When you’re a nation state, secure communications are key to protecting your sovereignty and keeping your best laid plans under wraps. For the USA, this requirement led to the development of a series of secure telephony networks over the years. John McMaster found himself interested in investigating the workings of the STU-III secure telephone, and set out to replicate the secure keys used with this system.
[John] had a particular affinity for the STU-III for its method of encrypting phone calls. A physical device known as a Crypto Ignition Key had to be inserted into the telephone, and turned with a satisfying clunk to enable encryption. This physical key contains digital encryption keys that, in combination with those in the telephone, are used to encrypt the call. The tactile interface gives very clear feedback to the user about securing the communication channel. Wishing to learn more, John began to research the system further and attempted to source some hardware to tinker with.
As John explains in his Hackaday Superconference talk embeded below, he was able to source a civilian-model STU-III handset but the keys proved difficult to find. As carriers of encryption keys, it’s likely that most were destroyed as per security protocol when reaching their expiry date. However, after laying his hands on a broken key, he was able to create a CAD model and produce a mechanically compatible prototype that would fit in the slot and turn correctly.
Due to the rarity of keys, destructive reverse engineering wasn’t practical, so other methods were used. Thanks to the use of the STU-III in military contexts, the keys have a National Stock Number that pointed towards parallel EEPROMs from AMD. Armed with the datasheet and X-rays of encryption keys from the Crypto Museum, it was possible to figure out a rough pinout for the key. With this information in hand, a circuit board was produced and combined with an EEPROM and a 3D print to produce a key that could replicate the functionality of the original.
Like most projects, it didn’t work first time. The printed key had issues with the quality of the teeth and flushing of the support material, which was solved by simply removing them entirely and relying on the circuit board to index to the relevant pins. Testing was performed using a PKS-703 key reader, which itself was an incredibly rare piece of hardware. In combination with a logic analyzer, it revealed that a couple of the write pins were lined up backwards. Once this was fixed, the key worked and could be programmed with a set of encryption keys. Once inserted into the STU-III and turned, the telephone sprung to life!
Despite this success, there’s still a long way to go before John can start making secured phone calls with the STU-III. Only having one phone, he’s limited to how much he can do — ideally, a pair is needed in order to experiment further. He is also trying to make it easier for others to tinker with this hardware which involves the development of a circuit board to allow keys to be read and reprogrammed with a standard EEPROM writer. He’s also begun reverse engineering of the STU-III’s internals. As a bit of fun, John went as far as to reproduce some promotional swag from the project that spawned the STU-III, showing off his Future Secure Voice System mug and T-shirt.
Reverse engineering national security devices certainly comes with its own unique set of challenges, but John has proven he’s more than up to the task. We look forward to seeing the crypto community hack deeper into this hardware, and can’t wait to see hackers making calls over the venerable STU-III!