Crypto AG backdooring rumours were true, say German and Swiss news orgs after explosive docs leaked

One for the Cold War infosec veterans: CIA and BND literally owned the firm

Crypto AG wasn’t so much Swiss security as Swiss cheese, say German-language broadcasters today

Swiss encryption machine company Crypto AG was secretly owned by the CIA and a West German spy agency at the height of the Cold War, according to explosive revelations in Swiss and German media today.

Although rumours had swirled for decades around Crypto AG and the backdooring of its products by the West – cough, cough, NSA – and not forgetting careless remarks by former US prez Ronald Reagan, today’s publications by Swiss broadcaster SRF and German broadcaster ZDF confirm those old suspicions.

And who could forget that lovely list of words that caused Five Eyes’ spying machine Echelon to switch on? “Crypto AG”, along with “kill the president”, could summon the black ‘copters to your front door.

The encryption machine maker was secretly bought by a Liechtenstein front company that was 50/50 owned by the CIA and German spy agency the BND. The two nations agreed to let Swiss spies in on their secret, while only a tiny handful of top Crypto AG personnel knew about the intentional weakening of its products.

Operation Rubikon, as the Swiss and Germans called it, “was one of the boldest and most scandalous operations, because over a hundred states paid billions of dollars for their state secrets to be stolen,” Warwick University political science professor Richard Aldrich reportedly said.

Quoting from secret documents it says it obtained, ZDF said: “Certain people [at Crypto AG] knew something about the role that the Germans and Americans played in Crypto AG and were ready to protect this relationship.”

ZDF claimed today that through Crypto AG’s sales abroad, the NSA and West Germany’s BND spy agency were both able to spy upon hostile and allied countries alike, with spied-upon allies including NATO members Portugal, Spain and Ireland, among others.

Professor Alan Woodward of the University of Surrey was fascinated by today’s revelations, telling The Register: “The original suspicions were raised because Reagan went on TV and talked about diplomatic cables that had been encrypted using a Crypto AG C52 machine. I think it was Der Spiegel who ferreted out the allegations [in 1996, years before today’s revelations] by talking to certain Crypto AG staff.”

Woodward explained the old rumours to El Reg: “In essence, what had happened was not so much that there was a back door but that the CEO was passing the full tech specs to the NSA, which allowed them to use similar mechanisms to the Bombe used at Bletchley to break the codes. It’s one of the many reasons the story of Enigma was kept quiet for a lot longer than people thought it might otherwise have been.”

Infosec veteran Bruce Schneier guessed years ago that Crypto AG had been compromised, blogging in 2004 about the 1992 arrest of salesman Hans Buehler in Iran over allegations that Crypto AG knew its equipment was compromised. Schneier speculated: “It’s also possible that the NSA installed a ‘back door’ into the Iranian machines.”

Today he shrugged off the news that it was true all along, telling The Register: “I thought we knew this for decades.”

On the Buehler arrest, described in detail in today’s story, ZDF said: “A Swiss secret service employee informed CIA that they would be able to control the result of the investigation [into Buehler’s arrest] so that it shows no tampering with the equipment.”

The Cold War-era backdooring of Crypto AG’s machines ended with the reunification of Germany in 1993, when the BND sold its 50 per cent shareholding to the CIA. In 2018, the company was split in half, with Crypto International Group AB acquiring its international business.

The Swedish-owned company that acquired the brand name and other assets in 2018 said in a statement today that it has “no connections to the CIA or the BND” and “never had”. According to Crypto International Group, it is a “different company” with a “different owner, different management and a different strategy” and found the reports very “distressing”. ®
