Russian software used by Swiss federal departments raises security concerns
An iPhone and PC decryption system used by two Swiss federal institutions is linked to a Russian company active in the field of digital investigations. Experts point out the cybersecurity risks.
The decryption system, ElcomSoft, is a privately owned company headquartered in Moscow, Russia. The company is active in the field of digital investigations. It produces software usually used by forensic experts as well as private companies to recover passwords and decrypt mobile phones and computers.
An investigation by the Italian language service of the Swiss public broadcaster, RSI, revealed that this Russian application is also used by the Swiss Federal Police and Armasuisse. At a time when cyber-attacks from Moscow are a cause for concern, experts warn of the risks involved.
Prague or Moscow?
At first glance of the company website, it states that ElcomSoft is based in Prague, in the Czech Republic. But actually, the company headquarters is in in Moscow. The Russian address was deleted from the company website after the war in Ukraine. Using the internet active website, Wayback MachineExternal link, RSI discovered that in November 2021, just a few months prior to the large-scale invasion into Ukraine by the Russian army, the company’s headquarters was listed in Moscow.
The company is still currently active in Moscow. RSI found corroborating information from the Russian trade register. On LinkedIn, the associated employees, programmers and even the CEO of ElcomSoft RSI tracked down are residents of the Russian Federation.
ElcomSoft was founded in the 1990s. The company’s website writes that it, “offers solutions for criminal and law enforcement agencies, in the field of computer forensics, mobile and cloud”. In fact among its product offers is a software to recover passwords and access password-locked mobile phones or computers. This software can be used to break into iPhones or PC.
Swiss federal departments confirm it uses ElcomSoft software
On ElcomSoft’s website, RSI reports that its tools are used by ‘most companies’ on the Fortune 500 list, as well as by ‘military units, foreign governments and all major accounting firms’.
At least that is what the company claims. We also found the Federal Office of Police (Fedpol) and the Federal Armaments Office (Armasuisse) among the customers. Armasuisse replied to a request by RSI by e-mail explaining that it had indeed ‘purchased the software from this manufacturer for testing purposes’. However, it did not specify what kind of testing or how the product is used.
However, the Swiss Federal Police initially denied RSI a response, citing security concerns.
Using the Transparency Act, RSI was able to receive confirmation that the Swiss Federal Police ‘purchased licences for 4 products from the company ElcomSoft in 2024’. The Swiss Federal Police specified that it only uses the products ‘offline’ (i.e. not connected to the network) and that over the past several years it has ‘purchased equivalent products whose names have been changed’.
Software tantamount to a weapon
For Sebastien Fanti, technologies expert and former data protection delegate in canton Valais, the use of this kind of software raises serious issues for national cybersecurity. “This is a Russian company, which deals with the development of forensic products for surveillance. It is a company that is therefore subject to Russian law,’ Fanti explains, “it is possible that the authorities and intelligence services in Moscow can access the results of investigations that are carried out through this software.”
Fanti is not reassured by the fact that the programme would be used ‘offline’ by the Swiss Federal Police. “It is worrying that at any given moment this software makes contact with any network that someone can access and repatriate all the data,” he says. “What are the guarantees that there is no ‘backdoor’? Nothing,” says Fanti. The backdoor that Fanti is referring to are “secret ports used to access computers are usually a default installation often used for maintenance purposes”. He explains how these backdoors can be used other ways: “Backdoors can be installed to be sure that the software will not be used against its own country”.
Fanti believes that countries “have to choose partners very carefully. Nations cannot take risks. Trusted partners who work in a country where respect for the law and democratic rules is guaranteed should be favoured. This is not the case with Russia.” For the expert, this surveillance software “is a weapon. And it should be treated as such.”
Concerns in the Swiss Federal Palace
The use of this software also raises questions under the dome of the Swiss Federal Palace. For parliamentarian, member of the security policy commission and computer scientist by profession, Gerhard Andrey, there is reason for concern. “This is a real tool for hacking an iPhone. If we are too dependent on foreign tools and companies that are based in countries that are problematic for us, such as Russia, for example, or China, this is a problem in general,” says Andrey. This is obviously the case for this software, which is very sensitive as it is used to hack into Apple computers or devices, he says.
For Andrey, the fact that it is used ‘offline’ i.e. disconnected from the network is not synonymous with 100 % security. “In general, these kinds of applications should not be used connected to the internet, because it would be very complicated and very dangerous for security issues,” he says.
One issue Andrey points out are regularly occurring software updates: “there are obviously updates coming from somewhere. If it is a service provider that is not in Switzerland, then to do this data transfer you need to have good security management on the software”.
In the early 2000s, ElcomSoft made headlines in the US when one of its programmers was arrested for offences related to US copyright law. The man was later released and acquitted years later.
More recently, the company is making headlines after suing a competitor in Russia on the basis of stealing code used to infiltrate iPhones. As reported by Forbes, the legal dispute revealed a weakness and possible vulnerability in Apple’s iOS 16 operating system. It is unclear whether if the latest Apple’s iOS 17 update has resolved the problem. On ElcomSoft’s site, however, it states that its ‘Forensic Toolkit’ application works with all iPhone and iPad versions, including iOS 17.
Suspicion of espionage
The CEO and co-founder of ElcomSoft is Vladimir Katalov, a mathematician and graduate of the Moscow Institute of Engineering and Physics. From 1987 to 1989 he was a sergeant in the Soviet army. Katalov was interrogated in the United States in 2011 by two US government employees. In an interview by ForbesExternal link, he explained that the agents wanted information on whether his company was linked to the Kremlin and whether its software had ‘backdoors’ that could have allowed Moscow agents access to American networks.
They also allegedly asked him to hand over a list of clients as well as the source code. Katalov denied having any connections to Moscow intelligence or that there were any hidden vulnerabilities in his products.
Over the years, ElcomSoft sold products to companies and police forces in the US. ElcomSofts customers included the Air National Guard, among others. RSI contacted the US Air National Guard, however, they denied using ElcomSoft software. To date, we do not know how many companies and institutions in the US use these products. The FBI recently warned about the cybersecurity risks of using applications produced in Russia.
RSI states that it contacted ElcomSoft and initially received an answer from CEO Vladimir Katalov, who said he would be willing to be interviewed. However, RSI writes that he has not yet responded.
Adapted for web: Julien Furrer (RTS)/Adapted from French with DeepL/amva
In compliance with the JTI standards
More: SWI swissinfo.ch certified by the Journalism Trust Initiative
You can find an overview of ongoing debates with our journalists here . Please join us!
If you want to start a conversation about a topic raised in this article or want to report factual errors, email us at english@swissinfo.ch.