Brief of EPS
At the end of 2019, Elektroprivreda Srbije (EPS) acquired encryption programs with the highest level of protection for 20 mobile phones and paid 227,000 euros, or 26.7 million dinars, for them. This is shown by the tender documents and contracts that BIRN had access to.
The contract to supply the encrypted phones was won by two companies previously little known to the public, but with significant business in the field of security – IntellSec and Orbita Technologies.
In a June 2 article on the French portal Intelligence Online, IntellSec is mentioned as a company through which the Western espionage industry enters the market of the Western Balkans.
Citing the contract on commercial secrecy, EPS refused to tell BIRN the reason for this acquisition or who is using the equipment. In a letter dated October 1, 2021, they confirmed that the procurement was carried out without any changes.
BIRN sent a request for information to EPS in mid-September and filed a complaint with the Commissioner on October 5, asking that the requested data be provided.
Experts interviewed by BIRN say that the equipment acquired by EPS is impenetrable and far more sophisticated than, for example, the Sky application used by members of the Veljko Belivuk clan.
This is supported by the price, which is almost five times higher – the most powerful version of Sky ECC is worth 2,200 euros, while the equipment purchased by EPS exceeds 10,000 euros per encrypted phone.
Experts add that the encryption is done in such a way that it is practically impossible to intercept communication between these 20 encrypted phones.
Who uses encrypted phones?
Lawyer Rodoljub Šabić, former Commissioner for Information of Public Importance, tells BIRN that in this particular case, the encrypted phones and software for EPS were paid for with public money “and in a very large amount, for the purpose of communication regarding the performance of work in the public interest”.
“In that context, the protection of privacy cannot possibly be the reason for this type of acquisition,” says Šabić, stating that “it would be useful to hear who, if not by name, then at least by function” the people are who “charged” these encrypted phones.
“If possible, the situation where the resources of public companies are made available to people from other authorities or even political parties should be ruled out,” concludes Šabić.
The issue of using this type of technology became topical after it was learned that Veljko Belivuk’s criminal group used the Sky application.
This is why the Minister of the Interior, Aleksandar Vulin, threatened in March of this year that he would seek a ban on Sky and similar encrypted phones. “You simply cannot explain why you need it. Who are you hiding from and what are you hiding?” Vulin said then.
“The system should be such that even the system administrator cannot hear the voice in a clear (non-encrypted) form”, the description reads, noting that data should be automatically deleted after each conversation. Calls between mobile phones in the system must be encrypted from one end to the other.
“Strong mutual authentication between correspondents at the beginning of establishing a connection between mobile phones” is required. This practically means that before the connection is established, the phones would “exchange passwords”, i.e. keys based on which they would be recognized. “The system should generate a new key for each session”.
The encrypted phone for EPS is expected to have the ability to “lock the screen with strong authentication, better than that provided by mobile phone manufacturers”.
“In the event of the disappearance of a mobile phone that is in this system, it should be possible for the administrator to send a command to remotely safely erase the contents of the phone,” the document states.
EPS required that “the system should support connection to the Internet through a proxy server in order to protect against malicious websites and malicious software”, that it be easy to use, and that users not have to change their communication habits.
The winning firms were required to provide installation, three levels of technical support, and training for system administrators and end users.
The competition documentation states that encryption is performed on Samsung Galaxy phone models not older than 2017.
When asked if these encrypted devices are physically different from ordinary phones, Igor Franc, an expert in digital security, says that “the phone can be exactly the same.”
“I even think that it is intended here to use devices that are already in the possession of the user”.
He claims that encryption is only intended for devices with a SIM card, which in this case are phones and the Samsung Galaxy S4 tablet. This means that encryption does not apply to computers and laptops.
Although BIRN did not get an insight into the specific software used to lock the communication, experts from the company Data Solutions say that at first glance it is Thales’ CryptoSmart.
“The price is high because it is a program that requires permission from the French government and NATO. It is very possible that the hardware component itself as a base costs a lot, and that the phone number plays a smaller financial role”, says the company Data Solutions.
“Parallel security structure in EPS”
Pavle Grbović, president of the Movement of Free Citizens, stated at a press conference held on Monday, October 25, that in 2016 a parallel security structure was formed in the Electric Power Company of Serbia.
He said that monitoring equipment worth two million euros was purchased at the time and that 25 people from civil and military security services were employed.
Grbović said that in 2016, the Internal Control Sector was established in the EPS, whose members monitored dissidents, the opposition, and for two years the father of the President of Serbia, Anđelko Vučić.
Elektroprivreda Srbije assessed these allegations as “completely senseless and notorious lies”. They stated that the internal control service was formed and that it is “successfully working to detect various thefts and abuses within the EPS”.
Work with companies specializing in spy technology
The contract for the purchase of 20 encrypted telephones was signed on behalf of EPS by Milorad Grčić, a member of SNS and president of the Obrenovac Municipal Board. He was made acting director of EPS in March 2016 and is still in that position today, although the Law on Public Enterprises does not allow anyone to serve as acting director for more than a year.
The tender received two offers, and the one submitted by IntellSec and Orbita Technologies AD was rated better. The second offer was submitted by QMS.
For four years now, IntellSec has been operating with special security equipment for state security institutions and is a partner of several foreign surveillance companies.
On the specialized intelligence site Intelligence Online, it is stated that the company was founded in 2017 by Milan Blagojević, an expert in intelligence systems.
IntellSec is registered in the Register of persons authorized to carry out the export and import of weapons and military equipment. It is a partner of the German companies Belkasoft and WillBurt and the British company Hiddentec, and is interested in the Israeli anti-drone technology D-Fend Solutions, the Intelligence Online portal reports.
On its website, IntellSec says that it deals with lawful interception, geolocation, secret monitoring, recording of officers and more. For the purposes of digital forensics, it uses devices from the Israeli company Cellebrite, and offers phone decryption services to legal entities.
Another participant in the procurement is Orbita Technologies, for which this is the first and only victory in a tender.
Orbita, founded in the same year as IntellSec, is engaged in programming, according to data from the Agency for Economic Registers. They do not have an official website, so it is not known exactly what they offer, nor who their clients are.
At the Novi Beograd headquarters, building security had not heard of the company on the third floor. However, the inscription on the door of the apartment shows that the company actually exists.
The branch in Čačak is headed by Žarko Zagorac, once a technical advisor at Krupnik, which is one of the largest arms exporters. Neighbors whom we found on the ground floor of the building where the Čačak branch is located say that “no one either enters or leaves that bar”.
The winners of the tender refused to tell us who the end users of the encrypted phones in EPS are. “Everything I can say is publicly available,” says Milan Blagojević, owner of IntellSec. Orbita did not respond to our emails.
Lucrative jobs: From rosehip tea to selling weapons
Milan Blagojević, the owner of IntellSec, previously worked at Crony, Vizus and Roaming Electronics – the latter is owned by Nenad Kovač, better known in the media as Neša “Roaming”.
Blagojević worked at Crony from 2014 to 2017, where he was in charge of information security, according to his LinkedIn profile. The Crony company's website states that it offers defense and security equipment to the MUP, as well as to the military intelligence services – VBA, VOA.
The company Vizus, where Blagojević was a technical advisor, deals in non-specialized wholesale trade – from the resale of rosehip teas, through work uniforms, to equipment for digital forensics.
In the other company that won a job with EPS, Orbita Technologies, a 27 percent share is owned by a company owned by Milan Simović, who is also the owner of Krupnik and Krupnik International DOO, which are known for selling weapons and close cooperation with Krušik.
In 2015 and 2016, Krupnik entered the list of top 10 arms exporters, and in the following years signed contracts with Krušik on the sale of weapons to Saudi Arabia.
Experts: A clue remains, the police should have access to the key
Igor Franc, an expert in digital security and founder of the E-security association, tells BIRN that the software acquired by EPS has additional functionalities compared to some other encryption systems, such as Sky ECC.
“None of the data is stored on the phone. If someone downloads something from the Internet, as soon as they open it, it is automatically deleted after that. Nothing can be installed that is not explicitly specified, so you can create a whitelist of allowed apps and only those can be installed by the user.”
Franc claims that the encryption key is always with the company that produced the software.
“It is assumed that no one except possibly the manufacturer has access to the security software, the so-called ‘back door’, and only in the case of a police investigation does that door open.”
Dragan Simić from the company Cyber Security&Defence represents the side of privacy protection and says that systems and communication in public companies must be secured against intrusion, deletion of data, disconnection and abuse.
“I cannot know whether these resources will be used in the intended way or in some other way, and it would not be correct for me to claim something like that. Again, that possibility should not be ruled out.”
Simić adds that the police could retrieve the correspondence in the case of an investigation, because the software itself monitors it.
“The key is outside the device and is formed by the software itself, both in the outgoing code and in the incoming code. So there remains a written trace. The system is designed so that someone from the outside does not get in, but whoever has the key also has all the archives – logins, communication directions with exact user data and times and dates,” says Simić, who assumes that the police would have access to the key in the event of an investigation.
This article is syndicated automatically through a third-party agency from ForexIndustry.com.
To view the original article at ForexIndustry.com, you can visit https://www.forexindustry.com/2023/03/05/encrypted-phones-for-eps/.