The White Knights of Hacking: An Interview with Dr. Siegfried Rasthofer of TeamSIK

It’s a weeknight and a group of PhD students and researchers have assembled in a room. Pizza boxes are open everywhere, drinks are poured and lively discussion echoes around the table.

The topic of the night? Hacking and any discovered flaws or weaknesses in the latest artificial intelligence-imbued product.

So, what’s their endgame? Does this group hack into apps to steal passwords or transfer bank funds? No. They actively poke through software and reverse engineer applications to first discover, then resolve, significant vulnerabilities. The team members meet weekly to discuss and present new hacking techniques and interesting discoveries about mobile applications and IT security software.

Meet Darmstadt-based TeamSIK, a collaborative think tank of researchers. Barely two years old, they’ve already tested the security vulnerabilities in smart houses, cloud databases, antivirus products and password managers. The origin of TeamSIK can be attributed to Dr. Siegfried Rasthofer and Stephan Huber.

Armed with advanced degrees, both Rasthofer and Huber currently work at Fraunhofer Institute for Secure Information Technology (SIT), researching security, software engineering and mobile applications.

Fraunhofer SIT is the leading research institute for IT security. Vendors and application developers regularly reach out to Fraunhofer SIT, requesting their expertise to help improve a product. TeamSIK is a group within Fraunhofer and, similar to the university’s vision, the team’s overarching motivation is the potential to learn and apply their research to the real world.

Rasthofer and Huber used to meet up regularly in their free time and look into different Android applications. Their ultimate goal was to exploit the applications to find possible vulnerabilities.

After a while, the duo wondered if anyone else would also be interested in hacking applications with them.

So, two years ago, they coordinated a one-day Android hacking event. Taking cues from Capture the Flag, which gamifies human hackers detecting software vulnerabilities, they came up with different challenges that students would compete to solve. To their utter delight, Rasthofer and Huber discovered that the participants wanted to continue actively discovering and solving other vulnerabilities.

Naturally, I had to interview the founder of TeamSIK about what motivates the team’s research, the response TeamSIK received from affected vendors and his views on the way ever-evolving technology impacts cybersecurity.

The Mission

84 percent of internet users rely on only pen and paper or memorization for password management. (Pew Research Center)

If you scroll through TeamSIK’s website, you’ll see a page that lists their Zerodays and vulnerability reports. Those are reports that detail TeamSIK’s findings, posted after the vendor fixes the discovered issues. Rasthofer explained that after his team uncovers vulnerabilities, “We directly try to contact the vendor or app developer and then, in a secure way, we provide them our findings and give them a certain amount of time to fix it.”

That certain amount of time is 90 days, a standard grace period for the industry. However, Rasthofer reassured me that their 90-day window isn’t a strict one. Helping vendors and app developers improve their product is, after all, what TeamSIK aims to do.

I was interested in what determines the projects that TeamSIK pursues. Ultimately, Rasthofer explained the team starts a project when they find a cool, interesting topic. Appropriately, at the bottom of the website is a ticker that keeps track of the number of discovered vulnerabilities by year.

He recognizes that software gets “more and more complex over time. If a software has features x, y and z, it’s great for user convenience. But the more you add, the more complicated it gets and the more vulnerabilities can crop up that no one’s thought about.” He turns to the interconnectedness of internet of things technology. Refrigerators, toasters and cars can all talk to each other and to the consumer, but what does that mean for privacy and security?

In the example of their password manager project, he said that the team was compelled to look into the topic because people are becoming more vigilant and proactive about the passwords that protect sensitive information. According to Pew Research Center, while 84 percent of internet users “rely primarily on memorization or pen and paper as their main (or only) approach to password management,” 52 percent of internet users use some type of multifactor authentication. Password managers claim to take the stress and uncertainty out of creating and maintaining passwords and, thus, any vulnerabilities within them would affect millions.

Responsible Disclosure

“It’s basically a free beta test.”

TeamSIK takes security and confidentiality extremely seriously, Rasthofer said. Because the group is made up of students and employees of Fraunhofer, they’re inevitably always looking into some sort of security problem. “What’s important to me,” he said, “is that everything is done under a strict responsible disclosure agreement. Our students don’t find something and go out in the wild. After all, we’re in a security community.”

When asked if TeamSIK regularly comes across similar bugs and issues, Rasthofer said, “Of course. But in many cases, they are different because there are different questions involved. For password management apps, we’re interested in ‘Can we extract your credentials?’ and ‘Is your security protected?’ For antivirus apps, the question ‘Does it detect this malware?’ is not so interesting because we already know the answer. What we want to know is ‘Do they have security vulnerabilities, which makes it worse?’”

For Rasthofer and the team, the point of their research is to let vendors and developers know about a discovered problem for the sole purpose that they fix it. Interestingly, reaching out to the correct contact may be one of the more difficult things for TeamSIK to do.

“Are vendors upset that their apps have been hacked?” I asked.

“No,” Rasthofer answered, “They’re usually very happy that we told them. For them, it’s basically a free beta test. Some of them are really very nice and acknowledge that we did a good job. We haven’t had a situation where they didn’t care about the impact.”

Impact of Innovative Technology on Cybersecurity

Rasthofer and I discussed the constantly evolving fields of artificial intelligence, internet of things and machine learning. Those types of technology and the products that are imbued with those aspects are impressive and ripe to disrupt their respective industries. However, he cautions that those types of technology aren’t yet perfect.

That wariness Rasthofer has towards machine learning he also exhibits regarding the cybersecurity space. Despite working on projects that ultimately deal with the effectiveness of software and applications within the context of cybersecurity, he hasn’t christened any hard-and-fast rules.

He can give suggestions, though.

For instance, if someone were to purchase a piece of preventative software, a fantastic thing to have would be a certificate that verifies that the software does what it claims to do. Rasthofer is a big proponent of third-party testing on software before its launch date, as well as the integration of security early on in the software development lifecycle. With third-party tests, beta testers can figure out security vulnerabilities early on, before a buyer purchases the software.

In many cases, usability of software and applications is more important to end-users than the security measures placed around those applications. Unfortunately, to those same end-users, cybersecurity measures aren’t an important factor to consider until something bad happens, such as a breach, a malignant virus, a hack and so on.

However, it seems Rasthofer has at least one rule in place when it comes to considering or purchasing a software or mobile application. “As a corporate buyer, you need to know what the software is doing. You need to think what data or process the software does and think about whether this is something that [aligns] with internal policy. For instance, if your internal policy is that all passwords entered must be securely stored, then you need to have some insight into how they are stored and if that storage strategy works.”

The push and pull of collaboration and competition is crucial for innovation. Just look at some of the incredible results of epic collaborative partnerships: cars, airplanes, personal computers, the internet, the space program and ice cream are just a few examples.

TeamSIK is a modern example of that kind of valuable collaboration. They have great timing: Cybercrime is on the rise—just take a look at the global fallout from ransomware #WannaCry leveraging weaknesses in businesses and organizations who had failed to update their operating systems—and we need all the help we can get.

It’s become pretty clear that hackers have the ability to pivot and innovate should their efforts fail or stall, which are the same skills that are valued at any company in any enterprise. However, brushing hackers with that broad stroke of villain-of-the-week does a disservice to others who apply those same hacking skills for good.

TeamSIK isn’t an origin story, it’s a reboot. When it comes down to it, the members of TeamSIK are a bunch of PhD students sitting around, eating pizza, racing against the clock, solving mobile and software vulnerabilities so that vendors can continue protecting the interests of the consumer.