“Think Like a Hacker”

To protect your IT, you must think like a hacker yourself, Christian Brandt is sure of that. And he knows what he’s talking about. While at university, he got engrossed in the idea of cracking a security chip. He spent all his free time trying to find the weak points in the system that still to this day “secures” voting machines and at the time was even used in payment systems. Still a student, Christian Brandt was allowed to use the infrastructure of the Fraunhofer Institute for Secure Information Technology SIT. Today he is a researcher in the Cyber-Physical Systems Security Department and heads the Mongoose Group of the Fraunhofer SIT, one of the institute’s hacking teams.

© Fraunhofer SIT
© C. Brandt/Privat
The setup for the hack.

Mr. Brandt, already as a student you drew attention to yourself with a remarkable hack, but what led you to Fraunhofer SIT?

While I was at university, I was involved with the security of cryptoprocessors for embedded systems. As early as the 1990s, there were cashless payment systems that used such semiconductors to secure electronic money. At that time, wireless networking was not yet developed to the point that these systems would have been able to perform online verification of monetary transactions. So, the security of such systems lay primarily in cryptoprocessors. For example, that’s where users’ credit balance was stored. Then as now, breaking into such systems exerts a strong fascination over me. And so, at the time, in addition to my studies, I invested all of my free time in developing attacks on semiconductor-based security systems that were used for both eCash applications and in voting machines.

And quite successfully, too, as it turned out. How did you go about this?

You can think of it as an iterative learning process. While the first method of attacking the chip would have taken over a hundred thousand years, the second one would have taken only two thousand years, and a few iterations later, only a few months. But that wasn’t enough for me. I kept searching for more sophisticated methods of attack. Finally, this led me to side-channel analysis. The hardware needed for this wasn’t within a student’s budget. A researcher at TU-Darmstadt gave me the crucial tip and that led me to Michael Kasper at Fraunhofer SIT.

What kind of support did you get at Fraunhofer SIT from Michael Kasper who, by the way, is now Head of Cyber- and Information Security at Fraunhofer Singapore?

Initially, I pursued this project in my own time. But as my inquiries progressed, I used them as the basis for my thesis. Michel Kasper found my project very exciting and provided me with access to the side-channel laboratory at Fraunhofer SIT. So, I continued this research as a research assistant at the Institute. It turned out that fault attacks were the key. This class of attacks uses, among other things, physical properties of semiconductors in order to provoke targeted malfunctions. By tempering the semiconductor to generate data remanence effects and the targeted use of power glitches, I was finally able to develop a differential attack with a duration of only a few seconds.

Tempering? Data remanence effects? Could you please explain that to us in more detail?

The secret key to cryptoprocessors through which all transactions are secured lies in a memory area that one can access from outside only to write, but not to read. In order for the keys to remain secret, the chip sees to it that this memory area can only be overwritten in full or not at all. By means of targeted interruption of the power supply, I was able to stop the copy process prematurely and thus to cancel out the first security feature of the semiconductor.

At normal room temperatures, this would lead to a data loss. But if you cool down a semiconductor to temperatures of -30 to -40 °C, the data are preserved for a few seconds to minutes. This phenomenon is known as the data remanence effect.

But why do you want to overwrite the unknown key? Don’t you want to find out what it is?

Exactly. But unfortunately, there was no way of directly getting at the key. The sole option would have been to read a cryptographic checksum that is calculated based on the key. One could then try out all the possible key combinations and compare them with the checksum. But there are 264 combinations – even with multiple high-speed computers, it would take many years to arrive at the solution.

In order to reduce the computing time, we overwrote the first half of the unknown key with known data. That way, we only had to try out all the combinations for the second half of the key, that is, only 232 different combinations. A modern graphic card can calculate this in less than an hour. So now we know the second half of the key, and we need only figure out the first half. For that we take a cryptographic checksum that we have generated before the first attack and that is based on the original key. Now we use the known second half of this key and only have to try out all of the possible combinations for the first half, which likewise means a maximum of 232 possible combinations. By breaking it down into two partial keys, we can reduce the calculation time exponentially. And that’s the trick to this attack. In practice, I actually even went a step further, and broke down the key into eight subkeys. That way the calculation time is reduced from 264 to 8 * 28 combinations, which brought the calculation time down to only a few milliseconds. In this way we managed to extract the secret key from the chip. And with this key it then became possible to outwit the payment systems and in fact produce as much virtual money as we wanted.

What were the consequences of this discovery?

About a year after the first publication of this weak point, the largest payment system based on this semiconductor, by the name of Akbil, which was used in Istanbul to pay for local transportation, was gone. But to date, the use of these iButtons has not yet completely disappeared. Unfortunately, the chip is still being used in security-critical areas such as voting machine systems. For me personally, the intensive engagement with this project meant that I was able to acquire a great deal of knowledge that I can now use for analyzing similar systems.

What drives someone to invest so much time in breaking into a system?

There are various reasons why someone would want to hack into a system. They can be financial or ideological. At the same time, many hackers have good intentions and want to improve the security of systems. The bigger the promises of companies, the greater the hackers’ motivation. Hackers then say: You think your system is secure? Challenge accepted! That’s a great motivator and should not be trivialized. If you want to protect yourself against hackers, you have to think like a hacker yourself. That’s why many companies also employ hackers to check the security of their own products.

 

1-Wire Cruncher v3b  Side Channel / Fault Analysis Board
© Fraunhofer SIT
Boards like these are used for the side channel analysis.
© Fraunhofer Sit/ C. Brandt
The crucial information is stored in a semiconductor. In order to access the encrypted data, Christian Brandt had to cool down the semiconductors considerably.

How safe are devices?

In recent years, much has changed for the better; above all a strong awareness of IT security has established itself in the industry. But that’s not to say that all products on the market are really secure or that they protect the customer’s privacy. A manufacturer of smart toothbrushes with a wireless interface probably doesn’t think too much about data protection and security. On the other hand, in critical areas, such as medical technology or the automotive industry, things are considerably better. Here, well-known manufacturers are working jointly with Fraunhofer SIT in the areas of research, development and security analysis of products.

How does Fraunhofer SIT go about recruiting in such a difficult environment?

Naturally, you can work with classic help-wanted ads, but we can’t meet our need for IT experts that way. You have to work with concepts that are oriented toward the individual features of the company itself – there’s no one-size-fits-all remedy.

At the end of 2018, I gave some thought to how we could improve the challenging situation of finding well-qualified personnel. Promising students are recruited by companies while they are still at university. For that reason, we should start from the very first semester to get students to commit to us. In the end, that is what led to the Mongoose Group at Fraunhofer SIT, which ties the targeted acquisition of personnel to research, university teaching and scientific communication. Students get the opportunity to participate in our research as part of their coursework. At the start of every semester, we pose a series of research questions from which the students can select a topic. Competent participants can easily be identified and can be specifically recruited for projects as research assistants or for theses, and, not infrequently, this leads to full-time work at our institute. This concept is attractive to students because they don’t just do exercises, but collaborate in solving real research questions. They get direct insight into our work and at the same time earn credits for their studies. We place a high value on individual support and access to our laboratories and resources. Basically, we offer students exactly what I would have wanted as a student myself. It’s a model from which both sides profit. In the very first semester, and through the course alone, we were able to attract several employees and research assistants.

We also come into contact with students in our biweekly hacking meetups at which we serve pizza and drinks, hack hardware together, and exchange ideas. These meetings are completely informal but always a great success on a personal and professional level. It’s something employers rarely offer.

Can the subject of security also be approached as a game?

The truly interesting projects not infrequently came about through explorative projects. Someone has an idea or a question and carries out experiments on it. During my switch to full-time employment, I carried out various experiments with Bluetooth LE. This resulted in a new focus on the security and privacy of wireless communication of embedded systems in the Internet of Things. I am now heading two research projects in this area. The first is concerned with the reconfiguration of radio interfaces. Previously static hardware components are to be able to be dynamically adapted to the demands of IT security during the lifetime of the product. The second one is part of the Athene Research Commission “Open and Sustainable IoT Security” of Prof. Dr. Christoph Krauß and investigates the security and privacy of specifications, but also of IoT products that are already on the market. Above all, we want to find out the weak points of today’s products and why they came about. This will allow us to make targeted improvements in the security of future products.

Thank you for speaking with us, Mr. Brandt.

Join the Fraunhofer-Alumni e.V. - and profit from numerous advantages

  • We offer former Fraunhofer employees permanent and systematic networking with excellently trained experts. Benefit from this community via the portal of Fraunhofer-Alumni e.V.! Nearly 1100 scientists and scholars have now joined this community.
  • Please visit other exclusive events of our association such as "CONNECTING ALUMNI - Experience and Expertise in Dialogue" or our INNOVATION LOUNGE. All events are listet here.
  • Accelerate your professional development: Via the alumni career portal you can present your expertise exclusively to the association's renowned funding subcontractors.
  • Numerous Fraunhofer events such as the evening festivities at the annual conference of the Fraunhofer-Gesellschaft or the "Netzwert" are open to you as a member of the association. You can obtain free trade fair tickets for events such as LASER, IAA or MEDICA from hianus.
  • Benefit from discounts on Fraunhofer offers such as a discount on seminars of the Fraunhofer FOKUS Akademie or professional training services of several Fraunhofer organisations.
  • Use the association portal to obtain exclusive information, reports and interviews from the world of Fraunhofer alumni, job offers and event information.
  • Network with top-class experts in business and science or meet old friends again.
  • Follow us on LinkedIn or Twitter or register here as a member of Fraunhofer-Alumni e.V.

Ready for the digital transformation of your company

© Fraunhofer / C. Floritz

Digital business models, the degree of digitization of your own company or the planning and implementation of assistance systems in your company - Fraunhofer Austria currently offers online seminars for these three topics. Thanks to a cooperation with Fraunhofer-Alumni e.V. we can now offer our members a 10 percent discount on these seminars.

Fraunhofer Austria's research areas include human-centered work system design, MRK, logistics, maintenance, Industry 4.0, automation and data evaluation. Parallel to the research, the oldest Fraunhofer foreign society also maintains an extensive congress, seminar and training program. Due to the corona crisis, the colleagues and digitization experts in Austria offer online seminars.

Get the details.  

 

»Easy enough for 12-year-olds« IPT alumnus Carl Toller

© Privat
Fraunhofer IPT alumnus Carl Toller is a Design Engineer and a winning marathon runner.

Carl Toller is a design engineer at the Gothenburg engineering firm Forma. The company gained fame for its contribution to the interior of the Volvo CX40, the car of the year 2018. The travel-loving mechanical engineer is involved in the Swedish Rheumatism Society and has been president of the student union of his alma mater, the Chalmers University of Technology. For his many different projects he still uses a self-developed framework based on a project of the Fraunhofer Institute for Production Technology IPT. He spends most of his free time with marathon competitions and training. Running, as he puts it, is the best way to develop new creative ideas.


To the interview.

"Future is a good Word” - IFU-Alumna Dr. Edeltraud Leibrock

© Privat
Dr. Edeltraud Leibrock is "proud to be part of the Fraunhofer Community, because Fraunhofer uses innovation and cutting-edge technology to move forward."

Dr. Edeltraud Leibrock loves the opera, the mountains, a range of sports, and this physicist has been supporting businesses with her IT expertise ever since she was 16 years old. It all started with a holiday job working on programs for capturing production data and analyzing cement at a lime manufacturing plant near Regensburg. For her doctoral dissertation, the triathlete swapped Regensburg for the Alps, so that she could perform atmospheric research work at the Fraunhofer IFU in Garmisch-Partenkirchen. After that, she was appointed to the executive board of KfW Bankengruppe as CIO, where she was responsible for IT. But as a Fraunhofer alumna it is only natural for her to ask - #WHATSNEXT. Since 2016, as partner and managing director of Connected Innovations, one of the digital and KI consulting firms co-founded by her, she advises cross-sector enterprises on the complex issues concerning digital transformation.


Continue reading.

German interview: »Nicht nur schöne Dinge, sondern Produktionsunterlagen«

© Fraunhofer / M. Schindler
Prof. Dr.-Ing. Hans-Jürgen Grallert, ehemaliger Institutsleiter Fraunhofer HHI.

Prof. Dr.-Ing. Hans-Joachim Grallert joined the Fraunhofer Institute for Telecommunications, Heinrich Hertz Institute, HHI in 2004 as head of the institute.  Prior to this, he was Senior Vice President of Optical Networks at Siemens Information and Communications Group, where he was responsible for research and development worldwide. He transformed the HHI from a pure research organization into an application-oriented and industry-oriented institute.

At the alumni meeting at the Netzwert Symposium we had the chance to talk to Prof. Grallert about the dynamic time at HHI and his commitment to Fraunhofer Alumni e.V.. We had a conversation in German with him.

To the video

 

A new career with the Fraunhofer-Alumni e.V.

The main focus of this service is to support departing Fraunhofer employees in their further career development outside the Fraunhofer-Gesellschaft.

It addresses Fraunhofer employees who will be leaving Fraunhofer within the next 6 months due to the termination of a temporary contract and offers them a platform to post their own applicant profile.

The good news is: Registred members of our alumni-association can also use this portal. Only Fraunhofer-Alumni e.V. funding agencies interested in highly qualified professionals have access to these application profiles.

For acces to this portal reach out to:

Martin Schindler    
Editorial Team, international and career portal

martin.schindler@zv.fraunhofer.de
Phone: +49 89 1205-2158