It’s a dreadful scenario: fraudsters working to crack a credit card’s microcontroller and steal sensitive data. To prevent such misuse, Deutsche Telekom’s test center painstakingly inspects IT products, covering everything from microcontrollers to entire routers, on behalf of manufacturers.
They grind away at smart card chips, bombard semiconductors with light pulses, use electromagnetic fields and torment software with nonsense or error-ridden entries in order to disarm their protective mechanisms and get their hands on confidential information. These are no criminals at work, however – they’re employees in the Evaluation Facility unit at Telekom Security. The unit is one of a handful of certified test centers in Germany which test IT services, products and systems and work in close collaboration with the Federal Office for Information Security.
The nearly 30-person testing team receives orders from companies that face huge financial risks if their services and products are not secure. They also receive commissions for security checks from government agencies.
From the humble chip to the latest encryption technology
Credit card chips, card readers, and ATMs have been subjected to tests since 1998. Nowadays, the pros also check chips for ID cards and passports as well as SIM cards used by the police and fire service for digital mobile communications. The testing methods are even suitable for “secure elements”, i.e., highly integrated system-on-a-chip (SoC) solutions with integrated security controls.
What’s more, the testers dismantle digital tachographs, the modern versions of which are used to record truck drivers’ driving time and rest periods. They even check entire routers.
“We are currently one of the few teams in Europe who test quantum key distribution – an encryption technology which uses quantum computing,” explains the head of the test center team, Rüdiger Peusquens.
Using finesse and precision
The test center’s services are in high demand – support would be very welcome. In addition to hardware, the experts are devoting themselves increasingly to software components. The tests carried out in the laboratories for this are very formal, following technical guidelines which dictate exactly what is to be tested. The methods themselves, however, are like something out of a spy film: the experts in physics, mathematics, IT, and electrical engineering do their best to outsmart the technology. Both sly and persistent, they seek out points of entry to systems, leaving no trace where possible, and try to crack encryption or compromise the keys used.
The pros make use of microscopes and oscilloscopes and know all the tricks hackers use. “Sometimes things like a component’s energy consumption can let you draw conclusions about the data processed. Or you can use extreme voltages to change the date in the software and therefore get around any security barriers,” explains Peusquens. The software is checked for all eventualities using techniques such as fuzz testing. This term refers to the attempt to get around security mechanisms or intentionally cause malfunctions using unspecified input data or undescribed operating sequences.
“Anyone working here needs a certain amount of destructive energy paired with sensitivity, attention to detail, and a great understanding of technology,” states Peusquens.
Certificate attests to high level of security
The pros are very precise in documenting the attack pathways and results. If they weed out any errors found, the manufacturer receives a certificate attesting to the successful check carried out by BSI or another organization, which signals to the outside world that the product fulfills a high level of security.
Deutsche Telekom’s test center assesses IT products in accordance with the internationally recognized Common Criteria standard. The methodical product check includes an analysis of vulnerabilities and comprehensive security checks. It forms the basis for a security certification.