Russian software used by Swiss federal departments raises security concerns

A man uses a laptop with bright keyboard, in Zurich, Switzerland, on March 5, 2019. (KEYSTONE/Christian Beutler)

An iPhone and PC decryption system used by two Swiss federal institutions is linked to a Russian company active in the field of digital investigations. Experts point out the cybersecurity risks.

ElcomSoft, the maker of the decryption system, is a privately owned company headquartered in Moscow, Russia. The company is active in the field of digital investigations. It produces software usually used by forensic experts as well as private companies to recover passwords and decrypt mobile phones and computers.

An investigation by the Italian-language service of the Swiss public broadcaster, RSI, revealed that this Russian application is also used by the Swiss Federal Police and Armasuisse. At a time when cyber-attacks from Moscow are a cause for concern, experts warn of the risks involved.

Prague or Moscow?

At first glance, the company website states that ElcomSoft is based in Prague, in the Czech Republic. In fact, the company headquarters is in Moscow. The Russian address was deleted from the company website after the war in Ukraine began. Using the internet archive website Wayback Machine, RSI discovered that in November 2021, just a few months prior to the large-scale invasion of Ukraine by the Russian army, the company’s headquarters was listed in Moscow.

The company is still active in Moscow. RSI found corroborating information in the Russian trade register. The associated employees, programmers and even the CEO of ElcomSoft that RSI tracked down on LinkedIn are residents of the Russian Federation.

ElcomSoft was founded in the 1990s. The company’s website says that it “offers solutions for criminal and law enforcement agencies, in the field of computer forensics, mobile and cloud”. Among its products is software to recover passwords and access password-locked mobile phones or computers. This software can be used to break into iPhones or PCs.

Swiss federal departments confirm they use ElcomSoft software

RSI reports that ElcomSoft’s website says its tools are used by ‘most companies’ on the Fortune 500 list, as well as by ‘military units, foreign governments and all major accounting firms’.

At least that is what the company claims. We also found the Federal Office of Police (Fedpol) and the Federal Armaments Office (Armasuisse) among the customers. Armasuisse replied to a request by RSI by e-mail explaining that it had indeed ‘purchased the software from this manufacturer for testing purposes’. However, it did not specify what kind of testing or how the product is used.

The Swiss Federal Police, for its part, initially declined to respond to RSI, citing security concerns.

Using the Transparency Act, RSI was able to receive confirmation that the Swiss Federal Police ‘purchased licences for 4 products from the company ElcomSoft in 2024’. The Swiss Federal Police specified that it only uses the products ‘offline’ (i.e. not connected to the network) and that over the past several years it has ‘purchased equivalent products whose names have been changed’.

Software tantamount to a weapon

For Sebastien Fanti, technology expert and former data protection delegate in canton Valais, the use of this kind of software raises serious issues for national cybersecurity. “This is a Russian company, which deals with the development of forensic products for surveillance. It is a company that is therefore subject to Russian law,” Fanti explains, “it is possible that the authorities and intelligence services in Moscow can access the results of investigations that are carried out through this software.”

Fanti is not reassured by the fact that the programme would be used ‘offline’ by the Swiss Federal Police. “It is worrying that at any given moment this software makes contact with any network that someone can access and repatriate all the data,” he says. “What are the guarantees that there is no ‘backdoor’? Nothing,” says Fanti. The backdoors that Fanti is referring to are “secret ports used to access computers, usually a default installation often used for maintenance purposes”. He explains how these backdoors can be used in other ways: “Backdoors can be installed to be sure that the software will not be used against its own country”.

Fanti believes that countries “have to choose partners very carefully. Nations cannot take risks. Trusted partners who work in a country where respect for the law and democratic rules is guaranteed should be favoured. This is not the case with Russia.” For the expert, this surveillance software “is a weapon. And it should be treated as such.”

Concerns in the Swiss Federal Palace

The use of this software also raises questions under the dome of the Swiss Federal Palace. For Gerhard Andrey, a parliamentarian, member of the security policy commission and computer scientist by profession, there is reason for concern. “This is a real tool for hacking an iPhone. If we are too dependent on foreign tools and companies that are based in countries that are problematic for us, such as Russia, for example, or China, this is a problem in general,” says Andrey. This is obviously the case for this software, which is very sensitive as it is used to hack into Apple computers or devices, he says.

For Andrey, the fact that it is used ‘offline’, i.e. disconnected from the network, is not synonymous with 100% security. “In general, these kinds of applications should not be used connected to the internet, because it would be very complicated and very dangerous for security issues,” he says.

One issue Andrey points out is regularly occurring software updates: “There are obviously updates coming from somewhere. If it is a service provider that is not in Switzerland, then to do this data transfer you need to have good security management on the software”.

In the early 2000s, ElcomSoft made headlines in the US when one of its programmers was arrested for offences related to US copyright law. The man was later released and, years later, acquitted.

More recently, the company made headlines after suing a competitor in Russia, accusing it of stealing code used to infiltrate iPhones. As reported by Forbes, the legal dispute revealed a weakness and possible vulnerability in Apple’s iOS 16 operating system. It is unclear whether Apple’s latest iOS 17 update has resolved the problem. ElcomSoft’s site, however, states that its ‘Forensic Toolkit’ application works with all iPhone and iPad versions, including iOS 17.

Suspicion of espionage

The CEO and co-founder of ElcomSoft is Vladimir Katalov, a mathematician and graduate of the Moscow Institute of Engineering and Physics. From 1987 to 1989 he was a sergeant in the Soviet army. Katalov was interrogated in the United States in 2011 by two US government employees. In an interview with Forbes, he explained that the agents wanted information on whether his company was linked to the Kremlin and whether its software had ‘backdoors’ that could have allowed Moscow agents access to American networks.

They also allegedly asked him to hand over a list of clients as well as the source code. Katalov denied having any connections to Moscow intelligence or that there were any hidden vulnerabilities in his products.

Over the years, ElcomSoft sold products to companies and police forces in the US. ElcomSoft’s customers included the Air National Guard, among others. RSI contacted the US Air National Guard; however, it denied using ElcomSoft software. To date, we do not know how many companies and institutions in the US use these products. The FBI recently warned about the cybersecurity risks of using applications produced in Russia.

RSI states that it contacted ElcomSoft and initially received an answer from CEO Vladimir Katalov, who said he would be willing to be interviewed. However, RSI writes that he has not yet responded.

Adapted for web: Julien Furrer (RTS)/Adapted from French with DeepL/amva

SWI swissinfo.ch - a branch of Swiss Broadcasting Corporation SRG SSR