Meet the team: Philipp Koppe, co-founder and Chief Technology Officer

What is your area of expertise and how did you develop it?

I’m one of the technical founders of Emproof. I bring expertise in the exploitation of software vulnerabilities and building or designing exploit mitigations – that is, techniques to mitigate the exploitation of software vulnerabilities. I also have practical experience in reverse engineering software. For my fellow co-founders, when it comes to reverse engineering Marc has experience in hardware and Tim is more on the theoretical side: obfuscated codes and automation. We complement each other very well.

As for how I developed my area of expertise, it was partly through private projects and academic research but much of it was self-training – learning by doing if you like.

I did lots of game hacking in my early teens and after. That led to security because game hacking helps you understand how programmes work and to understand reverse engineering, which is a very important security research skill. This also helped me during my academic research. Reverse engineering goes hand in hand with the exploitation of software vulnerabilities but also with building mitigations. All this knowledge transfers very well to what we do at Emproof right now.

Is there anything specific project that Emproof has taking on that has excited you?

We can’t name the company publicly, but we are working with a chip manufacturer – one that takes embedded security seriously. That’s a real plus point. We can talk to them on a very technical level and learn from them – as they can from us – about building with security in mind.

That process is never easy. You always need to balance usability, security, performance and memory overhead. If you build something extremely secure, too complicated to use or it makes programmes so big that they don’t fit on the chips anymore, no one’s going to use it. Most embedded systems use microcontrollers, which are inherently resource-constrained, therefore can only dedicate small amounts of these resources to security features. Finding the right trade-offs is the aim, and working with people who understand that is enormously advantageous.

Do you think the awareness is growing of the need for people to address embedded security?

We see mixed results. When we are talking to other companies and even to our current customers, some of them are very aware but others less so. The problem is that the impact of a given security breach can be very different depending on the embedded device. If it’s just a rain sensor collecting data for the city, the impact is low. But if it’s a pacemaker or an engine control unit in a car or aeroplane, a security breach could be life-threatening.

In some cases – like satellites – if there’s a security breach you just can’t go to the site physically and change something. And there are thousands of satellites. These are the sorts of issues that we’re trying to highlight to potential customers.

Do the proposed laws imposing penalties on lax computer software security mean that regulators are finally catching up with you?

The movement is more on the requirement side and less on the penalty side. That’s’ probably a good thing: protection before something happens is better than a penalty after it happens.

There are functional safety certifications for automotive – for example, ISO 26262, which we have achieved. These certifications make sure that vendors have a process in place to find bugs. That’s not too surprising. If you’re going at 200 km an hour on the autobahn you want to be sure there won’t be a sudden malfunction! Similar rules are on the way for embedded security. Suppliers will have to conform to certain standards when working on technologies embedded into cars. In other sectors, such as aviation, DO178C Software Considerations in Airborne Systems and Equipment Certification is the primary document used by certification authorities such as FAA and EASA to approve all commercial software-based aerospace systems.

What industry excites you most?

We’re at a very exploratory phase. It’s not easy; each industry vertical has its specific needs. Personally, however, I’m very excited about space and avionics. Many safety aspects are being addressed but there’s also a huge need for security. A lot of catching-up is needed here, especially in the embedded domain. There are more and more legal and certification requirements, but also technical ones: someone actually has to build those solutions so that all the right boxes can be ticked. And that will enable amazing things like autonomous flying taxis. You clearly don’t want hacking when people are on board one of those! Embedded security will be really important when these innovations happen.

How can Emproof Nyx provide a solution to the problems facing industries?

Emproof Nyx keeps attackers out by adding additional checks, exploit mitigation techniques and defensive techniques on the lower-level binary software that runs on small microcontrollers and chips inside the machinery you’re protecting.

Those chips are a main attack vector. Embedded software security here is not on a par with what we find in computers, smartphones and data centres for example because of lack of awareness, and until now the lack of a technical solution that works in resource constrained systems. Emproof Nyx is a defence for embedded software.

Why is now the right time for Emproof to exist?

Because embedded systems are everywhere! In the past everything was mechanical, then everything went electrical, and now everything is digital. And the connectivity of critical embedded devices has also increased. Just look at aeroplanes: there are screens and connectivity throughout the cockpit. Then think about the future and autonomous driving. These cars will take in information not only from sensors but also from the environment, other cars and infrastructure through wireless communications. A thousandfold more embedded devices will be used, and these will need to be protected. Prolific connectivity and digitalisation are what makes our offering timely – and necessary.

It’s quite a journey from hacking at school to finding yourself running a company. Is this where you expected to be?

No. I was just a very curious kid. I started with gaming, like everyone does, but then got curious about how things work. Things kind of snowballed after that. But it helped to start early. I would suggest that if you start your whole security journey with your first semester at college it’s a whole different level than if you started at the age of 11 or 12. I got noticed very quickly at university and then got invited to do my Masters in the US alongside Mark. I started a PhD, but our professor also suggested we think about patents or even starting a company. So, we did. Our first pitches in 2016 were terrible, but we were definitely onto something. By 2017 it was clear we needed to work on our ideas and concepts full time.

What’s your vision for embedded security for the next five years?

I hope that the sort of exploit mitigations that are already robust, researched, tested and established in larger devices like smartphones and desktop computers get into very critical smaller microcontrollers and smaller chips.

That’s important. Attackers always try to go for the lowest-hanging fruit – the area with the least security – and right now it’s the embedded domain. We have to educate people – and continue improving and adapting our product. Because I’m sure of one thing above all: as the world becomes more connected and embedded systems become more common, more industries will need our help