The French website Mediapart reports that at the European Parliament in Strasbourg, a technically skilled person managed to intercept the email traffic of 14 Members of the European Parliament and their staffers using trivial tools. (The original article is behind a paywall; there is an English version, and Der Spiegel has a report in German.)
[Update: I’ve changed “hacked” to “crack” in the title. As you’ll be aware, a “hack” is a clever solution to a problem, while a “crack” is a malicious attack.]
Based on the information in the article, the attacker appears to have run a basic man-in-the-middle attack: a laptop posing as a network access point, so that the email client software on the victims’ mobile phones connected to the mail server through it. Since the laptop cannot present the real mail server’s certificate, the victims’ phones probably displayed a certificate warning, which the victims dismissed.
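To make concrete what that certificate warning is guarding, here is an added example (written for this post; it is not code from the Mediapart report, from the Parliament’s IT services or from any real mail client). It shows the TLS client settings a mail client should use, the settings that tapping “continue” on the warning amounts to, the hostname comparison the client performs, and certificate pinning as the one check that needs no user decision. The hostname mail.example.org, the certificate dicts and the stand-in “DER” byte strings are all constructed; a real client would take the same data from ssl.SSLSocket.getpeercert().

```python
"""Added example for this post (not code from the Mediapart report, the
Parliament's IT services or any mail client): what a phone's mail client
checks before trusting a mail server over TLS, and how those checks play out
against a rogue access point. All hostnames, certificate dicts and the
stand-in 'DER' byte strings below are constructed for illustration."""
import hashlib
import ssl

MAIL_HOST = "mail.example.org"  # assumed name the phone's mail client dials


def strict_context() -> ssl.SSLContext:
    """Context a mail client should use: the certificate must chain to a
    trusted CA (CERT_REQUIRED) and its names must match MAIL_HOST
    (check_hostname). The TLS library does the chain check for us."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def accept_anything_context() -> ssl.SSLContext:
    """What tapping 'continue' on a certificate warning amounts to: the link
    is still encrypted, but to whoever answers on the other end of the Wi-Fi."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style name comparison: case-insensitive, and a wildcard is
    accepted only as the entire left-most label of a name with at least three
    labels ('*.example.org' is fine; '*.org' and 'm*.example.org' are not)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if pattern.count("*") != 1 or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """DNS names a certificate is valid for, in the dict layout that
    ssl.SSLSocket.getpeercert() returns. Fall back to the subject CN only
    when no subjectAltName is present (legacy behaviour)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ())
                 for key, value in rdn if key == "commonName"]
    return names


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, as getpeercert(binary_form=True) returns it."""
    return hashlib.sha256(der_cert).hexdigest()


def check_peer(cert: dict, der_cert: bytes, expected_host: str, pinned: set) -> list:
    """Checks a client adds on top of the library's chain validation. Returns
    the list of problems; an empty list means 'connect'. Pinning removes the
    user from the loop: a certificate that is not the one the client was
    provisioned with is refused outright, with no warning to click through."""
    problems = []
    if not any(hostname_matches(name, expected_host) for name in cert_names(cert)):
        problems.append("name mismatch")
    if cert_fingerprint(der_cert) not in pinned:
        problems.append("not the pinned certificate")
    return problems


# Constructed sample data (not real certificates).
LEGIT_CERT = {
    "subject": ((("commonName", "mail.example.org"),),),
    "issuer": ((("organizationName", "Example Trust CA"),),),
    "subjectAltName": (("DNS", "mail.example.org"), ("DNS", "autodiscover.example.org")),
}
LEGIT_DER = b"stand-in for the real server certificate's DER bytes"
ROGUE_SAME_NAME = {  # self-signed on the laptop, names copied from the real server
    "subject": ((("commonName", "mail.example.org"),),),
    "issuer": ((("commonName", "mail.example.org"),),),
    "subjectAltName": (("DNS", "mail.example.org"),),
}
ROGUE_OTHER_NAME = {  # whatever certificate the laptop happened to have
    "subject": ((("commonName", "hotspot.example.net"),),),
    "issuer": ((("commonName", "hotspot.example.net"),),),
}
ROGUE_DER = b"stand-in for the laptop's self-signed certificate DER bytes"
PINNED = {cert_fingerprint(LEGIT_DER)}

if __name__ == "__main__":
    for label, cert, der in (("real server", LEGIT_CERT, LEGIT_DER),
                             ("rogue, same name", ROGUE_SAME_NAME, ROGUE_DER),
                             ("rogue, other name", ROGUE_OTHER_NAME, ROGUE_DER)):
        print(f"{label:18} -> {check_peer(cert, der, MAIL_HOST, PINNED) or 'connect'}")
```

The point of the two contexts is that the warning is the only difference between them: with the strict settings the phone refuses the laptop’s certificate and the attack fails silently; once the user accepts, the phone is using the second context in all but name. The pinning check in check_peer is the kind of control that does not depend on the user at all, which is why a managed device fleet should ship with it.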
This incident highlights just how shoddy the Parliament’s IT infrastructure is. It’s up to the Parliament’s IT administration to fix this, and it’s up to the MEPs to demand change. Der Spiegel says that MEPs who wanted to use encryption were actually kept from doing so by the Parliament’s IT services. If true, that would be rather discouraging, to put it mildly.
Educating people not to ignore certificate warnings might help. But it’s hardly a solution: a warning that the user can click through is only as strong as the user’s patience on a given day. To actually improve the situation, MEPs should demand that the Parliament’s IT services give them reliable, secure end-to-end encryption on their devices, so that message contents stay unreadable even when the network path between the phone and the server is not trustworthy.
It goes without saying that in order to be secure, such encryption technology needs to be fully auditable, and thus needs to be Free Software. The Parliament’s IT services should take a look at GnuPG and the clients that use it, for a start.