13 — Historical Incidents

Relevant events where cryptography was broken, sabotaged, misused, or where entire systems fell. Each incident: context, root cause, impact, lessons.


1. Zimmermann Telegram (1917)

Context: Arthur Zimmermann (German Foreign Secretary) proposes an alliance with Mexico against the US in WWI.

Crypto: Nomenclator codes 13040 and 0075. The British (Room 40) deciphered them via the capture of partial codebooks + analysis.

Impact: Publication brings the US into WWI in Apr 1917. A wartime inflection point.

Lesson: Diplomatic codes without rotation are vulnerable to capture + cryptanalysis; trivial political impact > technical impact.


2. Enigma (1932–1945)

Already covered in 03-classical.md. Historical summary:

  • The Poles (Rejewski) read it from 1932.
  • Transferred to Bletchley in Jul 1939.
  • Throughout WWII: Bletchley read ~10% of traffic at any given moment; much more during periods of better crib supply.
  • Shortened the war by an estimated 2 years.

Lesson: electromechanical machines with weak indicator systems are breakable; the operator's operational security matters as much as the algorithm.


3. Venona Project (1942–1980)

Context: The KGB and GRU use OTP for diplomatic/espionage traffic. The volume exceeds the Soviet capacity to generate random pads.

Error: ~1942–1945, pads are duplicated across messages. Cell B in Moscow sends the same pad to New York and Washington.

Break: Meredith Gardner (US SIS) discovers the repetition (1946). Two-time-pad analysis deciphers ~3000 messages.

Revelations:

  • Identity of Alger Hiss, the Rosenbergs, Klaus Fuchs.
  • Soviet espionage operation against the Manhattan Project.
  • ~349 American citizens identified as agents.

Status: Program classified until 1995.

Lesson: a reused OTP is not an OTP. Without logistical discipline, perfect secrecy becomes an XOR pad shorter-than-the-message, cryptanalyzable.


4. Crypto AG / Operation Rubicon (1970–2018)

Context: Crypto AG (CAG), a Swiss company founded by Boris Hagelin (~1952). Sells cryptographic machines to governments worldwide.

Covert operation:

  • In 1970, the CIA + BND (West Germany) secretly buy CAG.
  • Operations: Thesaurus (original NSA cooperation), then Minerva (CIA), and Operation Rubicon (BND/CIA).
  • Machines sold had deliberately weakened algorithms or backdoors.

Adoption:

  • 130+ countries used CAG, including Argentina, Brazil, the Vatican, Libya, Iran, Iraq, Pakistan, South Korea.

Intelligence extracted:

  • ~40% of American signals intelligence in some periods.
  • Camp David negotiations (EgyptIsraelUS 1978) with Egypt using CAG.
  • Falklands/Malvinas crisis (1982) — Argentinians using CAG, the British reading.
  • Iran-Iraq War (1980–1988).
  • The BND withdrew in 1993; the CIA continued until the sale of CAG in 2018.

Revelation: Washington Post + ZDF + SRF (Feb 2020) publish a joint investigation with documents.

Impact: Swiss reputation (neutrality) shaken. Diplomatic fallout. Confirmed decades of suspicions (Snowden, Wikileaks had already hinted at it).

Lesson: Do not trust a black-box cryptography vendor. Kerckhoffs's principle applies: the algorithm must be public and verifiable.


5. CRYPTO Wars (1990s)

Context: The US classifies strong cryptography as munitions (US Munitions List); export controls.

Events:

  • PGP 1991 (Zimmermann) → criminal investigation for export without a license (1993–1996, closed without prosecution).
  • Clipper chip (1993) — Clinton administration proposal: a chip with mandatory key escrow (LEAF — Law Enforcement Access Field). Broken by Matt Blaze in 1994 (forge LEAF). Abandoned 1996.
  • Export grade crypto: 40-bit symmetric, 512-bit RSA allowed. Forced weakened design in SSL.
  • Bernstein v. United States (1995–2002): DJB sues the US arguing that code is speech. Wins — the 9th Circuit declares crypto code as First Amendment.
  • 2000: massive relaxation of export controls.

Technical legacy:

  • FREAK (2015), Logjam (2015), DROWN (2016): exploits against "export grade" left on servers 20 years later.
  • "Export ciphers" still in CDNs until ~2015.

Lesson: policy has a cryptographic half-life. Decisions from the 90s still bite in the 2010s.


6. DualECDRBG (2007–2014)

Context: NIST SP 800-90A (2006) standardizes several RNGs, including DualECDRBG (Elliptic Curve Dual). Recommended by the NSA.

Mathematical suspicion:

  • Shumow + Ferguson (CRYPTO 2007 rump): show that the curve constants may contain a trapdoor. Whoever knows \(d\) such that \(P = dQ\) can predict the output after a few bytes.
  • NIST never explains how the constants were generated.

Confirmation:

  • Snowden documents (Sep 2013) show the NSA paid US$10 million to RSA Security to make Dual_EC the default in BSAFE.
  • The BULLRUN program confirmed.

Affected products:

  • RSA BSAFE (default RNG in some versions).
  • Juniper ScreenOS NetScreen firewalls (2008–2013) — Juniper later announces a secondary backdoor installed by a third party in 2012 (CVE-2015-7755) that altered the constants; speculation: a different state actor stole the NSA backdoor via Dual_EC.
  • McAfee, Fortinet, Microsoft (partial), BlackBerry (partial).

Removal: NIST withdraws the recommendation in 2014. RSA "deprecates" it in 2013. Final removal in NIST SP 800-90A Rev 1 (2015).

Impact:

  • Trust in the NIST process shaken for decades.
  • The community demands an open process (AES, SHA-3, PQC competitions).
  • NSA documentation has been read carefully ever since.

Lesson: Magic numbers in standards without explanation are red flags. Even "neutral" standards may contain backdoors. Open competition is the antidote.


7. Debian OpenSSL RNG bug (2008, CVE-2008-0166)

Context: In 2006, a Debian developer (Kurt Roeckx) commented out a line in crypto/rand/md_rand.c that Valgrind reported as an "uninitialized memory read".

Bug: The line contributed the contents of the uninitialized buffer to the entropy pool — intentional use via MD_Update(&m, buf, j) before the buffer was populated. It was removed.

Result: openssl_rand() seeded only with the PID (1 to 32768). Only 32k unique keys generated across all of Debian/Ubuntu from 2006-09-17 to 2008-05-13.

Detection: Luciano Bello discovered it via a Valgrind suppress investigation; the bug affected SSH host keys, SSL certs, OpenVPN keys, DNSSEC keys.

Impact:

  • 30k+ public servers exposed.
  • Massive certificate revocation.
  • Long-tail: vulnerable keys found in production years later.

Lesson: Patch reviews in crypto require expertise. Distros should not alter upstream crypto without analysis. Valgrind warnings are not uniformly safe to suppress.


8. Heartbleed (CVE-2014-0160)

Discovery date: Codenomicon (Finland) + Neel Mehta (Google) — simultaneously, April 2014.

Bug: OpenSSL implementation of the TLS Heartbeat extension (RFC 6520). The client sends a heartbeat with a declared length \(N\) + a short payload. The server returns \(N\) bytes of memory starting at the payload buffer — leaking \(N\) bytes of residual heap.

// vulnerable code
n2s(p, payload);  // attacker-controlled length
memcpy(bp, pl, payload);  // copies payload bytes, not actual data size

Leak:

  • RSA private keys (recoverable via key schedule patterns in the heap).
  • Session cookies, passwords, recent plaintext.
  • ~17% of public servers affected.

Mitigation:

  • OpenSSL 1.0.1g patch on Apr 7.
  • Mass rotation: every TLS cert in the world (with an RSA key) revoked and re-issued.
  • Browsers updated CRL/OCSP rapidly.

Financial impact: estimated US$500M in rotation + downtime + revocation.

Additional details: the vulnerability existed since Dec 2011 (2.5 years). It is estimated that exploitation by state actors occurred before public disclosure. The NSA was accused of knowing (officially denied).

Lesson: C heap-based libraries require obsessive care with bounds. Post-Heartbleed: the OpenBSD fork LibreSSL, the Google fork BoringSSL, both cleaning up the code. OSS-Fuzz ramped up. OpenSSL 3.0 redesign.


9. POODLE (Oct 2014)

Technical details in 11-attacks.md. Historical context:

Bodo Möller, Thai Duong, Krzysztof Kotowicz (Google). Browsers still fall back to SSL 3.0 when the TLS handshake fails → a MITM attacker forces a downgrade → CBC padding oracle reveals cookies.

Response: Browsers disable SSL 3.0 in Q4 2014–Q1 2015. TLSFALLBACKSCSV (RFC 7507) added.


10. Freak / Logjam (2015)

FREAK (Mar 2015): a state machine bug in OpenSSLAppleMicrosoft TLS allowed servers to accept "export-grade" 512-bit RSA even without cipher negotiation. 512-bit RSA breakable in ~7h via NFS.

Logjam (May 2015): "imperfect forward secrecy" — researchers demonstrate that pre-computing NFS against common DH-1024 primes is within the NSA's capability. Reading historic VPN traffic possible.

Both: legacy of the export ciphers of the 90s still in the code.


11. Bullrun / Edgehill / Snowden disclosures (Jun 2013–)

Edward Snowden, NSA contractor, leaks ~1.7M documents to Glenn Greenwald, Laura Poitras, Barton Gellman.

Programs disclosed:

Program Agency What
PRISM NSA Direct access to Big Tech (Google, Apple, Facebook, etc.) data
MUSCULAR NSA + GCHQ Tap into Google/Yahoo internal data center links
BULLRUN NSA Crypto sabotage program ($250M/year budget)
EDGEHILL GCHQ UK equivalent of BULLRUN
XKEYSCORE NSA Internet surveillance database
MYSTIC / SOMALGET NSA Bulk recording of phone calls
TAO catalog NSA Hardware implants catalog (COTTONMOUTH, BULLDOZER, etc.)
Quantum Insert NSA Man-on-the-side packet injection

BULLRUN specifically included:

  • Influencing standards bodies (NIST, ISO, IETF) to weaken algorithms.
  • Industry partnerships with secret payments (RSA Security $10M).
  • Custom backdoors in commercial crypto products.
  • Cracking of specific protocols (TLS, IPsec, SSH variants).

Impact on cryptography:

  • Massive shift to E2E messaging (Signal adoption exploded).
  • TLS 1.3 designed with paranoia (remove RSA key transport, etc.).
  • PQC migration urgency.
  • Browsers push HTTPS everywhere (Let's Encrypt 2015).
  • IETF declares pervasive monitoring as an attack (RFC 7258, 2014).

Snowden a refugee in Russia since 2013.

Lesson: The threat model must include state actors by default. Before 2013, "the NSA won't attack you" was a common assumption. Post-Snowden, any long-term system must consider nation-state capability.


12. DigiNotar (Sep 2011)

Context: DigiNotar, a Dutch CA, a trusted issuer for the MozillaMicrosoftApple root stores.

Compromise:

  • An Iranian attacker (likely a state actor) compromises the internal infrastructure.
  • Issues ~500 fraudulent certs: *.google.com, *.microsoft.com, *.skype.com, *.cia.gov, *.mozilla.org, etc.
  • Iranian users redirected via DNS spoof + MITM with a *.google.com cert for Gmail interception.

Detection: Chrome in Iran (with hardcoded pinning for Google domains) warns users. Public reports trigger an investigation.

Response:

  • Browsers remove DigiNotar from the trust store globally (Sep 2011).
  • DigiNotar declares bankruptcy within a few weeks.
  • The Dutch government performs an emergency reissue (DigiNotar held government contracts).

Lesson: CA single point of failure. Catalyzes the adoption of Certificate Transparency (RFC 6962, 2013), HPKP (later deprecated), DANE (RFC 6698 — TLSA records).


13. Stuxnet (discovered 2010)

Context: A USB-borne worm designed to sabotage Iranian centrifuges at the Natanz nuclear facility. Estimated: NSA + Unit 8200 (Israel).

Crypto:

  • 4 zero-day exploits.
  • Forgery of a Microsoft Windows Update signature via MD5 chosen-prefix collision (Marc Stevens technique, 2008–2012). Allowed infection via the update mechanism.
  • Encrypted C2 communication.

Impact:

  • Destroyed ~1000 centrifuges at Natanz.
  • Delayed the Iranian nuclear program by ~2 years.
  • The first cyber weapon confirmed by a government (not directly, but with official acknowledgment over the years).

Lesson: Crypto attacks can cost real billions when they target industrial hardware. The MD5 collision was still exploitable in 2012, years after the public "break". CRL/CT matter.


14. Apple vs FBI / San Bernardino (2016)

Context: San Bernardino shooter (Dec 2015). The FBI wants Apple to unlock an iPhone 5C with iOS 9.

Demand:

  • Custom firmware with brute-force PIN without limit, without the 1-second delay.
  • Signed by Apple (\(Apple signing key\) + boot chain).

Apple:

  • Tim Cook publishes an open letter refusing — apple.com/customer-letter.
  • Argument: creating this capability is "creating the master key for all iPhones".

Resolution:

  • The FBI eventually pays a "third party" (rumored Cellebrite or GrayShift) ~US$1M to crack it via a 0-day exploit.
  • Apple never helps.

Legacy:

  • Apple increases security: SE with aacskd, randomized boot, hardware-backed entropy.
  • iOS 14+: blastdoor sandbox for iMessage.
  • 2024: Apple Private Cloud Compute (PCC) — attested compute for Apple Intelligence.

Lesson: A cryptographic backdoor = a backdoor for everyone. The industry took a firm stance against encryption mandates. But the debate continues (UK Investigatory Powers Act, EU CSAR, Australia AA Act).


15. ShadowBrokers / NSA TAO leak (2016–2017)

Context: An anonymous group, "Shadow Brokers", leaks NSA TAO (Tailored Access Operations) tools.

Leaked:

  • EternalBlue (CVE-2017-0144) — SMBv1 exploit.
  • DoublePulsar — backdoor implant.
  • Decrypts of various firewall/router exploits.

Impact:

  • WannaCry ransomware (May 2017) — uses EternalBlue, spreads globally. NHS UK, Maersk, FedEx, Renault paralyzed.
  • NotPetya (Jun 2017) — wiper disguised as ransomware. Maersk lost US\(300M, Merck US\)870M.
  • Total estimated damage > US$10B.

Lesson: A stockpile of 0-days leaks eventually. An argument against government cyber arsenals (Vulnerabilities Equities Process).


16. ROCA (Oct 2017, CVE-2017-15361)

Details in 11-attacks.md. Context:

The Infineon RSALib used in smartcardsTPMseIDs generated keys with a special structure. Researchers (Matus Nemec, Marek Sys, Petr Svenda, Dusan Klinec, Vashek Matyas) discover it in Jul 2017; disclose it in Aug 2017.

Affected:

  • Estonia eID — 750k cards, nationwide ID. The state issues an emergency update in November 2017.
  • Slovakia eID, Spain DNIe.
  • TPMs in Lenovo, HP, Fujitsu laptops.
  • Yubikey 4 (FIDO U2F) — rotated.

Mitigation: rotate keys; Infineon patched the library but fielded hardware remained.

Lesson: Hardware crypto is no more secure than its library. Even FIPS 140-2 certified products had the bug. Estonia case: government emergency rotation was viable only with mature digital identity infrastructure.


17. Juniper Dual_EC backdoor backdoored (CVE-2015-7755, Dec 2015)

Context: Juniper ScreenOS firewalls (2008–2013) had DualECDRBG with constants that the NSA could probably exploit.

2012: An unknown attacker (not the NSA per the documents) changes the constants in the ScreenOS code. Inserts their own backdoor over the existing one.

Detection: A Juniper internal security audit (2015) discovers it. Public disclosure Dec 2015.

Implications:

  • A different state actor "stole" the NSA backdoor.
  • Shows that a backdoor inserted for the "good guys" eventually serves the "bad guys".

Lesson: a practical argument against crypto backdoors. A backdoor inserted by country A will be discovered/used by country B.


18. WhatsApp / Mexico Pegasus (2019)

Context: NSO Group Israel develops Pegasus spyware — a zero-click iOS/Android exploit.

Crypto-adjacent:

  • 1400+ WhatsApp victims identified (Citizen Lab, Univ. of Toronto).
  • Journalists, activists, lawyers.
  • Mexico, Saudi Arabia (Khashoggi), Hungary, India, Spain, France (Macron).

WhatsApp/Meta sues NSO — in May 2025, a jury awarded WhatsApp US$167M in damages.

Lesson: Even E2E encryption does not protect if the device is compromised at runtime. Hardware/OS security is a prerequisite.


19. ROBOT (CVE-2017-13099)

Details in 11-attacks.md. The Bleichenbacher 1998 attack still working in 2017 against:

  • Cisco ACE, ASA.
  • Citrix NetScaler.
  • F5 BIG-IP.
  • IBM WebSphere DataPower.
  • Erlang TLS lib.
  • Java SafeNet HSM lib.

Lesson: 19 years was not enough for a universal fix. Implementations never catch up to theoretical patches.


20. RSA SecurID (Mar 2011)

Context: RSA Security (an EMC subsidiary) issues SecurID hardware tokens — a popular enterprise 2FA.

Compromise:

  • APT phishing email, Excel macro with a Flash exploit.
  • Attackers (APT1 / a China group) access internal systems.
  • Stealth theft of seed records — serial numbers + seeds of the manufactured tokens.

Use:

  • Lockheed Martin attacked (May 2011) — the attackers have the seeds, manage to clone the engineers' SecurID tokens.
  • L3 Communications, Northrop Grumman also targeted.

Response: RSA emergency reissue of 40M tokens.

Lesson: Centralized 2FA systems with a seed-database are a single point of failure. Modern practice prefers TOTP (without seed escrow) or WebAuthn (hardware-bound).


21. KRACK (Oct 2017)

Mathy Vanhoef (KU Leuven) discovers the Key Reinstallation Attack in the WPA2 4-way handshake. Forcing reinstallation of the PTK → reuses the nonce stream → deciphers parts of traffic.

Affected: practically every WPA2 Wi-Fi client.

Patches: rolled out 2017–2018. WPA3 (with the Dragonfly handshake) introduced as a successor — but Dragonfly had Dragonblood vulns in 2019 (Vanhoef again).

Lesson: Wi-Fi crypto has always had a bad track record (WEP killed by Fluhrer-Mantin-Shamir 2001; WPATKIP killed by Tews-Beck 2008; WPA2KRACK 2017; WPA3/Dragonblood 2019). A cyclical migration.


22. Zerologon (CVE-2020-1472, Aug 2020)

Tom Tervoort (Secura). A bug in the Netlogon protocol: AES-CFB8 with an all-zeros IV. ~1/256 probability of "session key = zeros" → the attacker authenticates as the domain controller without credentials.

Scope: Active Directory environments globally (~70% of enterprises).

Patch: Microsoft Aug 2020. Mass adoption push.

Lesson: AES-CFB8 with a zero IV is an example of broken cryptographic protocol design from old decisions (Netlogon protocol design from the 90s). Modern implementations need a random IV. Crypto agility — protocols that are too rigid take a long time to fix.


23. ProxyLogon / ProxyShell (2021)

Microsoft Exchange Server vulnerabilities (Mar 2021). Crypto-related: ASP.NET viewstate signed with a leaked MachineKey → forge auth.

10k servers compromised within days. White House blame on a China APT (Hafnium).


24. SolarWinds (Dec 2020)

Supply chain attack: The SolarWinds Orion update server compromised. A malware-laden update signed legitimately with a valid signing key.

Impact: 18k organizations including US Treasury, State Dept, DHS, Microsoft, FireEye.

Crypto-adjacent: a (valid) signing key used incorrectly; SAML token forging post-access.

Lesson: Code signing assumes the build process is sound. Reproducible builds + multi-party signing begin to gain focus post-incident.


25. Log4Shell (CVE-2021-44228, Dec 2021)

Not a crypto incident per se, but it reshaped security thinking. Log4j JNDI lookup remote code execution. 100% of Java internet impacted.


26. WhatsApp/Meta Pegasus, NSO Group (various, 2019–present)

Commercial spyware industry. NSO Group, Candiru, Intellexa. Zero-click exploits. Crypto bypass via endpoint compromise.


27. Boothole / LogoFAIL / Black Lotus (UEFI bootkits, 2020–2023)

Boothole (CVE-2020-10713): GRUB2 buffer overflow. Bypasses Secure Boot.

Black Lotus (2023): the first commercialized UEFI bootkit (sold in dark markets). Persists before the OS loads.

LogoFAIL (CVE-2023-...): vulnerabilities in vendor boot-logo image parsers. Generic across BIOS vendors (AMI, Insyde, Phoenix).

Lesson: The Secure Boot chain of trust depends on every link. Bugs in pre-OS code escape OS protections.


28. xz-utils backdoor (CVE-2024-3094, Mar 2024)

Long-running supply chain attack: a contributor under the "Jia Tan" pseudonym gains trust in the xz-utils project over 2 years. Inserts a sophisticated backdoor in release 5.6.0/5.6.1 that attacks OpenSSH via a systemd dependency.

Backdoor activated by an RSA-style trigger in SSH connection metadata.

Discovered accidentally by Andres Freund (Microsoft PostgreSQL dev) investigating a 500ms-slower SSH login.

Impact: discovered before stable distros adopted it (Debian/RHEL still on 5.4.x). Catastrophic if not caught.

Lesson: Single-maintainer open source projects are targets. Reflects fundingsustainability problems in open source cryptosecurity infrastructure.


29. Lessons by category

A broken algorithm does not fall instantly

MD5: collision academic 2004, practical 2008, exploited in Flame 2012, still in use in some systems in 2026.

Implementation > algorithm

Heartbleed bug = ~17% of the internet exposed. The TLS algorithm was correct.

Operations > theory

Venona broken by OTP reuse, not by the OTP itself.

State actors are part of the threat model

BULLRUN, Crypto AG, Stuxnet, Pegasus, SolarWinds.

Supply chain is a crypto attack vector

xz-utils, SolarWinds, Stuxnet (via forged signature).

Long-tail of legacy algorithms

FREAK, DROWN, ROBOT — exploits decades after "deprecated".

A backdoor inserted by A will be used by B

Juniper Dual_EC, ShadowBrokers NSA tools.

Mass rotation is viable but costly

Heartbleed, ROCA Estonia eID, Debian RNG. Requires preparedness.


30. Cross-reference

  • Detailed technical attacks: 11-attacks.md.
  • People involved: 12-people.md (Snowden, Marc Stevens, Zimmermann, etc.).
  • Chronological timeline: 01-timeline.md.
  • Confidential computing as a response: 09-confidential-computing.md.
  • Koder Stack security posture: 14-koder-applied.md.