Wanted: Help to analyze (backdoored) Omnisec devices
Dear Cypherpunks Adrienne Fichter, Journalist of Republik (cf. https://republik.ch/), is searching for people who hep to analyze (backdoored) Omnisec devices, a former Zurich-based company which--like Crypto AG--was shown in Swiss media these days to have sold devices, which were backdoored, too. * * * Omnisec was dissolved two years ago; some articles in German: https://www.republik.ch/2020/11/26/das-innerste-auge-crypto-skandal-omnisec https://www.woz.ch/2048/geheimdienste/professor-maurer-und-die-nsa SRF / Swiss Public Broadcaster on it, from yesterday: https://www.srf.ch/play/tv/rundschau/video/theke-ueli-maurer?urn=urn:srf:vid... * * * German tweet, with her asking for action: https://twitter.com/adfichter/status/1331908267803553793 You find her contact details (besides Twitter) here: https://www.republik.ch/~adriennefichter Greets & happy hacking! --hernani -- https://vecirex.net
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Thursday, November 26, 2020 11:41 AM, Hernâni Marques <hernani@vecirex.net> wrote:
Dear Cypherpunks
Adrienne Fichter, Journalist of Republik, is searching for people who hep to analyze (backdoored) Omnisec devices, ... German tweet, with her asking for action:
it's a fax encryption/decryption hardware. would be interesting to look for methods of master key extraction. the attack surface looks pretty rich: https://www.inmarsat.com/wp-content/uploads/2013/10/Inmarsat_Using_Omnisec_5... another model to consider is the Omnisec 222, often code (and bugs) re-used across model families :) look for debug pads and surprise functionality, https://github.com/grandideastudio/jtagulator , https://github.com/usb-tools/Facedancer . might need to read flash memory directly: https://libreboot.org/docs/install/rpi_setup.html attack retrieved images with Ghidra and friends. if target is hard, try glitch attacks. https://tches.iacr.org/index.php/TCHES/article/view/7390 . sounds like fun! best regards,
more fun history: Controversy In relation to the above, it is worth noting that both the initial owner of Omnisec, Urs Ingold, and the first director, Pierre Schmid, are mentioned in the CIA documents about [Operation RUBICON](https://cryptomuseum.com/intel/cia/rubicon.htm), as being well-known by the American intelligence community, whatever that means [8](https://cryptomuseum.com/manuf/omnisec/index.htm#ref_8). Another name that turns up in relation to Omnisec, is Ueli Maurer, Professor at the ETH in Zürich, and between 1988 and 2015 technical advisor at Omnisec. Although he previously denied it, he now confirms that he was approached by the [NSA](https://cryptomuseum.com/intel/nsa/index.htm) in 1989, but had turned them down [10](https://cryptomuseum.com/manuf/omnisec/index.htm#ref_10)[11](https://cryptomuseum.com/manuf/omnisec/index.htm#ref_11). Further suggestions that he and/or his colleages might have cooperated with the intelligence services, are found in the [Operation RUBICON](https://cryptomuseum.com/intel/cia/rubicon.htm) documents [8](https://cryptomuseum.com/manuf/omnisec/index.htm#ref_8). In 1993, shortly after release of [Crypto AG](https://cryptomuseum.com/manuf/crypto/index.htm) sales representative [Hans Bühler](https://cryptomuseum.com/people/buehler/hans.htm) from an Iranian prison, 3 the Swiss Bundespolizei (BuPo) investigated the allegations that [Crypto AG equipment](https://cryptomuseum.com/crypto/hagelin/index.htm) might have been rigged by foreign intelligence services. Swiss military officials subsequently informed the [CIA](https://cryptomuseum.com/intel/cia/index.htm) that they had: "the ability to ensure that the official results of any investigation will show no manipulation of the gear" They also informed the [CIA](https://cryptomuseum.com/intel/cia/index.htm) that, should the investigation be subcontracted to the ETH in Zürich, they could handle four of the five cryptomathematicians who could become involved in the investigation. In other words: the ETH was in their pocket. - https://cryptomuseum.com/manuf/omnisec/index.htm
participants (2)
-
coderman -
Hernâni Marques