The Berlin police fail to crack the mobile phone and laptop of a neo-Nazi. This is stated in the final report of the investigation team on arson and spraying in the Neukölln district. Federal authorities and companies have also chipped their teeth at the devices.
The investigation of a right-wing series of attacks in Berlin is made considerably more difficult by the encryption of devices that the police confiscated from suspects. This is stated in the final report of the “Fokus” investigation team. Accordingly, the police have asked several official and private agencies for help with decryption, each time unsuccessfully. The classified report has 72 pages, in a much shorter open version the explanations on digital forensics are missing. There is only a footnote stating that “work continues on the decryption of two encrypted devices of a suspect”.
For several years left-wing activists and projects in the Berlin district of Neukölln have been plagued by arson and spraying, while three members of the right-wing scene known to the police are suspected. Because the police were slow in investigating, Senator of the Interior Andreas Geisel (SPD) set up the “Fokus” investigation team over a year ago. “Independent” police officers were supposed to check the work of their colleagues. However, there is still no new evidence against the three main suspects Sebastian T., Tilo P. and Julian B. after the end of the new investigation.
“Using the greatest power reserves for password calculations”
During a house raid of Sebastian T. two years ago, the police confiscated a mobile phone and a laptop. The Haier brand phone was secured with a boot pin, details of the type of encryption used on the Samsung computer are blackened in the classified report.
First the Berlin State Office of Criminal Investigation had tried to decipher it. The Department 71 “Forensic Information and Communication Technology”, which is specialised in mobile forensics, is responsible for securing, examining and evaluating digital traces. After the department was unsuccessful “despite using the greatest power reserves for password calculations”, the investigators sent the devices to the Federal Criminal Police Office (BKA) in May 2018 with the request for support. For this purpose, the LKA had agreed a deadline for the “decryption attempt” with the public prosecutor’s office, which ended in March 2019. Then the BKA also returned the devices without accomplishing anything.
Subsequently, the telephone and laptop were handed over to a “company specialising in decryption”, whose name is also blackened. This is presumably not a service provider, but a manufacturer of corresponding technology. The text goes on to say that “software solutions” from this manufacturer are also used by other companies. Only a few weeks later, however, the unknown firm also had to inform the LKA that “it was not possible to decrypt this type of encryption”.
It is not clear which company tried to work on the devices, but the best known supplier in this field is the Israeli company Cellebrite, which also sells digital forensics applications to many German police authorities.
“Dictionary file” for brute force attack
Once again, the investigators turned to a federal authority. In Berlin it was “officially known” that the Central Office for Information Technology in the Security Sector (ZITiS), which was founded in 2017 and is located at the Federal Ministry of the Interior, has “the latest and most powerful technology” for breaking encryption.
In June 2019, Berlin officials therefore handed over the original mobile phone to the ZITiS in Munich. The laptop’s data had already been digitally transmitted to the ZITiS as hash data at the end of May, i.e. during the ongoing investigation by the decryption company.
The report of the ZITiS investigation team describes how the devices were to be decrypted with a brute force attack, i.e. the mass testing of passwords. But first, ZITiS had tried to analyse the firmware by means of reverse engineering.
For attacks with a high-performance computer, the LKA created a “dictionary file” with possible components of the passwords and sent it to ZITiS. It is based on unencrypted, confiscated evidence belonging to suspect T., including three mobile phones, SIM cards, various storage media and hard drives and other devices. After a later search, another mobile phone and a CD were added.
Six days for four digits
In October, the hacker authorities finally reported a “partial success” for the suspect’s telephone: they had managed to defeat a trial installation of “the same type of encryption” with a four-letter password. According to the report, however, it took the computer six days to do the job. The passwords for the mobile phone and laptop must have been more complex, because six months later, in April 2020, ZITiS stopped its efforts. Decryption was considered “very unlikely in the foreseeable future”.
The LKA had in the meantime heard about the recently established “decryption platform” at the EU police agency Europol. The department specialises in decrypting devices and also intends to use supercomputers for this purpose. However, a “request for support” by LKA Department 71 was answered in the negative, Europol therefore has less technical resources than the German ZITiS.
However, the Berlin investigators do not want to give up. In consultation with the public prosecutor’s office, the LKA contacted a body which was blacked out in the report and which is probably an authority. It is conceivable that it is located abroad.
One of the governmental specialists in cracking encrypted mobile phones is the U.S. Federal Bureau of Investigation (FBI), which has already been asked for assistance in foreign murder investigations. So it cannot be ruled out that the police will eventually obtain further evidence to bring the neo-Nazis to justice in Berlin-Neukölln.