Investigation: How Philips made a Dutch pocket telex “spyable” for the NSA
Encrypted, but not for America
Intelligence services fear that China will gain access to our secrets thanks to built-in back doors in Huawei equipment. The USA has had those back doors for a long time. At the end of the last century, for example, Philips made a difficult to crack pocket telex “spyable” for the NSA. A reconstruction.
By Huub Jaspers and Marcel Metze
Spring 2014. In a family restaurant in the woods around Eindhoven we find a source, let’s call him “Frank Molenaar”. The case on which he is going to provide us with information played in the mid-nineteen eighties. Yet he still wants to remain anonymous. The conversation takes place in a private dining room, without viewers or listeners. “What we are talking about was state secret at the time”, he explains, “public disclosure was punishable by imprisonment.” Is that still true? The General Intelligence and Security Service (AIVD) believes that the issue must remain secret for more than thirty years after that date. It rejects a request for disclosure. The then deputy director Marc Kuipers writes: “One of the (…) grounds for refusal is that the provision of the requested data must not harm national security. (…) The AIVD must be able to keep its sources, its working methods (…) and its current level of knowledge secret.”
This answer makes the story of “Frank Molenaar” all the more fascinating. It is about the NSA and how the US American eavesdropping service called in Philips to remove an encrypted pocket telex from the market. That pocket telex – a text device avant la lettre – was developed by the Dutch small business Text Lite. The encryption program that Text Lite had built in was difficult to crack even for the NSA. Something had to be done about it, the Americans thought.
What makes the issue even more fascinating is that the ANC would have used the pocket telex to transfer secret messages from Nelson Mandela – who was then imprisoned on Robben Island – from Zambia to London. Dutch activist Connie Braam had given the device to the ANC. This raises the question: has Philips helped the NSA to intercept Mandela?
Philips had been in contact with the NSA for some time. Subsidiary USFA – an abbreviation for Ultra Sonore Manufacturing Department – built cryptographic devices intended for sending and receiving encrypted diplomatic and military communications. But the development costs were high and sales outside the Netherlands were limited. That changed in 1977. That year, a USFA employee traveled to the NSA headquarters in Fort Meade, not far from Washington. What he discussed is unknown. What is certain is that it did not end with this one visit and that Philips USFA has since been on a leash of the NSA.
In addition to spying, the NSA also dealt with the development and construction of cryptographic machines and associated software. Shortly after the visit of the USFA employee, the NSA chose Philips as a subcontractor. The Dutch corporation was allowed to build a license for an NSA device for encrypted data transmission for the European NATO countries. Of course, that device contained an encryption program developed by the NSA itself, the so-called Walburn algorithm. Philips also installed another NSA encryption (Saville, developed by the NSA and the British GCHQ) in its new communication equipment for the Dutch army.
Since the alliance with the NSA, USFA had done significantly better commercially. So when the Americans presented themselves with a special request, Philips was open to that. According to “Frank Molenaar” – who was involved in the case in an undefined role – a secret meeting took place somewhere in the Netherlands in December 1984 where employees of both Philips and the NSA were present. The official language was English. The subject: a new encryption program for the PX-1000, the pocket telex that Text Lite had launched in 1983.
It was quickly clear to the Philips cryptographers that the new encryption was weaker than the encryption that Text Lite had built into the device, and would therefore be easier for the Americans to crack. They also understood the reason for this: a eavesdropping service must be able to eavesdrop, and therefore it is not in the interests of citizens and businesses to use devices that make it all that difficult.
The PX-1000 measured approximately twenty by ten centimeters and was equipped with a small display and a keyboard. You could type messages and send them as beeps via a normal telephone line to another PX-1000, which then made them text again – provided the owner had the correct encryption key. The device cost around a thousand guilders and would now be worth around 860 euros. By the time the NSA got wind of it, Text Lite had already sold quite a few of it, including to the Turkish army, in the Middle East and to Israel.
The company was still young, it was set up in 1981 as a producer of light newspapers – light bars with current advertising texts. The PX-1000 was an idea of technical director Hugo Krop. Krop had added ‘a very naughty feature’ to the PX-1000 on his own initiative, he said a few months before his death, in 2018. “Not because someone asked for it, but simply because it was possible.” In a hacker magazine from the USA he had read ‘how you could make the official Data Encryption Standard from America in about 1 K (1000 bits)’. There was just room for such a mini-file on the PX-1000 chip. …
Krop’s co-director Arie Hommel remembered how after the introduction of the PX-1000, Text Lite received signals that people in security circles were not happy with their beautiful device. “Occasionally someone from England came over from Scotland Yard to ask why and to whom we sold those things. They seemed to be bothered by it because they could not listen to them. And they were not the only ones. ”
The NSA was also not happy. The Americans did not contact Text Lite themselves, but engaged Philips for that job. Neither Hommel nor Krop remembered the date of the phone call from Eindhoven, but that must have been somewhere in 1984, before Text Lite went public (that happened in December, via a listing on the Amsterdam parallel market). Hommel: “We were asked to come to a Van der Valk hotel near Utrecht. That’s where the Philips people said extremely harshly: you have a product that contains encryption and we want to get rid of that. ”
According to Krop, their conversation partners were USFA employees. He confirmed Hommel’s description of the conversation: “They presented themselves with a proposal: a) how much money do you want, b) do you want to track down and buy back all devices and c) we will give you a new, at least as good, encryption key and then go we distribute that device. And by the way: this is not an offer that you can refuse. You just have to do it.” According to Arie Hommel, it was not clear that this offer was inspired by the NSA, but Hugo Krop suspected it. During a conversation with the radio program Argos, he spontaneously dropped: “Yes, if the NSA wants something, they will always get it done.”
The Text Lite directors agreed – partly enticed by an amount that according to Hommel was somewhere between thirty and forty million guilders. Philips took over the PX-1000 and tried to trace as many unsold copies as possible. It is not known whether copies have been retrieved that had already been sold. In 1990 the anti-militarist action group Onkruit occupied the USFA complex and thereby seized internal documents. It turned out that Philips resold twelve thousand PX-1000s, along with another twenty thousand chips with the DES-algorithm, to the American company Reynolds – which can no longer be traced and, according to various anonymous sources, has probably been a cover for the NSA. The selling price was around 16.5 million guilders – which roughly corresponds to the retail value.
It was a sad moment in Philips history. The corporation had once set up USFA at the request of the Dutch government. It had been warned in 1944 by its top cryptologist Colonel J. A. Verkuijl that the US had almost reached the point where it could crack the Swiss Hagelin coders used by the Netherlands.
Immediately after the war, Philips had advised the government to build its own cryptographic devices. That would reduce the chance of American hacks. By developing high-quality cryptographic technology itself, the Netherlands would also have the chance to be admitted to the exclusive group of countries that shared secret intelligence: the US, the United Kingdom and Canada (this club was later expanded to include Australia and New Zealand and became known under the nickname Five Eyes). …
The first secret telex was not ready for production until 1957. In 1962, USFA had won a NATO bid with its Ecolex IV telex, so that success seemed within reach. But competition from German (Siemens, AEG), British, Swedish / Swiss (Hagelin), Norwegian (SATK) and American sides was fierce. It had taken until 1977 – the year of the NSA alliance – for USFA to once again win a NATO bid, this time with the secret telex Aroflex. What had begun as an attempt to prevent American eavesdropping had ended in cryptological dependence on those same Americans.
Thanks to the stories of ‘Frank Molenaar’, from a few other anonymous sources and from the Text Lite directors Krop and Hommel, it is clear how the NSA, with the help of Philips, removed the overly encrypted PX-1000 from the market and replaced it with a new version PX-1000Cr. What they could not answer were two other questions: how much weaker was the new encryption of the PX-1000, and did the ANC actually use the device in communication between Mandela and ANC-London?
It took five years before we found the answers to those questions. Marc Simons and Paul Reuvers helped us analyze the weakened algorithm in the PX-1000Cr. They are the owners of a software company in Eindhoven and have set up a virtual “cryptomuseum” in their free time. They also collect as many old crypto devices as possible. Simons and Reuvers had copies of the original PX-1000 and the weakened PX-1000Cr. They succeeded in reading out the memories and schematically drawing out the encryption algorithms in both versions.
Bart Jacobs, professor of cyber security in Nijmegen, found an interested student, who only needed three months to come to the conclusion that the original version indeed contained the decryption algorithm. A second student would continue the research, but was offered a job even before graduating. The only man who could give a definitive answer is Cees Jansen, a mathematician and cryptographer who worked at USFA in the 1980s. However, he did not want to go into detail. After some insistence, Jansen appeared willing to look more closely at the algorithm scheme of the weakened PX-1000CR, as made by the men of the cryptomuseum, together with professor Bart Jacobs.
In an Argos radio broadcast, Jansen described this algorithm as “clearly weaker” and confirmed that the NSA should have been able to crack it much faster than the DES-algorithm in the original PX-1000. Our anonymous source “Frank Molenaar” had told us that this weakening amounted to a halving of the number of bits per encryption block: that made use of 64-bit blocks, the NSA backdoor used 32-bit blocks. Professor Bart Jacobs explains that this amounts to a weakening of 2 to power 32, or a factor of more than four billion. That is huge. Suppose the NSA computer had taken a year to crack a DES-message, that time would have been reduced to 0.007 – or seven thousandth – seconds via the weakened back door.
In 2010, the TV program Andere tijden dedicated a broadcast to Operation Vula. It had set up the ANC in the mid-1980s to steer diverted ANC fighters back into South Africa and to set up a communication line with Nelson Mandela. Mandela was still imprisoned on Robben Island at the time, but his release was already expected (eventually it only came in 1990). Andere tijden revealed that the Dutch anti-apartheid movement had played a role in Operation Vula in all sorts of ways.
Activist Connie Braam, eg, had acquired some copies of the original PX-1000 and gave them to the ANC. Were they used too? The man who knows all about this is the white South African writer Timothy Jenkin. At the time, he was responsible for the secret communication within the ANC. His famous escape in 1979 from a heavily guarded prison in Pretoria is currently being filmed with Daniel “Harry Potter” Radcliffe in the lead role. Jenkin confirms by telephone that the ANC has used the PX-1000. But only within Europe: “For communication between London and Amsterdam, and later also between London and Paris.” The PX-1000 turned out to be unsuitable for communication between Zambia and London and was therefore not used for messages from Mandela, says Jenkin. High-quality and interference-free lines were required to transfer the encrypted audio signals via the telephone without error. “We tested it. It worked well from a quiet hotel room, but not from public telephone booths.”
Has the NSA intercepted and cracked the ANC European PX-1000 communication? We do not know. Perhaps the answer will one day come from declassified NSA archives. And has the NSA benefited from the “back door” that Philips put in it? That too remains a mystery. Not long after the acquisition, Philips launched the new version of the PX-1000 in 1985 with the addition of “Cr” (for crypto) and the new, weaker algorithm. Text Lite took care of the production and also developed a successor: PX-2000 (1985), which was “backward compatible” with the PX-1000 and probably also contained the back door. The devices were also sold under license and under different brand names (Siemens, Alcatel, Ericsson) in a number of European countries, such as Germany, England, France, Austria and Sweden. It is not clear whether the back door was in it, it is possible that the manufacturers involved have replaced this with their own encryption algorithms. There was also a version for the Dutch government. The weakened algorithm was not there, the government had its own encryption developed for which the details are unknown to date.
In any case, one conclusion remains: since Edward Snowden’s revelations in 2013, we know that the NSA goes very far in monitoring global electronic communications. The story of the PX-1000 is not very important on a global scale. But it is significant that the NSA also spent quite a bit of money and energy back then to ensure that electronic communication devices could be monitored. There is no reason to believe that the service has stopped that.
One last question remains: who actually made that weakened algorithm, that back door in the PX-1000? At the end of the conversation in the family restaurant in the woods near Eindhoven, “Frank Molenaar” leans towards us. “I would just like to emphasize that this algorithm did not come from Philips,” he says. “It came from the USA, it came from the NSA.”