The intelligence agencies of Germany and the US were secretly gathering information on foreign governments for decades through the control of a Swiss-based firm, according to reports.
Crypto AG had been supplying encryption devices to more than 120 governments during the Cold War and up to this century, reported the Washington Post, German broadcaster ZDF and Swiss channel SRF. The devices had been manufactured so that intelligence agencies could crack codes used to hide messages from Iran, Pakistan and India among others.
Crypto AG was founded in 1940 and was bought by the CIA in 1951 during the Cold War. The CIA partnered with the German BND intelligence agency to design devices that could decrypt and read all messages sent by the company's customers. The device used weakened encryption rather than a backdoor.
In leaked documents, the CIA said it had pulled off “the intelligence coup of the century”. The aim of the project was to gain access to sensitive communications from allies and adversaries. However, the then Soviet Union and China were dubious about the company and did not use the devices.
According to a classified internal CIA history of the operation, which was originally called Thesaurus and later Rubicon, the devices supplied around 40 percent of all the foreign communications that US intelligence analysts processed for information.
While spying on other countries, the company made millions for the CIA and the BND.
“Foreign governments were paying good money to the US and West Germany for the privilege of having their most secret communications read by at least two (and possibly as many as five or six) foreign countries,” the article said.
The five or six could be a reference to the Five Eyes intelligence sharing partnership of which the UK is a member. Through the device, they were able to spy on Iran during the 1979 hostage crisis as well as send intelligence about Argentina to the UK in the 1982 Falklands War.
In the nineties, the BND withdrew from Crypto AG, while the CIA held onto control until at least 2008. Crypto AG was wound up in 2018, and its assets were acquired by two other companies: CyOne Security and Crypto International. Both firms have denied any ongoing involvement and connection to the CIA.
Kevin Bocek, VP security strategy & threat intelligence at Venafi, told SC Media UK that the Crypto AG revelations should be hugely concerning to all of us.
“Government mandated backdoors will allow cyber-criminals to undermine all types of private, secure communications and weaken the power of encryption – ultimately, if you create this power for government, then it will soon work its way into the wrong hands. We have already seen this with EternalBlue and the Ukrainian power station hack,” he said.
“The only way organisations can be confident that their encryption is fit for purpose and does not possess any backdoors is by ensuring they have complete visibility and control over every single machine identity – ie the encryption keys and certificate that enable and secure private machine to machine communications – in use across their network and that they disable any that are not in use or not needed.”