War Hackers: Why Breaking Enigma is still relevant to cybersecurity today

This year marks 100 years since the precursor of the Enigma machine was first patented by Arthur Scherbius.

Although known best as the enciphering machine used by the Nazis during World War Two, the Enigma machine in fact pre-dates the war and was available commercially until the late 1920s, after which the German government swallowed up the company, removed the machines from the open market and upgraded the hardware.

Cover of the original manual for an Enigma machine

So how could the cracking of coding technology that is a century old still have any relevance to today’s cybersecurity world, where ciphers, and the hacking of them, are infinitely more complex?

Well, the story of breaking the Enigma code is a fascinating tale of cat and mouse, which anyone in the cybersecurity space today will appreciate. Essentially, the Poles, Brits and Americans, who each broke Enigma ciphers at different points during the war, were hackers, constantly probing for weaknesses in the Enigma system.

It was a combination of mathematical genius along with exploiting said weaknesses in the hardware, prescribed protocol and just plain user error, that helped Allied forces break Enigma ciphers and allowed them to read many of the messages (though not all by a very long way) and gain advantages which eventually led to Allied victory and the shortening of the war.

Dropbox, San Francisco, Feb 2018

As part of our recent Silicon Valley Tech Tour, Dr Enigma presented at the Dropbox HQ in San Francisco, and during this visit I spoke to Scott Joaquim of Dropbox’s Security Team. He perfectly sums up why the Enigma story is still so relevant to IT security and what they are trying to achieve at Dropbox today:

“At Dropbox, one of our core company values is being worthy of trust. With over half a billion users and 300,000 companies using our platform, security and privacy are our top priority.

So for us, one of the most riveting elements of the history of the Enigma machine is that, in spite of the machine’s technical sophistication, it was human error, procedural flaws, and leaks of key information that helped enable the Bletchley Park team and others to crack the codes.

It’s a dramatic testament to the fact that a system or organization can only be as secure as the people who are operating or taking care of it. At Dropbox this is why we cultivate a culture of security where every employee, regardless of their role, takes personal responsibility for keeping Dropbox and our users secure.”

Speaking at Dropbox HQ, San Francisco, Feb 2018

Indeed, with more ways to set up an Enigma machine than there are atoms in the observable universe, the Nazis were convinced that Enigma ciphers were unbreakable. And indeed they were correct in believing that they were safe from a brute force attack; it would have taken a lifetime to run through each setting, and even with today’s modern computing power, you can’t break Enigma this way.

However, clever people approached the problem differently, discovering and exploiting weaknesses with both the machine’s hardware, the user protocols set from above, as well as just every day user laziness, to attack and break the ciphers.

As Scott from Dropbox noted, it’s a stark reminder that systems are only as secure as their weakest link. It’s not just holes in the code which need to be patched; social engineering attacks are nothing new, and the lessons that Alan Turing and the Enigma hackers learned back then, still have much to teach us today.

To learn more about the fascinating Enigma story and its relevance today, book Dr Enigma for an Enigma Machine presentation and hands-on demo with his original Enigma machine.