Season 3 / Episode 156
How did Boris Hagelin succeed in selling compromised cipher machines to half the world, for more than 50 years? Some have speculated that it was some kind of backdoor. But, no - it was more clever than that... but Bo Jr., Hagelin's son, who became an important part of his father's company, did not approve of the secret deal with the NSA...
- Episode 22
- Episode 23
- Episode 24
- Episode 25
- Episode 26
- Episode 27
- Episode 28
- Episode 29
- Episode 30
- Episode 31
- Episode 32
- Episode 33
- Episode 34
- Episode 35
- Episode 36
- Episode 37
- Episode 38
- Episode 40
- Episode 42
- Episode 43
- Episode 44
- Episode 45
- Episode 46
- Episode 47
- Episode 48
- Episode 49
- Episode 50
- Episode 51
- Episode 52
- Episode 53
- Episode 54
- Episode 55
- Episode 56
- Episode 57
- Episode 58
- Episode 59
- Episode 60
- Episode 62
- Episode 63
- Episode 64
- Episode 65
- Episode 66
- Episode 67
- Episode 68
- Episode 70
- Episode 71
- Episode 72
- Episode 73
- Episode 74
- Episode 75
- Episode 77
- Episode 78
- Episode 79
- Episode 80
- Episode 81
- Episode 82
- Episode 83
- Episode 84
- Episode 85
- Episode 86
- Episode 87
- Episode 88
- Episode 89
- Episode 90
- Episode 91
- Episode 92
- Episode 93
- Episode 94
- Episode 95
- Episode 96
- Episode 97
- Episode 98
- Episode 99
- Episode 100
- Episode 101
- Episode 102
- Episode 103
- Episode 104
- Episode 105
- Episode 106
- Episode 107
- Episode 108
- Episode 109
- Episode 110
- Episode 111
- Episode 112
- Episode 113
- Episode 114
- Episode 115
- Episode 116
- Episode 117
- Episode 118
- Episode 119
- Episode 120
- Episode 121
- Episode 122
- Episode 123
- Episode 124
- Episode 125
- Episode 126
- Episode 127
- Episode 128
- Episode 129
- Episode 130
- Episode 131
- Episode 132
- Episode 133
- Episode 134
- Episode 135
- Episode 136
- Episode 137
- Episode 138
- Episode 139
- Episode 140
- Episode 141
- Episode 142
- Episode 143
- Episode 144
- Episode 145
- Episode 146
- Episode 147
- Episode 148
- Episode 149
- Episode 150
- Episode 151
- Episode 152
- Episode 153
- Episode 154
- Episode 155
- Episode 156
- Episode 157
- Episode 158
- Episode 159
- Episode 160
- Episode 161
- Episode 162
- Episode 163
- Episode 164
- Episode 165
- Episode 166
- Episode 167
- Episode 168
- Episode 169
Exec. Editor @ PI Media
Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.
Crypto AG, Part 2: The Death of Bo Jr.
It feels like the more you learn about Boris Hagelin–the inventor and founder of Crypto AG–the less you actually know him. Like, here’s something: Boris, though Swedish, was born in a small village in Azerbaijan, where his father ran the local arm of Alfred Nobel’s petroleum company.
Boris earned an engineering degree but, by the time he was put in charge of AB Cryptograph, he had no experience working with cipher machines. And yet, remarkably, in under six months he successfully built a model that rivaled the Enigma–the secondmost notorious weapon of the war, behind the atom bomb.
Soon his machines were not just secure, but entirely unbreakable by even the NSA. And so he was approached with an offer: to partner with U.S. intelligence for the most brazen hacking operation ever conceived. According to accounts, Hagelin had absolutely no qualms, accepting the offer on the spot.
Trying to unravel what shaped Hagelin–who he really was, what he thought, what he was capable of–becomes more difficult the harder you try.
In that way–and that way alone–he was quite like his son, Bo Jr.
WHO IS BO JR.?
Bo Jr. was a man of average height, with white, combed over hair like his father. There’s really only one photograph of him in circulation: a family picture. Boris Sr. is prominent in the foreground, while his son, perhaps fittingly, is lined up in the back. Boris looks elderly but distinguished, while his son looks a bit…naughty, maybe? Sly? His smile is more of a smirk, and his goatee certainly doesn’t help.
Bo Jr. was a man of contradictions. Like his father, he resists easy definition. On one hand, he was his father’s successor, in more ways than one. He was a capable inventor–for example, he came up with the initial model for a pocket-sized cipher machine in 1951. It later became the CD-57–a device not much larger than a pack of cigarettes, designed like a transistor radio. Bo’s skill may be why, initially, his father planned to retire and make him head of Crypto AG.
Except Boris Sr. insisted that he was the one who invented the CD-57. When Bo asked for royalties for the CD-57’s sales, his father was furious. Eventually, according to the accounts of William Friedman–chief cryptanalyst at the NSA–Bo Jr. obtained exclusive rights to sell the CD-57.
The conflict continued from there. Bo relocated to the United States, and married a woman his family did not approve of. He was careless with money, and requested that his father send him tens of thousands of dollars in allowance. The relationship between father and son deteriorated to the point where, by 1969, they hadn’t seen one another for at least half a decade.
At the same time, Bo Jr. was becoming an increasingly vital member of his father’s company. He was by now directing sales in North and South America, playing a vital role in the survival of the business.
Hagelin had made a small fortune selling C-38s to America in World War II but, in the immediate aftermath, as you’d imagine, demand declined. Sales halved from 1945 to 1946 and, in 1947, Hagelin sold just 57 cipher machines total. He fell into a depression, and considered terminating his company.
Then the Cold War began. Through the mid-50s, Crypto AG sold between 4- and 500 machines a year. In the early ‘60s, over 2,000. In 1963, over 5,000. And up and up from there.
Many of their new customers were not NATO allies but, rather, small satellite countries of the U.S. and U.S.S.R. Middle eastern nations like Egypt and Iran, and South American nations in flux between communist revolutions and right-wing dictatorships. Bo Jr’s business in South America was gaining so fast, in fact, that it became a problem. Because Bo–still presumed to be his father’s successor as CEO–was not informed about what his company was actually doing. That what he was selling was part of an elaborate ruse.
Of course, this led to some complications. William Friedman went to visit Boris at his home and, sitting in his garden on September 28th, 1957, a day of “bright, warm sunshine,” he brought up that Bo was threatening the operation. Quote:
“I said: “Boris [Jr.] has been calling in person at every legation and embassy in Washington and I suppose he is “educating” some of them. I know he put out one document that we’re not happy about.””
By “educating” Friedman means instructing countries on the most secure use of their machines. Bo wouldn’t have known that, by helping out his customers, he was betraying his father’s deal to sell intentionally vulnerable equipment. Friedman hoped Boris would dissuade his son, but Boris deferred. Quote:
“I should think your authorities would be in a better position to control this sort of thing than I. After all, he is in your country and I am here, in Switzerland.”
In 1960, Bo Jr.’s arm of Crypto AG sold a batch of machines–model “CX-52/RT”–to the government of Brazil. The NSA was furious. They contacted Boris Sr., and told him they couldn’t do that. In fact, they couldn’t sell that particular model to any country south of Texas. The reason: Because it was unhackable.
The CX-52/RT is, you’d have to say, quite ugly. Even by old cryptography standards, it’s one of the duds. It’s small– roughly the size of a shoebox –but somehow also chunky. It’s military green. On the left side of the machine are a series of dials, on the right side a small hand crank. On the left hand side of the face of the machine there’s a rotating dial of characters–like a rotary phone, but with letters instead of numbers–and above it a thin paper printer, which produces your message and corresponding cipher. Next to the dial and printer is where you’ll find a roll of what’s called “random tape.” The “RT” in CX-52/RT.
Random tape doesn’t look particularly interesting–kind of like if Scotch tape had a baby with some Swiss cheese. And yet, this kind of encryption–random or “one-time” encryption–remains the strongest way you can encrypt anything, in general, even today.
Imagine I want to send a secret message to you. I can encode it in any number of ways. For example, with simple substitution–where every A is a J, every B a G, and so on–but this system would be easy to crack by identifying common words and letters. An even less secure version of this would be to substitute letters with simple arithmetic–like, every letter becomes the letter 3 spaces down in the alphabet, so A is D, B is E, C is F and so on.
But what if, instead of using the same +3 formula for each letter, you used a completely new and random number? For every new letter, you hit a random number generator, and add to it that number of places in the alphabet.
So imagine the secret message is “Malicious Life.” First letter: M. Random number generator says: 8. I write down 8, and add 8 to my encoded letter: U. Next letter: A. Random number generator says: 23. 23. W. And so on.
If you, the receiver, have the encoded message and the set of random numbers, you simply subtract. U minus 8: M, W minus 23: A.
Without those randomization instructions, no outside party is going to be able to decode the message. The way one letter is encoded has no relation to the next.
Maybe some of you out there watched “The Imitation Game,” about Turing and his colleagues breaking the Enigma. In the movie, the crucial turning point is when the characters realize that every Nazi message ends with the phrase “Heil Hitler.” Because they can decrypt “Heil Hitler,” they can deduce the rest of the alphabet. With one-time encryption, this would never work. Each “Heil Hitler” would encode completely differently. Even the two Hs at the beginning of each word would come out differently.
The CX-52/RT uses one-time encryption with “random tape,” encoding these random mathematical functions into little, randomly arranged holes of varying sizes along a thin strip of tape. But the principle is the same: it is impossible to decode the message without the exactly corresponding random tape.
To this day, you can’t crack a CX-52/RT. So, as you’d imagine, when the NSA discovered Crypto AG marketing them to South American governments, they weren’t happy.
After their visit from the NSA, Crypto AG halted marketing of the model below the Mexican border, and continued selling them only to NATO countries, Sweden and Switzerland. Boris Hagelin directly contacted the Brazilians he’d just sold the machines to, and convinced them to swap their new RTs for another model of CX-52–one which, of course, unbeknownst to them, was exploitable.
In our first episode about Crypto AG, we talked about a crucial bit of insight that transformed Crypto AG from the world’s biggest cybersecurity operation to the world’s biggest hacking operation. It was the idea that this company could make both secure cipher machines–for America and its few closest allies–but also intentionally insecure cipher machines, for everyone else.
From the outside it all looked the same–the machines sold to the allies, neutrals and adversaries of the U.S. and NATO countries wouldn’t have seemed any different. But, behind the scenes, the CIA, NSA, and partner intelligence groups from countries we’ll discuss soon, had specially arranged it otherwise.
How, then, did they pull it off?
Some have speculated that it was some kind of backdoor. That would make sense, right? Some mechanism of some kind, hidden deep in the gears of the hacked machines, which compromised their functioning.
Except the Crypto AG scam couldn’t have survived so long if there were some shady kind of component hidden in a lug or a gear. No, it was more clever than that.
To understand how Crypto AG secretly hid vulnerabilities in their own machines for the better part of a century, it helps to understand how those machines actually worked on the inside.
HOW THE CX-52S WORK
When Hagelin convinced the Brazilians to toss their CX-52/RTs, he replaced them with a different model of CX-52. The CX-52 product line, first developed in the early 50s, was probably Hagelin’s greatest work. The money he earned supplying C-38s to the World War II U.S. army funded the development of this design. It became so central to the Crypto AG scam because they were so useful for both good and evil.
The CX-52 comes in either dark gray or military green. It’s like the later RT model but, instead of the random tape, six pinwheels stick out like teeth in the middle of the machine. If you’re having trouble imagining it, just picture the muzzle they put on Hannibal Lecter in Silence of the Lambs, and you won’t be too far off.
Open up the case and you’ll see packed rows of pinwheels and gears and their little notches intertwining to create a spectrum of number combinations that boggles the mind. The sheer power in these arrangements of tiny components makes it, actually, kind of beautiful to witness. That such a small thing could be so layered, so deep and complex.
Actually using it, on the other hand, is quite simple. You and whomever you’re messaging begin with a codebook–the same codebook–with instructions for whatever starting position you’ll be using. So, for example, you and I open our codebooks on February 21st, 2022, and you see the numbers: 13, 02, 07, 15, 41, 39. We both set our pinwheels to that starting setting in order to ensure that the final result of my enciphering matches yours.
Next, turn the rotary dial to whatever letter you wish to encode–let’s say, “L.” Pull the hand crank and viola: “N.” You dial the next letter–“E”–and it comes out “A.” And you keep going just like that: a “V” becomes a “T,” an “I” becomes an “E.” As long as you and your receiver have the same model, the same exact configuration and the same starting position, they’ll be able to decode what you encoded.
That, alone, is standard enough. What made the CX-52 so interesting is that it was entirely customizable.
For example, there’s the drum–the revolving cage with sliding bars attached, that revolves every time you pull the lever to encode a letter. Depending on how you arrange the pins and little lugs attached to the cage, the machine will output a different number of steps for the pinwheel. The mechanics are difficult to explain without a visual aid, but all you really need to understand is the effect. With this level of customization, you can cause a wheel to advance by 1 notch–from what we’ll call position 1 to position 2–or 2 notches–1 to 3–or 3, 4, or 5. And, remember, there are six pinwheels. Imagine how difficult it would be for an adversary to recreate your particular arrangement of the drum, necessary to decode your cipher.
Next we’ll look to the left side of the machine where, as we mentioned, there’s a tiny printer. It’s kind of like a receipt printer, that outputs a thin strip of paper with the input text in one column and the output in the other. Some iterations of the CX-52 possess the ability to mix and match the letters on the dial–where you choose each letter of your message–along with the corresponding printheads that press ink to paper, to add an extra layer of scrambling.
Great customization allows for great security, because cracking any customized pair of CX-52 machines is unlike cracking any other pair. Or, as a professor put it to the BBC, quote:
“It’s a bit like defeating Enigma and then moving to the next country and then you’ve got to defeat Enigma again and again and again.”
THE TRICK TO CX-52 HACKING
However, this principle goes two ways. Generally speaking, anything that can be configured to be secure can be configured to be insecure.
William Friedman had discovered this all the way back in the late ‘30s, when Hagelin made his first trip to sell C-36 machines to America. America’s leading cryptanalyst liked the young inventor, but didn’t love his product. It was nice in theory but, presciently, Friedman discovered that he could arrange it in such a way that created a short “cycle”–essentially, reducing the complexity necessary for someone like him to solve the machine’s output. The mechanics involved are very complicated so, as an analogy, think of a computer server. In the right hands, servers can be very secure, allowing only certain information to travel along certain channels. Misconfigured, however, they can be sitting ducks for hackers. Hagelin’s C-36 was secure to those who knew exactly how to use it, and vulnerable to anyone else.
Three decades later, Peter Jenks, a mathematician and cryptanalyst for the NSA, took a CX-52 machine and deliberately manipulated its customizable settings in order to produce a shorter, more solvable cycle. The result was that the NSA could interpret outputted messages at a rate of 20% or so, given the capabilities of their cryptanalysts and reasonable time constraints.
Crucially, Jenks then devised a customization for which the cycle would be long, but this time only pseudo-random. Thus, from the outside, this new customization of lugs and pinwheels would look to an observer to be very secure. And yet, it was even less secure than the short cycle arrangement. With this, the NSA could read about 70% of outgoing ciphers.
So, in summary:
The CX-52, when operated by a knowledgeable cryptographer, is incredibly difficult to crack. An adversary would have to put in an unthinkable amount of effort just to determine what particular configuration is being used.
However, if customized in such a way as to be only pseudo-random, the machine will follow a cycle that appears secure and is, in fact, largely readable.
There’s only one matter remaining, then: how do you get Crypto AG customers to use the vulnerable configuration instead of a strong one?
THE FINAL STEP
In a kind of biography about his company, “The Story of the Hagelin-Cryptos,” Boris Hagelin left a clue as to how he pulled off that last piece of the puzzle. Published in English in 1981, the very last sentences now, in retrospect, read like a hidden message–an encoded message, perhaps–either intended for the people doing the hacking, or the hacked.
He’s finishing up by putting into context the complexity of his machines–just how secure they are, at their best. In that he concludes, quote:
“The numbers given in this section are hard to comprehend. Even the number 10^15 corresponds approximately to the distance from the earth to the sun in millimeters. The numbers cited have significance only as far as they show that the possibilities for all machines of the C-type are practically inexhaustible. But these numbers are meaningless if the user does not carefully accept and exercise the instructions and does not make full use of the possible variations. The old rule is still true: the quality of a machine depends largely on its user.”
When he says “instructions,” Hagelin is referring to the manual that comes along with an order of his machines. The manual that instructs you how to configure your settings.
Hagelin wrote these manuals himself. In fact, he wrote three versions of them, each one with a secret mark according to their category: best security, medium security, or low security.
Do you see where this is going? Crypto AG could, if they wanted to, sell the same machine to an allied country and an adversary, along with two different sets of instructions.
By the time the ally finished arranging their machine, it would produce “practically inexhaustible” ciphers.
By contrast, when the adversary opened up their manual, they would begin unwittingly programming their own backdoor.
CRYPTO AG CHANGES HANDS
By the late ‘60s, Boris Hagelin was growing old and tired. His wife, Annie, passed away in 1966. His middleman and longtime friend William Friedman–long since retired and in declining health–passed away in 1969, at the age of 78. News that Hagelin might soon retire reached the intelligence agencies of the U.S., France and Germany, who began vying to purchase the company.
On June 4th, 1970–after three years of arrangements and negotiations–Boris Hagelin transferred full ownership of Crypto AG to the Bundesnachrichtendienst, or BND, Germany’s NSA. In return he earned 25 million Swiss francs, approximately 6 million U.S. dollars. Eight days after this deal, the BND signed an agreement with the CIA to share ownership 50/50. The NSA, though not formal owners, became party to the operation, and two more private companies–Siemens and Motorola–were contracted as covert vendors providing personnel, consulting and parts.
You might wonder how two national intelligence agencies purchased a private company without anybody realizing it. In fact, Hagelin made it quite simple. Back in 1950, even before founding the company, Hagelin devised a complex structure of shell companies through the small nation of Liechtenstein in order to shield Crypto AG from taxation.
In a documentary on Swiss television titled “Cryptoleaks – How CIA and BND spied worldwide with Swiss help,” a German journalist explained how the company’s revenues made it back to the BND out of sight even by Germany’s own government and regulators. Quote:
“Profits would be transferred to Liechtenstein and on to Munich, where BND officers picked the money up [. . .] in cash, and carried it in briefcases to an underground car park to hand over to CIA officers. Like a scene from a bad movie.”
Though they were quite large by now, just three people at Crypto AG were made aware of the deal:
Boris Hagelin, of course, who, upon signing away ownership, retired as CEO.
Sture Nyberg, Hagelin’s trusted colleague and plant manager, now CEO.
And Bo Hagelin Jr.
From the beginning, U.S. intelligence could sense that Bo was not quite the same willing partner that his father was. He was reckless, unknown, not so morally aligned. An internal CIA memo described him as, quote, “a wild card in the deck who, if he discovered the true arrangements, might try to derail them.” End quote.
We don’t know exactly how Bo reacted to learning that his father picked another man to be CEO. What we do know is that Bo was the only person with knowledge of the CIA-BND takeover of Crypto AG who expressly opposed it.
He was the only weak link in an otherwise flawless arrangement. The only individual who might have possessed the motive to do something…undesirable.
Until a fortuitous event struck.
In the Fall of 1970, Bo Hagelin Jr. was driving along Interstate 495 in Washington D.C. and crashed. He later passed away in the hospital. In their summary of the event, The Washington Post noted that, quote, “there were no indications of foul play.” End quote.
It was quite coincidental timing. According to German journalist Erich Schmidt-Eenboom, quote:
“Even the BND’s Vice President assumed that Bo Hagelin was not the victim of a car accident, but of a murder committed by secret services. Hagelin Sr. is said to have tried, unsuccessfully, to clear up the death of his son for many years.”
With Bo Jr. out of the picture, American and German intelligence officials could breathe a sigh of relief. The greatest threat to their operation, for all these years, was gone.
Thus began the most successful period in the history of Crypto AG. Between 1970 and 1975 revenue tripled. It became so lucrative that the BND began funneling profits to fund their other, unrelated intelligence operations elsewhere.
According to the Crypto Museum, by the late ‘70s, Crypto AG had become the preferred supplier of ciphers to somewhere between 80 and 90 percent of the global market. That included over 130 governments, spanning six continents. Nearly the entire Middle East, southern Europe, southeast Asia, most of South America, and just about every single meter of the continent of Africa. Leave a big, gaping hole over China and the U.S.S.R.
It’s been estimated that, without Crypto AG, the NSA would’ve been able to read less than 29% of encrypted cables they managed to intercept from these countries. With Crypto AG, they were able to read twice as much: 57%.
The man who oversaw this period of its history–the successor to Hagelin’s successor–was a man named Heinz Wagner. Wagner, an upstart manager recruited from Siemens, was a characteristically different CEO from his two predecessors. According to the Crypto Museum, quote: “He had no experience with crypto whatsoever, but was dynamic, charismatic, good looking and decisive. When he walked into a room, all heads turned towards him.” End quote.
From a financial standpoint, Wagner was a very effective CEO. But in 1977, he made a critical error.
It began with a complaint from the NSA. For some reason, they could no longer read communications exiting from Syria–one of their most important targets–no matter how hard they tried.
The Syrian Army was using CSE-280 voice encryptors–a boxy, digital device resembling a generator. Apparently, they’d discovered that the device possessed weak cryptologic and so, on multiple occasions, they called in for customer support.
The man who made the trips was Peter Frutiger, head of Crypto AG’s R&D department, responsible for a number of the company’s patents. Without authority from his superiors, Frutiger had diligently addressed the government’s concerns, eventually strengthening the CSE-280 until it was truly secure.
This wasn’t his first time. In 1974, the governments of Austria and Yugoslavia discovered a cryptologic weakness in the MCC-314 bulk encryptors they used in their networks. Frutiger fixed that for them, too.
Frutiger might have otherwise informed his CEO about his trips to Damascus, except he knew not to. Over the years, he’d slowly pieced together that something was not right at his company. According to the CIA, Frutiger, quote, “had figured out the [. . .] secret and it was not safe with him.” And he was not the only one.