Camp++ 0x7e5

A historical NSA backdoor
2021-08-28, 16:00–16:30, Guyon

The dutch built a device in the early 80ies which was able to DES encrypt and tranceive messages via phone lines. The NSA had them all bought up from the market and provided the manufacturer an updated firmware image with a different encryption algorithm.

I decompiled the firmware manually recovering the algorithm and with some help from phr3ak we even managed to have the firmware run in an emulator. The cryptanalysis of this algorithm is still ongoing work, but I'll present everything we have so far.

The device in question is the PX1000: