Employees in an IT testing lab pry open the security systems in chips, processors, smartphones and cars. In search of the secure system, they destroy devices, put chips under electron microscopes and make processors malfunction by applying excessive voltages. And at some point they always solve what is, from their point of view, a “very interesting puzzle”.
The verdict of the test laboratories is sobering: most IT systems are not secure and are not meant to be secure at all. Smartphones, for example, are designed as an open architecture, so security is not possible per se. One reason is that for many business enterprises security is a business calculation. And one of the cost factors is the damage to the company’s image if hackers report a successful attack.
The clientele of the laboratories is just as sensitive as the tests performed by the employees and their results. During a visit to one of the major European testing laboratories, its director explains that for almost 20 years, he has been testing processors or network components on behalf of governments, certifying ID cards, certifying military technology, and breaking codes, phones or health cards. Government agencies often demanded proof of 100% certainty.
Interested parties from industry, on the other hand, are quite different: here, security is more a question of risk management. Those responsible in the financial industry, for example, understand IT security as a business calculation. Their parameters are the degree of security, the possible image damage and an acceptable level of damage.
In Europe, there are few IT test laboratories. Research shows that they are often integrated into the IT departments of large corporations. Other testing laboratories are spin-offs from research institutes or universities, and some are organized as state agencies. In addition, major IT manufacturers equip their research departments and quality management with their own test laboratories. Here, the researchers not only disassemble their own products, but also deal intensively with the devices or components of their competitors.
In addition to this gray area, there is undeniably the dark side. These are criminal hackers who work in similarly equipped laboratories, with similar instruments, to undermine security.
Hacking is always the defining concept. By its own account, the task of a testing laboratory is to check the security of systems and products by having its employees crack them. Any means are fair, and it works “on almost every product”. According to the laboratory manager, this is not primarily a technical challenge, but rather “a very interesting puzzle”.
Of course, the conflict is inevitable. Engineers follow design and manufacturing specifications. A smart card should typically operate between zero and 45 degrees Celsius. The engineers cannot say whether a chip card is still secure at minus 70 degrees or at plus 120 degrees. If a chip is designed for three volts, the manufacturer will not state how the chip behaves at seven or ten volts. Therefore, it is the task of the test laboratory to go beyond the limits of the specifications and to examine how and when security and reliability diminish.
Interested parties from all industries are queuing up at the test laboratories
Of course, this also applies to encryption and cryptographic methods, and it covers not only the technical issues but also the analysis of design and manufacturing. If key generation is part of the process, the lab checks the entire process. For companies that generate keys institutionally, key generation would be the subject of its own approval process.
Thirty years ago, financial institutions were the first companies to show interest in the work of testing laboratories. Today, interested parties from all sectors are in line: for example pay-TV, video-on-demand, the automotive industry, chip manufacturers, telephone providers, internet providers, energy suppliers, government and the military.
The next growth market could be the automotive market. With connected vehicles and electromobility, security issues are increasing in the automotive industry. Many manufacturers now generate their own software keys in their own PKIs, because without encryption and sophisticated security systems there will be no networked vehicles, no electromobility, no new mobility concepts and no car sharing.
Therefore, the automakers build a physical point into their vehicles that is secure. Specifically, this is a processor that can securely store the keys and process the cryptographic protocols. The engineers first design such a point, and the task of the testing laboratory is to test whether and how secure this point actually is, and then to certify the degree of security.
It is alarming that exactly this process – the construction of a “secure point” – has never existed among smartphone manufacturers. That is why smartphone architectures are per se “open” and a perfect security system is not possible. But there is good news that I take home from the test lab: the manufacturers of smartphones are thinking about securing their products. Not because they think it necessary. Rather, they are driven by various sectors of the economy. For example, video-on-demand providers are demanding security for their paid content business model.