Hacker News new | past | comments | ask | show | jobs | submit login
NSA's Backdoor of the PX1000-Cr (cryptomuseum.com)
269 points by sohkamyung on Feb 17, 2022 | hide | past | favorite | 64 comments



author of the break here, ama.


I'm curious whether there is any info on the dev team who created the PX-1000 (where PC-1000Cr is implemented). Any more info on how the NSA got a backdoor inserted? There's [1] which gives a general overview.

This seems like a fascinating story, would be happy to read more!

[1] https://www.cryptomuseum.com/crypto/philips/px1000/nsa.htm


afaik the firmware was developed by philips ufsa[1] based on directions (test vectors?) by the NSA, lots of effort was put into making the algo run efficiently on the CPU in the px1000.

[1] https://www.cryptomuseum.com/crypto/philips/usfa.htm


also interesting might be this generic link unrelated to the NSA backdoor: https://cryptomuseum.com/crypto/philips/px1000/


A few of us have bought rebadged versions of these recently and we're looking to create a backend for them that accepts a call (probably via SIP / VoIP) and then demodulates the v.23 and does something useful with it.

Are you aware of anyone thats done this already? We're not desperate to support the encryption initially but I guess it would be nice too.

Thanks


sorry, no. but there is an emulator[1], so you can test the roms, or you can write your own code and test it without having the hw.

[1] https://github.com/iddq/sim68xx/tree/px1000


Nice, thanks


The SpanDSP library has low-speed FSK modem implementations (including Bell 202 and V.23). I've employed the 202 demodulator to listen in to some radio-based telemetry.

https://github.com/freeswitch/spandsp


What the heck is PX1000Cr???

I’ve been in tech for decades and have never heard of this. The link offers no actual explanation. Could you supply some background?

Edit: found this https://www.cryptomuseum.com/crypto/philips/px1000/nsa.htm


Ever heard of TRS-80 Model 100? Same thing, slightly different Japanese OEM.


The Model 100 is a completely different kind of device than the pocket telex.


How is it completely different kind of device? A completely different kind of mobile terminal with build in modem based on Japanese platform? PX1000 looks to be further evolution of Epson HX-20 design. With PX-2000 Philips didnt even try to manufacture locally anymore deferring to Seiko entirely. Or did you mean detailed architecture details, lcd, cpu arch and different OEM Kyocera?


I've got a pair of these somewhere, acquired domestically (USA) AFAIR. Assuming these are crypto-enabled, any easy way to tell what firmware is in them?

Edit: These are Text-Tells.


see the section "Different Versions" on this page: https://cryptomuseum.com/crypto/philips/px1000/


Cool job, that brought back a lot of memories.


How do we know it's a backdoor and not a technical error?


I slipped and accidentally leaked plaintext in the crypto stream!


if you read the linked page, you will see the story and how the nsa replaced the DES algorithm with a completely new algorithm.


I knew the director of Textlite, Hugo Krop. He was active as an investor as well, a coke junk and went around with a body guard with a gun at all times driving a black armored (so he claimed) Mercedes.

Textlite was the brand used for the LED light bars which they designed and manufactured, and which were a runaway success.

The PX-1000 was his brainchild too, but it never got the market adoption that they were hoping for.

More information [1], [2].

Weird but interesting character. Hugo had a bit of a lifestyle problem (to put it mildly) and when Textlite cratered he went into all kinds of really shady deals, one of which was a fund that ostensibly grew trees in Latin America.

Eventually he went to jail [3] because it turned out that those forests of trees didn't exist. He died recently (in 2018).

I have a lot of funny and some not so funny stories about Hugo, he wasn't the nicest man due to his habit but when sober and clean was smart and interesting to talk to and tuned in to trends that others only saw much later. You can think of the PX-1000 as an early version of what today would be called a cryptophone, a mobile way for people to communicate securely.

What is interesting is that in this particular context instead of the main use case highlighted being criminals the case of Nelson Mandela and his army of supporters is used to exemplify the power of such a device.

This was in the age when all information traveled in plaintext and to suddenly have someone sell a device that afforded 'pretty good privacy' was a thing that the intelligence services found hard to deal with.

[1] https://www.groene.nl/artikel/versleuteld-maar-niet-voor-ame...

[2] https://www.vpro.nl/argos/lees/onderwerpen/cryptoleaks/2020/...

[3] https://www.blikopdewereld.nl/economie/beleggersinfo/de-bele...


How did you become acquainted?


That's a very long story, the in-a-nutshell version: walking at night in Amsterdam I spotted two guys hauling an Apple II, disk drives, a monitor and a bunch of expansion cards out of the back of a car, I asked what they were doing and they said that they were making some kind of computer vision device (this was in 1984, I was 19 at the time, what they were building was an eye tracker), I asked if I could tag along and they said ok, after an hour or so it was clear they had no clue what they were doing (trying to write some basic program to talk to their frame grabber) so I coded the whole thing up without an assembler by poking the machine code into some free RAM. This led to a longer term relationship, the one guy was an optics genius called Michiel Kassies, the other a guy that knew a lot about hardware, Karl Jungbauer who worked for NikHef (the dutch institute for Nuclear Physics) in their hardware department and who moonlighted in the tech scene in Amsterdam in his free time. Michiel knew Hugo, and when Hugo got the proposal to invest in Jan Sloots' fake video compressor he asked me to look it over for him, which I did.

Hugo ended up investing in DadaData, a company founded by Jungbauer, a guy called Peter Domela-Nieuwenhuis and myself, after three weeks I realized these guys were more interested in their drugs than in running a business so I bailed out and founded MCS, which still continues today (though it has been renamed).

Over the years Hugo would come up with all kinds of weird ideas and occasionally he'd call. We lost touch prior to Greenmix, by which time his drug use became so bad that there we no more normal times.

It's pretty weird to see someone you respect initially slide off like that, I have always hated drugs and it made it pretty hard for me to be exposed to it without commenting on it and getting into arguments. Hugo really was a nice guy that lost it, his addiction to his dope and lifestyle eroded every sense of what was right and what wasn't. The path of destruction he left behind is a mile wide and even though he spent 12 months in jail I'm pretty sure there are lots of people around here that would happily piss on his grave.

Of course I'm sorry for all the investors that lost their money in his harebrained schemes, but I mostly pity his kid who saw his father slide down like that.

One of the funnier stories about Hugo: he was very much overweight and the doctor told him to get some exercise or that he'd die of a heart attack in short order. So he went bike shopping and picked out a very fancy racing bike. After 6 months of dutifully disappearing each day for two hours on his bike he complained that he didn't lose any weight. So I offered to ride with him to see what was going on. Hugo lived in Loosdrecht at the time, and from his house made a beeline to a pancake restaurant in Vreeland (a couple of km away from his house), where he ate two enormous pancakes, consumed copious amounts of expensive alcohol and then cycled leisurely back. So at least I understood why the weight loss program was a failure :), but he swore me to secrecy (which I am now breaking, but I don't think he'd mind).


Wow, very interesting - thanks for sharing. There are so many moments like these and they get lost in history...


What really bothers me - even after all those years - is that if not for the drugs these guys would have gone so much further than they did. They had every opportunity, the tools, the brains, the timing and they fucked it all up.


Kind of reminds me of Phil Katz. Brilliant guy, but a raging drunk. When he died, Wired or somebody interviewed the strippers at the strip club he used to go to, who said that he was very lonely and looking for someone to talk to.


Possibly. For some, substance abuse is one escape—one way of dealing with inner demons. There are other destructive, occupying things than substances that can stop talent and productive potential from yielding much at all


fascinating details, happy to have stirred up these memories!


I've been reading for a couple of hours on all of the stuff you guys have dug up on the pocket telex (and other interesting bits and pieces), very impressive. So much detail, this must have been a lot of work, and other than a couple of typos I can't find anything that doesn't match what I already knew about the device. It would be interesting to know who formed the software team from those days, I wished I recalled more names.

Above the offices in Amsterdam Zuidoost (Hogehilweg) they had this insanely extravagant bar. Looking back I think that the armed bodyguard must have been either coke-induced paranoia shining through or a sign that there was already more afoot that could not stand the light of day.


By the way, doesn't this page need an update now?

https://cryptomuseum.com/crypto/philips/index.htm

"The Philips version with encryption (PX-1000Cr) contained a much improved cryptographic algorithm."


Hi, Paul from Crypto Museum here. Thanks for bringing this to my attention. I missed that one when updating the stories.


You're welcome, if you want I can proofread the whole website, I noticed a few more typos as I was reading quite a lot there today.


The whole website would probably take a bit too long ;-) But please report any typos you find whilst reading to info@cryptomuseum.com That will land directly on my desk. Thanks, Paul


will do!


This story made my day. Thank you!


There is good reason to believe the weaknesses introduced by the NSA with the PX1000-cr algorithm were introduced as part of a series of multiple backdoors that cooperate together [2][3].

The equation system to be solved is rather huge (~20 megabytes when shown as ASCII text), therefore it is logical to assume the NSA required more efficient techniques to break it in the 1980s.

The fact that the first and last character, as well as the top bits in between, leak the keystream makes for an easy and cheap attack that amortizes the algebraic attack costs. Detection of key re-use is therefore trivial.

And since this is a stream cipher key reuse, it is cryptographically disastrous; an excellent illustration of this is the Venona project [1].The NSA has spent decades trying to recover plaintext from two-timepads, but in the Venona case they did not know which two messages shared the same key. This is significantly simpler with the PX1000-cr.

For Venona, it is a safe guess that the NSA developed a significant amount of HW capable of recovering plaintext from two plaintexts that have been XOR-ed together. This implies they may employ more costly algebraic or other attacks only on cryptograms with unique keys. This, I feel, is a critical insight: there is not a single backdoor here, but numerous ones that cooperate.

[1] https://en.wikipedia.org/wiki/Venona_project

[2] https://www.alchemistowl.org/pocorgtfo/pocorgtfo21.pdf

[3] https://www.ctrlc.hu/~stef/blog/posts/pocorgtfo_21_12_apocry...


> The equation system to be solved is rather huge (~20 megabytes when shown as ASCII text), therefore it is logical to assume the NSA required more efficient techniques to break it in the 1980s.

I would assume they're far more capable of building custom hardware to accomplish these attacks than needing to do all of them in software, especially in the 1980s.


Venona dumps are apparently still embarrassing enough that they're only being drip published still even today. I don't think the original Russian is declassified at all.


Series of vulnerabilities cooperate is a good idea even today. Easier to make them hard to spot and to look more like normal bugs and mistakes.


nice summary of my post! thank you very much


Fascinating person. This device really does feel ahead of it's time. What was his story for the period after the tree scam till his death?


I suspect you are in the wrong part of the thread so I'll answer you here.

I do not know, I lost contact with him and only read about him in the paper after that period.

He had some really unsavory characters hanging around him and that plus the drugs were the main reason for me to stop interaction with him. There are some rumors that the funds raised with Greenmix were used to finance drug transports, I have no clue if these are true or not but if they were it wouldn't surprise me even a little bit.


This is fascinating and a great bit of work by Stefan Marsiske. Loved the technical writeup in PoC||GTFO too. This quote from the TFA really shows just how difficult it was for the public to access decent cryptography at the time:

> In her book Operatie Vula, Conny Braam explains how one of her people met a guy, by the name of Floris, in a pub in Amsterdam, who allegedly had developed the PX-1000 [5]. From him they learned that the device had been taken off the market as its encryption was too strong. It had been replaced by a calculator but he suggested to find the older version with built-in crypto.

In all I would say it was a pretty good backdoor for the early 80s, showing how far ahead the NSA's internal understanding of cryptography was. I wonder if they would have anticipated the world we live in today where state-of-the-art cryptography is available and used by everyone on the Internet.


thank you! may i return the compliments? i love playing on cryptohack.org so many fun and educational challenges! kudos!


The algorithm itself looks pretty strong for time but weaker than DES having a 16 byte non-linear function in a cipher feedback loop without chaining. Due to the way the registers aren't randomised and the key is entered it leaks plain-text quite badly. The story here is that Stefan Marsiske studied the algorithm and wrote a cracker that can break a PX-1000Cr message in 4 seconds on a modern laptop, with just 17 characters of cipher-text. Some of the story speculates on the effect this backdoor may have had on anti-apartheid in the 80s and an anecdotal conclusion that a developer had tipped-off the movement about weakened cryptography and helped them revert to a secure version of the PX-1000.


Somewhere at NSA there must be an equivalent museum with the hardware that helps deciphering PX1000-Cr ciphertexts


If you're ever in the area, NSA's public museum is 100% worth a visit. Not surprisingly they skip over things that make them look bad, but it's really cool to be able to play with real enigma machines. They do have an exhibit on secure telecommunications hardware, although I don't remember if this device is included (IIRC it's mostly landlines and more modern cell phones)


> In this context it would be interesting to know whether the NSA had deliberately weakened the PX-1000's cipher, in order to monitor the ANC communications.

Honestly, that seems a little far fetched. This kind of thing seems like something that would be smart to do with no particular target in mind, with the idea that it could be opportunistically exploited later.

Anyone who goes out an buys a specialized encryption device, especially in the 80s, probably has a high likelihood of being up to things the authorities have an interest in.


for those willing to discount the revelation as cold-war era chicanery, a more recent example exists in the SPECK cipher fiasco where the community, frustrated by statist stonewalling and theatrical bloviation, basically told the NSA to pound sand down a rat hole and refused to incorporate the cipher into the kernel.

https://en.wikipedia.org/wiki/Speck_%28cipher%29


Yes, the NSA is fantastic at cryptography but doesn't understand the concept of broken trust.


A few of us have bought rebadged versions of these recently and we're looking to create a backend for them that accepts a call (probably via SIP / VoIP) and then demodulates the v.23 and does something useful with it.

Are you aware of anyone thats done this already?

Thanks


I love the design of these products https://cryptomuseum.com/crypto/philips/index.htm


Once upon a time Philips was a world renowned brand in electronics, extremely innovative and their gear was top notch. How it all went to hell I still don't fully understand, but in the late 80's or so their quality started going downhill and they seemed to make one bad move after another.

This stuff is from various eras but not all of the designs are theirs (though all the gear prior to and including the 'spendex 50' was in house design work.


Philips history in 6 chapters, written up by RF engineer with 30 years at Philips/NXP https://www.maximus-randd.com/technology-history.html TLDR Commodore level management. It ends with picking inferior but marginally cheaper third party components for TVs instead of using own internal products developed specifically for the role, in effect sinking R&D budget and destroying market leader position. WSP (World Standard Pinning) "standardization" story with management naive dreams of selling own products in Asia without cannibalizing home European market while simultaneously moving Consumer Hardware Development to Asia .. where all the hardware was thereafter designed with Asian parts first was priceless.

Philips TV division deciding to second source, skipping Philips Tuners division thus eroding own company market share and profit. Then in turn Philips Tuners division commissioning a cheaper clone of Philips MOPLL from Siemens with a huge minimal volume quota, consequently eroding Philips Semiconductors market share by 25% and forcing Tuner division to manufacture inferior products with already obsolete part. Just beautiful, <Chef's Kiss>, Pure genius!

> The most devastating development, however, was purely internal and of severe structural impact.


For those of us not really plugged into the crypto world: what is PX-1000Cr? Why is it important? Where is it used?


it's a pocket telex from the early 80ies, you can read more about the device here: https://www.cryptomuseum.com/crypto/philips/px1000/index.htm


How this would be different of what exists and is in use today?

Not to mention, the "holes"/"bugs" in the silicium and those in the running software stack. PPL tend to forget about the SDK too: "backdoor injectors for foreign and futur CPUs" aka compilers.


If it were built today you could expect all of the security features of the best phones on the market and of course far more powerful processors allowing for stronger crypto.

Essentially you'd be looking at a cryptophone.


Do we have any modern day equivalents to this I would like to see a standalone system that has no ability to connect to anything except an audio jack that you could hook to your existing cell phone to get secure coms out.


This is also a great commentary on the inherit untrustworthiness of for-profit corporations. From a capitalist perspective trading the security of your users for some early commercial advantage like those 1977 algos from the NSA is "worth it," and the cost is unseen (allowing backdoors) and never disclosed to the customer (dishonesty). There's no one watching this, no rules, and people like Nelson Mandela were victimized because of this. Whenever I meet someone who refuses to run secure systems on anything but FOSS, I respect that they accept that capitalism is a failure in this regard, and a huge one at that.

I have no idea what commercial products are secure now, and neither do you. That's a problem.


Philips made bank on incorporating NSA backdoored algo - NSA shell company bought out whole inventory of the "good" version of the product all at once.

"The remaining stock of 12,000 'old' PX-1000 units was bought by Philips, along with 20,000 firmware PROMs that had already been manufactured. Philips later sold them on to the NSA 1 along with 50 PXP-40 printers, for a total of NLG 16.6 million (more than EUR 7.5 million) [9]. Officially, the equipment was sold a company by the name of Reynolds which is believed to be an NSA front"

Comes down to about 600 Euro per device, and considering they were selling them at 1K Euro retail its a good price to get rid of whole batch all at once.

Nelson Mandela team was smart to use pre backdoor device.


Good thing that they don’t do this sort of thing anymore.


> Although he hasn't found the smoking gun (yet)

So the author is admitting to the title being fake news?


actually since large parts of my addendum blog post were quoted here, here is another quote:

> lets me conclude that the PX1000cr algorithm is indeed a confirmed backdoor.

I guess, me and the cryptomuseum people had a misunderstanding about this.


i mean an algebraic full key recovery out of 17 ciphertext chars is nothing else but catastrophic. and i'm sure this can be done much more efficiently.


Oh hi! And thanks for the clearup!




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: