UK spookhaus GCHQ can crack end-to-end encryption, claims Australian A-G

Antipodean not-backdoors plan will mirror UK Investigatory Powers Act, ensure law of land trumps laws of mathematics


British signals intelligence agency Government Communications Headquarters (GCHQ) can crack end-to-end encrypted messages sent using WhatsApp and Signal, according to Australian attorney-general George Brandis.

Brandis made the claim speaking to the Australian Broadcasting Corporation's AM program, on the occasion of Australia announcing it would adopt laws mirroring the UK's Investigatory Powers Act. Brandis said the proposed law will place “an obligation on device manufacturers and service providers to provide appropriate assistance to intelligence and law enforcement on a warranted basis where it is necessary to interdict or in the case of a crime that may have been committed.”

Asked how Australia's proposed regime would allow local authorities to read messages sent with either WhatsApp or Signal, Brandis said “Last Wednesday I met with the chief cryptographer at GCHQ ... And he assured me that this was feasible.”

Brandis is infamous for being unable to articulate an accurate or comprehensible definition of “metadata” when asked to do so during a live television interview, so his understanding of cryptographic concerns cannot be trusted without qualification, which The Register is seeking.

But there's no doubt about the intent of Australia's proposed laws, as Brandis later said in a joint appearance with prime minister Malcolm Turnbull that Australia's law enforcement agencies want access to encrypted traffic for three reasons.

The first is that Brandis says Australia already has mechanisms to allow law enforcement authorities to intercept electronic communications. Extending that power to encrypted traffic just brings that power up to date, he argues.

The second is that the Australian Federal Police says it has seen “rapid growth in the amount of encrypted traffic from around three per cent a couple of years ago to now over 55, 60 per cent of all traffic.”

Lastly, Turnbull said that while encrypted messaging services are used by ordinary citizens, they are also used “ … by people who seek to do us harm. They're being used by terrorists, they're being used by drug traffickers, they're being used by paedophile rings.”

Bad people using encryption means the law needs to be modernised, with a definitely-not-a-backdoor that sees device makers and service providers co-operate with Australia in as-yet-unspecified ways to provide access to end-to-end encrypted messages when warrants are produced.

Pushed on how encrypted messages could be read when service providers don't hold the keys necessary for decryption, Turnbull had this to say:

Well, the laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable but the only laws that applies in Australia is the law of Australia.

Your Sydney-based correspondent looks forward to an attempt at repealing gravity so we can see if the laws of Australia override the laws of physics, too.

But we digress.

Brandis and Turnbull said the law will reach Parliament “in the Spring sessions” which commence on August 8th. Just what it will compel device-makers and service providers to do has not been revealed, nor has how Australia will access messages sent using services based offshore. Turnbull said “I'm not suggesting this is not without some difficulty” but hinted that in discussions at last week's G20 Leaders' Summit the participants agreed that member nations should be able to rely on colleagues to sort things out with companies resident in their respective jurisdictions. ®

