
The operational security and national security implications of this case go far beyond judicial ethics and possible damage to Moro’s credibility and his political career.
- Brazil’s Federal Police Department, which oversees counterintelligence investigations, is part of the Ministry of Justice and Public Security.
- Minister of Justice and Public Security is a cabinet-level position, making this one of the most high-profile messaging account hacks to-date.
- As its minister, Moro has access to highly sensitive and classified information.
It Started with a Voicemail Hack
According to ZDNet, hackers exploited the same voicemail hack previously used to hijack Israeli WhatsApp accounts in 2018.
The attackers request a code from Telegram, which is intended to help users add their accounts to a new device. This is standard usability feature for consumer messaging apps. The bad actor then spoofs their target’s phone number and retrieves the code from their voicemail.
Voicemail hacks are old hat. News of the World, a now-defunct British tabloid, infamously used these back in 2005. The basic principle is shockingly simple. An attacker dials your wireless number or spoofs it, correctly guesses your PIN code, and gains access to your voicemails.
We don’t know how this happened – whether the attackers guessed Moro’s PIN, had access to insider information, stole his wallet – the opportunities for potential data protection and privacy breach are endless.
What we do know is that most of us have lousy PIN code habits. We use easy to remember combinations like “123456” or publicly available information like our birthdays or anniversary. When we choose strong PINs, we write them down on sticky notes and carry them in our wallets—prime targets for pickpockets—or we change them to something that we can actually remember. When we don’t take data encryption seriously, we make ourselves easy targets.
In other words, we make ourselves vulnerable to a breach of our personal data
Keep in mind that any online account is only as secure as the weakest password on your reset account. If you secure your email account with a FIDO2 key but allow a voicemail reset code, that pin code is the weak link.
Maybe Moro picked the wrong pin. Perhaps he followed best practices. We will most likely never know.
Regardless, Telegram’s easy-to-use phone swap feature and Moro’s voicemail security aren’t the most significant problems.
The real problem is how we, as consumers, perceive these products as safe despite our often-lacking understanding of their security features and options. Take, for example, WhatsApp encryption.
Consumer Messaging Apps and Personal, Operational, and National Security
For the average consumer, encrypted messaging apps WhatsApp and Telegram are both safe options for communicating with friends and family. However, despite WhatsApp’s default end-to-end encryption and Telegram’s optional encryption for one-to-one chats, these free apps are not intended for use with highly sensitive information. For confidential information, a specially designed encrypted messenger is more suitable.
In Telegram’s FAQs, they actually advise anyone concerned about their personal security to use Secret Chats, an encrypted chat that’s only available for one-to-one conversations, with a self-destruct timer. Users should also enable two-factor verification and set a strong password. They also mention that they “cannot protect you from your own mother, or IT department” – or anyone else with physical access to your device. Data encryption is only as secure as your device is.
The question is, given Telegram’s recommendation, why was Moro exchanging messages with a prosecutor on 7 December 2015 that weren’t end-to-end encrypted when his chosen app offered optional end-to-end encryption for one-to-one messages in 2013? Was he not concerned about a potential data protection breach? Or maybe he assumed data encryption wasn’t necessary?
Maybe he logically assumed all his messages were protected. After all, these apps advertise that they are private, secure, and encrypted. Given their security-centered marketing approach, which includes using highly technical terms like end-to-end data encryption in their literature – such as ‘WhatsApp encryption’, would a reasonable person think they need to enable end-to-end data encryption on a per-conversation basis? Probably not.
However, there’s a bigger question.
Should high-risk personnel like judges involved in high-profile cases, intelligence analysts, diplomats, and senior officials use consumer messaging apps?
Given the WhatsApp-Pegasus issue we saw earlier this year, multiple hacks into Telegram accounts belonging to activists in Iran and Russia, Moro’s case, and the highly publicized incident involving former Puerto Rico Governor Ricardo Rosselló, we believe these apps pose an increasing threat to the personal security of these individuals through their data encryption issues, metadata collection and location sharing capabilities. If they’re used for sensitive or classified information, they may also be a threat to both operational and national security.
A Hypothetical Scenario
It’s three in the morning. Matt, a senior official, is sending explicit messages to a sex worker and schedules a “date.” It’s not their first. In public, Matt is a devoted husband and father of three. He’s a pillar of the community and well-known for his conservative family values.
A foreign power finds him via the messaging app’s contact search function. They hijack his account.
With messages and questionable photos in hand, they discretely approach Matt and threaten to publish everything unless he shares classified information. He does.
This is the modern version of a 1950s-style honey trap. It all started with sensitive personal information shared via a consumer messaging app. The blackmail material is not even classified.
Start a Conversation
At Adeya, we firmly believe that consumer messaging apps do not belong in the workplace. They lack the end-to-end and at-rest data encryption, audit trails, logs, and controls required by most enterprises, industry regulators, and governments.
As the WhatsApp-Pegasus incident and now Moro’s case illustrate, consumer messaging apps are not safe for high-profile or high-risk individuals, including cabinet ministers and human rights activists. Yet, French Prime Minister Édouard Philippe and French President Emmanuel Macron both openly use consumer messaging apps, WhatsApp and Telegram respectively. They’re in good company. Officials in the UK, the US, and Australia all use consumer messaging apps, and rely on things like WhatsApp encryption, in the workplace.
It’s time for security and IT professionals to start talking about the risks associated with consumer messaging apps. Instead of discussing encryption protocols and the differences between end-to-end and at-rest data encryption, we need to have a frank talk with end-users about Paul Manafort, Ricardo Rosselló, and Sérgio Moro.
Keep the narrative simple.
Paul Manafort exchanged sensitive information over WhatsApp. Prosecutors used his messages as evidence during his trial. He’s now serving seven and a half years in prison.
Ricardo Rosselló and members of his administration used a Telegram group chat for what he called “locker room” talk. When his constituents learned that their leaders had made distasteful jokes about overflowing morgues after a hurricane, protestors drove him out of office. He resigned in disgrace.
Sérgio Moro’s chat with a prosecutor hurt his reputation. It does not matter whether or not the messages were substantially altered. Their existence calls into question his greatest judicial achievement. Although he remains in office, Operation Car Wash’s prosecutors now argue Lula should be released from prison.
If during these talks someone mentions their project team uses WhatsApp, Telegram, or another unapproved messaging app at work, give us a call. We’ll help you transition your workplace from uncontrollable shadow IT to a secure communications and collaborations platform, approved for use in your unique security environment.
To find out more about national security issues and consumer messaging apps in compliance with data protection, download our free whitepaper: The CLOUD Backdoor to National Secrets and Other Sensitive Data.