
Crypto AG Revelations—Who Can You Trust to Manage Your Encryption Backdoor?

February 17, 2020 | Guest Blogger: Kim Crawley

News broke on February 11th that stunned the world. Crypto AG, a company trusted by government agencies and other public sector entities worldwide for nearly a century, was owned by the Central Intelligence Agency. The CIA used Crypto AG to acquire highly sensitive and often classified data on foreign governments across continents.
 

The company’s origins date back to 1920, so a hundred years ago! As AB Cryptoteknik, it started in Stockholm, Sweden by making cryptograph machines, back when cryptography was all mechanical. By 1952, the company had moved to Switzerland for tax reasons and restarted as Crypto AG. The company started working with digital cryptography as soon as the technology became available. By the 1960s, they had large European corporate clients like Siemens, Ericsson, and Kongsberg. In June 1970, Crypto AG was secretly purchased by the CIA and West Germany’s BND intelligence agency, well into the Cold War.
 

Operation Thesaurus commenced shortly thereafter, to be renamed Rubicon in the 80s. By the early 90s, BND considered their role in Crypto AG and Rubicon to be too risky, so they backed out, making the CIA the sole owner of the company. Through the first dozen or so years of the 21st century, Crypto AG sold cryptographic equipment and services to a whopping 120 countries, including India, Pakistan, and Iran. But to the possible frustration of the CIA’s espionage objectives, China and the former Soviet Union were never clients.
 

A CIA report about the matter said, “It was the intelligence coup of the century. Foreign governments were paying good money to the US and West Germany for the privilege of having their most secret communications read by at least two (and possibly as many as five or six) foreign countries.”
 

Rubicon was effectively one giant backdoor for American intelligence. The CIA is of course an entity of the United States. And the United States is a member of the Five Eyes intelligence alliance, with the other “four eyes” being Canada, the UK, Australia, and New Zealand. So those are likely the other countries Crypto AG shared intelligence with.
 

By 2018, Crypto AG was liquidated and its assets were sold to other companies.
 

The Crypto AG scandal involves intelligence agencies and many public sector entities. But even if you’re in a private sector company of any size, the news should concern you.

 

Backdoors are a huge concern to everyone’s information security, private sector companies included. They’re deliberate vulnerabilities, designed so that other entities can access data without a user’s knowledge. They can be in hardware, software, and networking devices. They can exist everywhere from video game consoles to mobile devices, to servers to telecommunications infrastructure. Many government agencies have argued that they consider backdoors necessary for intelligence and law enforcement in order to protect their citizens and investigate crime. Here’s one of many examples. In 2014, former FBI Director James Comey said in a speech at the Brookings Institution:
 

“Encryption isn’t just a technical feature; it’s a marketing pitch. But it will have very serious consequences for law enforcement and national security agencies at all levels. Sophisticated criminals will come to count on these means of evading detection. It’s the equivalent of a closet that can’t be opened. A safe that can’t be cracked. And my question is, at what cost...
 

We’re seeing more and more cases where we believe significant evidence is on that phone or a laptop, but we can’t crack the password. If this becomes the norm, I would suggest to you that homicide cases could be stalled, suspects could walk free, and child exploitation might not be discovered or prosecuted. Justice may be denied, because of a locked phone or an encrypted hard drive.”
 

But even if backdoors may make life easier for the cops, they threaten everyone’s security. Any backdoor weakens encryption as a whole. Bruce Schneier knows this well. As he has written on his blog:
 

“Strong encryption means unbreakable encryption. Any weakness in encryption will be exploited—by hackers, by criminals and by foreign governments. Many of the hacks that make the news can be attributed to weak or—even worse—nonexistent encryption.
 

The FBI wants the ability to bypass encryption in the course of criminal investigations. This is known as a ‘backdoor,’ because it's a way at the encrypted information that bypasses the normal encryption mechanisms. I am sympathetic to such claims, but as a technologist I can tell you that there is no way to give the FBI that capability without weakening the encryption against all adversaries. This is crucial to understand. I can't build an access technology that only works with proper legal authorization, or only for people with a particular citizenship or the proper morality. The technology just doesn't work that way.
 

If a backdoor exists, then anyone can exploit it. All it takes is knowledge of the backdoor and the capability to exploit it. And while it might temporarily be a secret, it's a fragile secret. Backdoors are how everyone attacks computer systems.”
 

Here’s one of many ways that backdoors have threatened cybersecurity already. The National Security Agency knew about the EternalBlue exploit for years, but inevitably it became public knowledge and was posted on WikiLeaks. WannaCry and other catastrophic malware exploited the notorious Windows SMB vulnerability, costing companies countless millions in lost data, lost productivity, and ransom payment attempts.
 

Kevin Bocek, VP Security Strategy & Threat Intelligence for Venafi, has advice for organizations that may be concerned about government backdoors in their encryption equipment:
 

“The only way organisations can be confident that their encryption is fit for purpose and does not possess any backdoors is by ensuring they have complete visibility and control over every single machine identity in use across their network and that they disable any that are not in use or not needed. (By machine identity, I mean the encryption keys and certificate that enable and secure private machine to machine communications.) Once all the identities have been discovered, they need to automate the process so that whenever a new identity is created then you know about it—this will stop third parties inserting their own backdoors without your knowledge. This enables organisations to spot signs of possible identity misuse, and quickly act to revoke and replace compromised identities.” 
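The inventory check described in the quote above can be sketched as follows. This is an added example, not code from the original post or from Venafi; the function names, the record layout, the 90-day idle threshold and the sample data are all assumptions made for illustration.

```python
import hashlib
from datetime import date, timedelta


def fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate or public key."""
    return hashlib.sha256(der_bytes).hexdigest()


def audit_identities(approved, observed, today, max_idle_days=90):
    """Compare a discovery scan against the approved inventory.

    approved: {fingerprint: owner} for identities someone has signed off on.
    observed: list of (host, der_bytes, last_used) tuples from the scan.
    Returns (unknown, idle, missing):
      unknown - deployed identities that nobody approved
      idle    - deployed identities unused for more than max_idle_days
      missing - approved identities the scan no longer finds anywhere
    """
    unknown, idle, seen = [], [], set()
    cutoff = today - timedelta(days=max_idle_days)
    for host, der, last_used in observed:
        fp = fingerprint(der)
        seen.add(fp)
        if fp not in approved:
            unknown.append((host, fp))   # created without your knowledge
        if last_used < cutoff:
            idle.append((host, fp))      # candidate to disable or revoke
    missing = sorted(set(approved) - seen)
    return unknown, idle, missing


# Constructed sample data: placeholder bytes stand in for real DER blobs.
WEB, VPN = b"constructed-web-cert", b"constructed-vpn-cert"
ROGUE, RETIRED = b"constructed-unapproved-key", b"constructed-retired-cert"
APPROVED = {fingerprint(WEB): "web-team", fingerprint(VPN): "netops",
            fingerprint(RETIRED): "legacy"}
TODAY = date(2020, 2, 17)
SCAN = [
    ("web01", WEB, date(2020, 2, 16)),
    ("vpn01", VPN, date(2019, 9, 1)),
    ("db02", ROGUE, date(2020, 2, 15)),
]

if __name__ == "__main__":
    unknown, idle, missing = audit_identities(APPROVED, SCAN, TODAY)
    for label, rows in (("UNKNOWN", unknown), ("IDLE", idle)):
        for host, fp in rows:
            print(f"{label:8} {host:6} {fp[:16]}")
    for fp in missing:
        print(f"{'MISSING':8} {'-':6} {fp[:16]}")
```

Run on a schedule against fresh scan output, the `unknown` list is the alert for identities created outside the approval process, and `idle` is the review queue for identities to disable.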
 

Organizations across industries of all sizes must watch out for backdoors and do their best to encrypt their data properly.
 

About the author

Guest Blogger: Kim Crawley

Kim Crawley writes about all areas of cybersecurity, with a particular interest in malware and social engineering. In addition to Venafi, she also contributes to Tripwire, AlienVault, and Cylance’s blogs. She has previously worked for Sophos and Infosecurity Magazine.
