Tech

Customer Data From Encrypted Phone Company Ciphr Has Been Dumped Online

The industry for so-called encrypted or secure phones is a lively one. Several firms sell custom BlackBerry or Android devices that may come pre-loaded with tools such as PGP email for sending messages, and some of these companies’ products have allegedly been used by organized crime.

But it’s also a competitive market. Customer data from one company, including email addresses and unique IMEI numbers from users’ phones, is now available online for anyone to dig into, and Ciphr, the victim company, claims the data dump was the work of a competitor.

Videos by VICE

“All Ciphr emails/servers have been compromised. Below is a list of some examples,” the site showcasing the data reads. Visitors can also use a search box to filter through the emails and IMEIs.

Ciphr offers encrypted email, text messages, and secure storage for BlackBerry 10 and Samsung Knox devices; Knox being Samsung’s security platform. Communications are routed through Ciphr’s own servers.

Two sources with Ciphr devices told Motherboard their data was included on the website, and the second source said the data contained details for other Ciphr users they knew. One of the sources also provided an alleged message from Ciphr sent to victims.

“We are contacting you today to inform you about a recent attempt to discredit the security of the Ciphr system,” the message reads. Ciphr claims almost all of the posted user details were for expired accounts but included a small list of active ones, and said the event was “NOT a security breach.” Ciphr says the content of users’ messages has not been affected.

Regardless of phrasing, in the alleged message Ciphr points to a rival company, claiming it was behind the publication of the customer data.

“Our rapid growth has caught the attention of competitors seeking to slow us down by way of slander, blocking and DDOS [distributed denial of service attacks],” it reads. Ciphr points specifically to SkySecure, the firm behind SkyECC, which makes similar, custom BlackBerry devices.

“We were shocked that any company in this industry would release information to the public under any circumstance,” the message reads, and adds that Ciphr will issue replacement phones to victims.

A spokesperson for SkySecure denied the company had any involvement in the data dump.

“We had nothing to do with this malicious attack on Ciphr,” the spokesperson said. “Our sympathies [go] out to Ciphr and we hope they can close any security exposures quickly.” Ciphr did not respond to a request for comment.

Read more: Russian Hackers ‘Fancy Bear’ Targeted French Presidential Candidate Macron

Other secure phone companies have responded to the incident too. PGPSure described it as “fake news,” writing in a blog post, “We guarantee that this again is a dirty game of SkySecure.”

Some companies that provide secure phones have been targeted by law enforcement. Last year Dutch and Canadian investigators took down one called Ennetcom, and have allegedly decrypted a large number of user messages. Dutch authorities said organised crime groups, such as those allegedly involved in assassinations, armed robbery, and drug trafficking were using Ennetcom devices.

The website hosting the Ciphr data spells out what law enforcement agencies might be able to do with the customer information. “Police can retrieve the IMEI/MEID of an associated Ciphr email […] Using the IMEI/MEID police can triangulate the location of the device via cellular network towers […] Using this information it is possible to geolocate the device’s exact location and history,” the website reads.

As for one of the Ciphr users, they just want more information. “People spent a lot of money on these devices and we have a right to know,” one told Motherboard.

Update: This piece has been updated to include comment from SkySecure.

Subscribe to Science Solved It, Motherboard’s new show about the greatest mysteries that were solved by science.