I started in my early teens. I enjoyed digging into software. I wanted to understand how it worked and how people might exploit it – bypassing copy protection in commercial applications, for instance. I also did some research on computer viruses: how they work, how to write them and so on. Essentially, I always wanted to do something involving information security.
After I finished school, I did my bachelor’s and my masters in that area. After my masters, I had to decide whether I wanted to go into industry or stay in academia. I chose a mixed approach: learning more about algorithms and the formal aspects of reverse engineering but also freelancing as a consultant and a trainer to teach people about these subjects.
Once I finished my PhD I had to think about what I wanted to do next. I have a deep understanding of programmes: how programmes work, how one can analyse programmes and how to make them more secure. That led me to Emproof, to which I brought my understanding of software protection: how to build it and how to undermine it. I also have an understanding of everything that goes into large-scale automated reverse engineering and how to develop techniques that prevent reverse engineering. Furthermore, as an experienced trainer, I internationally teach students & professionals on topics in these areas and raise awareness for embedded security at various conferences.
It’s really the growth in the profile of the security sector that has been the most interesting thing for me. In the last ten years, the number of concerns and requirements related to security has steadily gone up. There’s a way better understanding of the importance of software and hardware security in general, of course; that’s down to the increasing number of attacks. But there’s also more concern about our area of expertise: embedded security across critical infrastructure in multiple industries –automotive, avionics, healthcare and more.
There isn’t one that is more interesting than the others; they are all important because embedded devices are almost everywhere! Critical infrastructure is necessary in our day-to-day lives – be it medical care, transportation, automotive or avionics. That critical infrastructure makes use of automation – and embedded devices.
As I said, the need for embedded security is everywhere; most industries use small, embedded devices that perform very critical roles. Most of them are vulnerable to attacks. While numerous vulnerabilities exist, our primary focus at Emproof lies in addressing two major attack vectors.
One is exploitation: people finding bugs, exploiting them and potentially taking over a given infrastructure. Another is distributed denial-of-service attacks. We protect against these attacks by adding guard systems that allow us detect threats and respond in real time.
We also protect against product piracy, offering protection of intellectual property of all kinds. This threat involves people finding a way into products with the goal of unlocking specific software features or reusing them in different contexts, say by cloning software, putting it into a cheap hardware clone and reselling it somewhere else. This can be very problematic for companies – especially if they have spent lots of time and money on research into the product.
Related to all of this is our work on making reverse engineering harder and adding security guards, so that these attacks are no longer feasible.
They’re catching up, but still a long way behind. It’s like there’s a large fire in the forest and you only have a small extinguisher. It doesn’t do much and everything is still burning. That said, these laws are raising awareness and this will hopefully trigger more legislative requirements.
Customers are noticing. For example, more and more attendees at security conferences are people who want to know about embedded security.
We see this in conversations with our own customers. They see devices getting hacked and reports about it appearing in the media. That’s bad for the reputation of the company involved, of course, but if a product gets stolen or attacked that could also mean a financial penalty. Our customers realise that this is a problem that might affect their own products and they want us to fix that.
That’s one development. Another is that, as we mentioned, government and regulators are starting to enforce requirements to guarantee specific security features and measures across diverse industries – such as automotive, avionic and consumer IoT. Even the companies that are trying to ignore the threat are still going to have to do something about it in the coming years.
Part of the vision is simply to improve: lowering overheads and making the production of our solution easier. But I’d like us to adapt even more in areas where people have more specific needs. In general terms that means preventing cyberattacks or product piracy. In specific terms, we want to respond to a given customer’s particular focus. For instance, we have some customers who are less worried about a specific product but more worried about the machine learning model they ship within the product. In other words, they’re interested in the protection of very specific parts. So we hope to look more into customization for specific problems or specific sub-problems.
I think there are many possible outcomes, but two that are the likeliest. One – the worst-case scenario – is that people don’t really care about security. In the coming years embedded devices will grow in number, they will be everywhere and will have a role in everyone’s lives. Without security that could mean cybercrime at the level of nation-state attacks.
The preferred scenario is a rise in security awareness. There are encouraging signs in this area but our role at Emproof is to help raise awareness and to be a leader in this area.
In fact, I’d go further. Given that embedded devices are spreading everywhere it’s a really good thing that this company is present in the market. We know how to navigate through the choppy waters of cyberthreats and how to address the regulations. We have a working solution – and an important and effective one.