Brussels and a run of European governments, France loud among them, have spent the past few years treating strong encryption as a problem to be solved.
The argument behind proposals like Chat Control is that the state needs a way to scan private messages to keep people safe and that it can be trusted to hold that kind of access without abusing it or losing control of it.
But France just handed that argument an awkward rebuttal. Tchap, the messenger the French government built for its own civil servants, got breached.
France’s National Cybersecurity Agency, ANSSI, detected the compromise on June 7, and DINUM, the digital affairs directorate that runs the platform, blocked the account involved and published an incident notice.
The intrusion broke neither the encryption nor the servers. Someone hijacked a legitimate user account, which is all an attacker needs when any one credential is a key to the same building.
That detail is the part the backdoor crowd keeps refusing to absorb. The encryption on Tchap did its job. DINUM says private conversations stay end-to-end encrypted even when an account is impersonated and that the attacker could reach only the unencrypted public chat rooms any authenticated user is able to find.
Security researchers were quick to note what that reassurance skips over. An attacker wearing a real user’s identity can see whatever that account sees in the moment, private rooms included.
A government backdoor is exactly that: an access path bolted on beside working encryption, and France just demonstrated it cannot keep one of those paths shut for a single weekend.
DINUM has notified CNIL, the French data protection regulator, because personal information may have surfaced in whatever the attacker viewed. The directorate described its handling of the intrusion in a press release.
“At this stage, the account originating the malicious requests has been identified. It was immediately blocked to remove the attacker’s persistent access and allow for a thorough analysis of the data they were able to access. The investigation continues, including the study of event logs, to identify the conversations that the attacker was able to access and the nature of the exfiltrated data,” DINUM said.
The directorate also pushed responsibility back toward its own users, reminding them where the safe lines were supposed to be.
“A message has been sent to all Tchap users reminding them that a public chat room can be found and joined by any user and that its content is not encrypted. In accordance with Tchap’s terms of service, no personal, sensitive, or confidential information should be exchanged in public chat rooms: such exchanges should be reserved for private chat rooms.”