Activists Need to Watch Out for Fake Encryption Keys
An attacker could disrupt messages, or in more limited cases, perhaps read email contents.
Being absolutely sure the person you're talking to on the internet is who they say they are has been a pretty constant problem in security. Maybe a hacker took over your recipient's email account, or whipped up a fake identity to lure targets.
Recently, someone created a fake encryption key for a high profile Egyptian activist who works on information security issues. Although this particular case may not be a large threat in itself, it does highlight a broader issue: the problem of authentication among activists online.
"Someone might use the wrong key," Ramy Raoof, the activist in question and senior research technologist at the Egyptian Initiative for Personal Rights (EIPR), told Motherboard in a Twitter direct message. Raoof has worked with Toronto University's Citizen Lab on documenting sophisticated phishing campaigns against NGOs and other targets.
On Wednesday, Raoof announced on Twitter and via email that he had spotted the fake PGP key online. Often, PGP users publish their keys on public servers so others can more easily find them. Raoof's legitimate key is on one of these servers, but at the start of March the fake one appeared.
Curiously, Raoof told Motherboard this key was created on the same day he announced a presentation on hacking operations targeting activists in Egypt.
"Super strange," Raoof said.
The actual threats that emerge from using a fake PGP key vary. In some cases, an individual trying to get in touch with Raoof may use the wrong key, and then Raoof simply won't be able to decrypt the message. But there is another possibility: whoever created the key could decrypt messages encrypted to it, provided the attacker also has access to Raoof's inbox or can otherwise intercept the email.
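The problem described above is that a key server will happily list several keys for the same name and address, and nothing in the listing says which one is genuine. The script below is an added example, not code from Motherboard, Raoof or any key-server project: it parses the machine-readable index format that HKP key servers return (`op=index&options=mr`, one `pub:` line per key followed by `uid:` lines), groups keys by the email address they claim, and flags any key that duplicates an address, that does not match a fingerprint the user has verified out-of-band, that was created only days ago, or that is revoked, expired or disabled. The sample index text, the address `activist@example.org`, the "pinned" fingerprint and the check date are all constructed for the example; the fingerprints are placeholders, not real keys.

```python
"""Screen HKP key-server index output for keys that should not be trusted on sight."""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Constructed sample in the HKP machine-readable index format:
#   pub:<fingerprint>:<algo>:<keylen>:<created>:<expires>:<flags>
#   uid:<url-escaped user id>:<created>:<expires>:<flags>
# Both keys claim the same address; the second appeared on 2017-03-01.
# Fingerprints are placeholders, not real keys.
SAMPLE_INDEX = """\
info:1:2
pub:AAAA111122223333444455556666777788889999:1:4096:1420070400::
uid:Example Activist <activist@example.org>:1420070400::
pub:BBBB111122223333444455556666777788889999:1:2048:1488326400::
uid:Example Activist <activist@example.org>:1488326400::
"""

# Assumed: this fingerprint was confirmed with the owner in person or by voice,
# which is the only thing that actually authenticates a key.
PINNED = {"activist@example.org": "AAAA111122223333444455556666777788889999"}

# Assumed date on which the index was fetched (constructed for the example).
CHECK_TIME = datetime(2017, 3, 8, tzinfo=timezone.utc)

EMAIL_RE = re.compile(r"<([^>]+)>")


def parse_index(text):
    """Parse HKP machine-readable index lines into a list of key dicts."""
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) >= 7:
            created = fields[4]
            keys.append({
                "fingerprint": fields[1].upper(),
                "algo": fields[2],
                "bits": int(fields[3] or 0),
                "created": (datetime.fromtimestamp(int(created), tz=timezone.utc)
                            if created else None),
                "flags": fields[6],
                "uids": [],
            })
        elif fields[0] == "uid" and keys:
            # uid strings are URL-escaped in the mr format
            keys[-1]["uids"].append(unquote(fields[1]))
    return keys


def emails_of(key):
    """Lower-cased email addresses claimed by a key's user ids."""
    return {m.group(1).lower() for uid in key["uids"] for m in EMAIL_RE.finditer(uid)}


def screen(keys, pinned, now, recent_days=30):
    """Return {fingerprint: [reasons]} for every key that deserves a second look."""
    by_email = {}
    for key in keys:
        for email in emails_of(key):
            by_email.setdefault(email, []).append(key["fingerprint"])

    findings = {}
    for key in keys:
        fp = key["fingerprint"]
        reasons = []
        for email in sorted(emails_of(key)):
            if len(by_email[email]) > 1:
                reasons.append(f"{len(by_email[email])} keys claim {email}")
            if email in pinned and pinned[email].upper() != fp:
                reasons.append(f"fingerprint does not match the one verified out-of-band for {email}")
        if key["created"] is not None and now - key["created"] < timedelta(days=recent_days):
            reasons.append(f"created {(now - key['created']).days} days ago")
        for flag, meaning in (("r", "revoked"), ("e", "expired"), ("d", "disabled")):
            if flag in key["flags"]:
                reasons.append(meaning)
        if reasons:
            findings[fp] = reasons
    return findings


def demo():
    """Run the screen over the constructed sample index."""
    return screen(parse_index(SAMPLE_INDEX), PINNED, CHECK_TIME)


if __name__ == "__main__":
    for fingerprint, reasons in demo().items():
        print(fingerprint)
        for reason in reasons:
            print("  -", reason)
```

On the sample, the newer key is reported for three reasons (a second key for the address, a fingerprint mismatch against the pinned value, and a creation date seven days before the check), while the genuine key is listed only because another key now claims its address. The useful output is the mismatch: a key server listing, a matching name, or even a matching email address proves nothing, and only a fingerprint confirmed with the person directly does.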
"Coupled with a sustained campaign of phishing attacks, generating fake PGP keys for well-known activists like Ramy could be an effective way to read into the first encrypted contact that the victims might attempt to make," Claudio Guarnieri, a technologist at Amnesty International, told Motherboard in an online chat.
This of course isn't the first time fake PGP keys have popped up. Last year, a wave of spoofed keys flooded public servers, although these weren't part of a targeted attack; the keys had seemingly been taken from a 2014 research project into implementation issues with PGP.
There's a chance the fake Raoof key is also more of a random act than a deliberate targeted campaign. But it's still a good reminder of how careful activists need to be online.