Skip to main content
Osmond van Hemert
  1. Blog/

The Crypto AG Revelation — When Your Encryption Vendor Is the Intelligence Agency

·1017 words·5 mins
Security Cybersecurity
Osmond van Hemert
Author
Osmond van Hemert
Table of Contents
Cybersecurity Landscape - This article is part of a series.
Part : Post-Quantum Cryptography — The Migration Clock Is Ticking
Part : Secure by Design — CISA's Push Is Finally Gaining Real Traction
Part : EU ChatControl Is Back — And It's Still a Terrible Idea for Encryption
Part : CUPS Overflows — A Critical Linux Printing Vulnerability Nobody Saw Coming
Part : NIST Finalizes Post-Quantum Cryptography Standards — Time to Start Planning
Part : The CrowdStrike Outage — When a Security Update Takes Down the World
Part : regreSSHion — A Wake-Up Call Hiding in Plain Sight
Part : Microsoft Delays Recall — When Security Concerns Actually Win
Part : RSA Conference 2024 — AI Meets Cybersecurity, For Better and Worse
Part : Terrapin Attack — SSH Isn't As Bulletproof As We Thought
Part : Google Rolls Out Passkeys — The Beginning of the End for Passwords
Part : The US National Cybersecurity Strategy — Software Liability Is Coming
Part : 26 Million Requests Per Second — Cloudflare and the Mantis Botnet
Part : Heroku's Security Breach — A Wake-Up Call for Platform Trust
Part : Lapsus$ Breaches Okta and Microsoft — The Identity Provider Nightmare
Part : HermeticWiper and the New Reality of Cyber Warfare
Part : OWASP Top 10 2021 — The Security Landscape Has Shifted
Part : OMIGOD — When Your Cloud Provider Installs Vulnerable Agents Without Telling You
Part : Signal's Explosive Growth — What WhatsApp's Privacy Blunder Means for Messaging
Part : NSA and CISA Sound the Alarm on Known Vulnerabilities — And We Should Listen
Part : The Pandemic IoT Boom — More Devices, More Risk, Same Old Problems
Part : Apple and Google's Exposure Notification API — Privacy Engineering at Scale
Part : Zoom's Security Reckoning — When Rapid Growth Exposes Technical Debt
Part : This Article
Part : The NSA Found a Critical Windows Crypto Bug — And That's Actually Good News

Two days ago, the Washington Post and German broadcaster ZDF published what might be the most significant intelligence story in years. For decades, the CIA and German BND secretly owned Crypto AG, a Swiss company that sold encryption equipment to over 120 countries. The devices were rigged — the intelligence agencies could read the encrypted communications of their customers. Governments, militaries, and diplomats around the world were paying good money for equipment that was designed to betray them.

The operation, codenamed “Thesaurus” and later “Rubicon,” ran from 1970 until at least 2018. Let that sink in. Nearly fifty years of compromised encryption, sold by a “neutral” Swiss company that was actually a front for Western intelligence services.

The Technical Mechanics of Betrayal
#

The beauty — if you can call it that — of the operation was its subtlety. Crypto AG didn’t sell devices that didn’t encrypt. They sold devices that encrypted and included a hidden channel that allowed the CIA and BND to recover the plaintext. The specific techniques evolved over the decades, but the general approach involved weakening the random number generation or including covert parameters in the key exchange that only the agencies knew how to exploit.

In the mechanical cipher era, this meant manipulating the cipher wheels. In the electronic era, it meant embedding weaknesses in the algorithms that weren’t detectable through black-box testing. The devices appeared to work perfectly — messages were encrypted and decrypted as expected. You’d need access to the source code or detailed hardware schematics to spot the backdoor, and Crypto AG controlled both.

This is a masterclass in supply chain compromise, executed at a scale and duration that dwarfs anything we’ve seen in the software world. It makes the Juniper Networks backdoor discovered in 2015 look like amateur hour.

Supply Chain Trust Is the Fundamental Problem
#

For those of us building software systems, the Crypto AG story is a vivid illustration of a problem we grapple with daily: how do you trust your supply chain? Every application we build stands on a tower of dependencies — operating systems, compilers, libraries, hardware, and cloud services — that we largely take on faith.

Ken Thompson laid this out in his 1984 Turing Award lecture, “Reflections on Trusting Trust.” He demonstrated that a compiler could be modified to insert a backdoor into any program it compiled, including future versions of itself, with no trace in the source code. Crypto AG proves that this isn’t just a theoretical exercise — it’s a strategy that intelligence agencies will pursue for decades.

In the modern software ecosystem, we’re arguably more vulnerable than Crypto AG’s customers were. Consider:

  • npm, PyPI, and other package registries host hundreds of thousands of packages, many maintained by anonymous individuals
  • Cloud providers manage the hardware and hypervisors our code runs on
  • CI/CD pipelines execute arbitrary code with access to our secrets
  • Hardware manufacturers control the firmware and microcode in our processors

We perform audits, we review code, we use reproducible builds where we can. But the honest truth is that the complexity of modern systems makes comprehensive verification effectively impossible.

The Open Source Angle
#

One argument you’ll hear is that open source solves this problem — with enough eyes, all bugs are shallow, and backdoors can’t hide in public code. There’s some truth to this. An open-source encryption library is harder to backdoor than a proprietary black-box device. But “harder” isn’t “impossible.”

The OpenSSL Heartbleed vulnerability persisted for two years in one of the most widely-used open source projects in the world. It wasn’t a deliberate backdoor (as far as we know), but it demonstrated that critical code can go unreviewed for extended periods. The Debian OpenSSL fiasco of 2008, where a well-meaning maintainer accidentally crippled the random number generator, showed how easy it is to introduce cryptographic weaknesses without malice.

If we can’t reliably catch accidental cryptographic weaknesses in open source code, catching deliberate, cleverly-designed ones is even harder. The Crypto AG engineers who implemented the backdoors were skilled cryptographers who understood exactly how to introduce weaknesses that would survive casual review.

What This Means for Security Architecture
#

The practical takeaway isn’t to throw up your hands and declare all encryption compromised. It’s to design systems with the assumption that any single component might be compromised. Defense in depth isn’t just a buzzword — it’s the only rational response to a world where your encryption vendor might be owned by an intelligence agency.

Specifically:

  1. Layer your encryption. Don’t rely on a single encryption implementation. TLS for transport plus application-layer encryption using a different library gives you resilience against compromise of either one.
  2. Diversify your trust. Use components from different vendors, different countries, different development teams. A backdoor in one is less useful if it’s wrapped in another layer the adversary can’t break.
  3. Verify where you can. Reproducible builds, binary verification, and periodic audits of critical dependencies aren’t paranoia — they’re hygiene.
  4. Assume breach. Design your systems so that compromise of any single component limits the blast radius. Segment networks, rotate keys, minimize data retention.

My Take
#

I’ve been in this industry long enough to not be shocked by intelligence agencies doing intelligence agency things. What strikes me about the Crypto AG story isn’t the betrayal itself — it’s the duration and scale. Fifty years. Over a hundred countries. And it only came to light because journalists did the digging.

As software engineers, we’re building the infrastructure that societies depend on. The Crypto AG revelation should make us deeply uncomfortable about the trust assumptions baked into our systems. Not because we should suspect every dependency of being a CIA front, but because it proves that sustained, sophisticated supply chain compromises are not theoretical.

The next time someone tells you that your threat model is too paranoid, point them to Crypto AG. A Swiss company that sold encryption to governments for half a century, and it was all a lie. Sometimes paranoia is just good engineering.

This post is part of my ongoing series examining security in practice — real incidents with real lessons for working engineers.

Cybersecurity Landscape - This article is part of a series.
Part : Post-Quantum Cryptography — The Migration Clock Is Ticking
Part : Secure by Design — CISA's Push Is Finally Gaining Real Traction
Part : EU ChatControl Is Back — And It's Still a Terrible Idea for Encryption
Part : CUPS Overflows — A Critical Linux Printing Vulnerability Nobody Saw Coming
Part : NIST Finalizes Post-Quantum Cryptography Standards — Time to Start Planning
Part : The CrowdStrike Outage — When a Security Update Takes Down the World
Part : regreSSHion — A Wake-Up Call Hiding in Plain Sight
Part : Microsoft Delays Recall — When Security Concerns Actually Win
Part : RSA Conference 2024 — AI Meets Cybersecurity, For Better and Worse
Part : Terrapin Attack — SSH Isn't As Bulletproof As We Thought
Part : Google Rolls Out Passkeys — The Beginning of the End for Passwords
Part : The US National Cybersecurity Strategy — Software Liability Is Coming
Part : 26 Million Requests Per Second — Cloudflare and the Mantis Botnet
Part : Heroku's Security Breach — A Wake-Up Call for Platform Trust
Part : Lapsus$ Breaches Okta and Microsoft — The Identity Provider Nightmare
Part : HermeticWiper and the New Reality of Cyber Warfare
Part : OWASP Top 10 2021 — The Security Landscape Has Shifted
Part : OMIGOD — When Your Cloud Provider Installs Vulnerable Agents Without Telling You
Part : Signal's Explosive Growth — What WhatsApp's Privacy Blunder Means for Messaging
Part : NSA and CISA Sound the Alarm on Known Vulnerabilities — And We Should Listen
Part : The Pandemic IoT Boom — More Devices, More Risk, Same Old Problems
Part : Apple and Google's Exposure Notification API — Privacy Engineering at Scale
Part : Zoom's Security Reckoning — When Rapid Growth Exposes Technical Debt
Part : This Article
Part : The NSA Found a Critical Windows Crypto Bug — And That's Actually Good News