Projects and Challenges as a Hacker – A Hacking Specialist’s View on Cybersecurity and Cyberattacks

Karsten Nohl

Karsten Nohl is founder and chief scientist of Security Research Labs. His research areas include GSM security, RFID security and privacy protection. He describes himself as a “hacker.” His team hacks “to understand what makes technology safe or, the other way around, what the reason is why technology is built insecurely again and again.” In the following interview, he talks about his work and projects as a hacking specialist and his interest in penetrating and understanding technology. He also provides insights into the technical challenges he encounters as a hacker and gives his opinion on current trends: which security measures make sense? Does paying ransoms fuel criminal activity? How are cryptocurrencies related to this?
[German version of the interview automatically translated into English]

Jannis Stemmann
Many thanks for taking the time today! It’s great that you’re here. Who are you and what are you doing? Can you first tell us a little about you?

Karsten Nohl
I know what I do; who I am, by definition, is what I’m still looking to find out. I am a hacker in the broadest sense and we hack many things. Originally we worked from Berlin, now from a few other locations, too. We hack to understand what makes technology safe or, the other way around, what the reason is why technology is built insecurely again and again. Sometimes we also help companies to put what we understand into practice, but our main interest is to penetrate the technology and to understand what results in more or less hacking protection.

Jannis Stemmann
Can you tell us something about the projects that you typically do, maybe also exciting technical challenges that you usually face?

Karsten Nohl
We help companies by hacking their technology in order to understand how they can be attacked. Germany of course has flagship industries in this regard. Everything concerning electromobility, for example, is of course a big hacking field, but the financial sector is evolving too, like many companies around the world. Fintech, both banks and insurers, we like to be there too, and we do it often.
We support companies either through the hacking tests that I have already mentioned or by really building teams, because we do not believe that one is ever done with the topic of security. For example, we just worked with a cell phone operator who is just gaining a foothold in Germany. And, as you can imagine, extremely interesting for us! Building a new 5G network, very cloud-centric, extremely decentralized, with a lot of experimental technology, yes, but without any legacy is really forward-thinking. Setting up a team there and managing it for the first time, that’s our job. We’ll do it for a year or two and then we move to the next and to the next and to the next most exciting topic.

Jannis Stemmann
Can one say that big companies, you just mentioned mobile communications or financial services, banks and insurance, are much better protected than small or medium-sized companies? Or do you need a significantly larger team over a longer time to hack into such big companies? What is your experience?

Karsten Nohl
From my point of view, currently hardly anyone really is protected from being hacked, but you don’t necessarily have to be. Criminals are opportunistic. Most of them go for the weakest targets, which means as long as you’re not in the last group or in the first group to be hacked, you are risk-wise on the safe side. The difference between big and small companies, from our experience, is not that significant. However, that is not because the big companies do much more additionally with regards to security – and they do a lot more additionally – than smaller companies, but because there is much more to protect there. Because of course for criminals it is much more attractive to demand a large ransom from a large company than to attack many smaller companies for a small ransom. That means the evolutionary pressure to improve is much bigger. Does that give us a larger safety buffer? Of course it does not.

All these risk models from auditors or insurers are always directed to the past. Like basic stochastic questions. A storm insurer will ask how high the highest spring tide on the Baltic Sea has been so far, and as long as the dam is a few meters above that, then you are already on the safe side. That’s not how it works in the hacking age. Every hacking wave is completely unique and also interactive. If we stick to the picture of the spring tide, they are basically waiting for the moment when you start renovating your dam and strike then. On the other side there is also a human being involved; it is not just statistically distributed like bad weather.

Jannis Stemmann
How is this when one of your teams runs a penetration test? How long does it typically take you to find a weak spot you can exploit? Where you can say: so, we could actually cause some damage, conduct a ransomware attack, if we wanted to?

Karsten Nohl
A team of, let’s say, five people can not only enter a company but also take it over completely without being detected in about two weeks’ time. There is no 100 percent probability right now, especially for the last part of not being detected. That means sometimes as a hacker you get thrown out, but of course you are not automatically taken to prison but basically only have to start again and again and learn from your mistakes. That means we’re talking of weeks, not months, to take over the largest companies in the republic.
Why that does not happen more often is of course because the criminals can find easier targets that need even less effort to gain their ransom money. The big, moderately well-protected companies where we work for two weeks with a team of five people to get in have just not been targeted yet, because it hasn’t made sense for the attackers yet.

Jannis Stemmann
Some of the people watching or listening to us might think that maybe Karsten’s team has more information than the hackers do – with a white box test or a gray box test – does that even play a role?

Karsten Nohl
That definitely plays a role, and I can simply say that the factor that probably plays the largest role is our experience, that we have been doing this for over ten years now. There is hardly a criminal out there who has been hacking computers for ten years, because after a few years you’re either very rich or in prison. Is the starting advantage a factor of two or three – maybe, but not much more than that. And as I just said, it will take us two weeks to get in, so does a factor of 3 really help you? It will still take you a month and a half to get in, so does this really let you sleep better? Or do you think, when you are going to pay a million in ransom to a hacker anyway, he would still invest six weeks to try, and maybe even twice? When you get paid a few million once a quarter you don’t need many years to finally be able to retire.

Jannis Stemmann
How do you see the whole topic of automation of such attack simulations?

Karsten Nohl
I find automation extremely important. Whether attack simulations really are the first thing that I would automate, I would put a question mark there again, because the automation of the attack simulation basically helps with two things: On the one hand it creates a basic understanding that one can be hacked. This kind of basic understanding is really something everyone should have today, so I don’t need another service provider, no matter how automated, to explain to me that there is a theoretical possibility that I will be hacked. The second part where attack simulations help is to train internal detection teams, to give them the opportunity on a weekly or bi-weekly basis to respond to, if not a real, then a still authentic hacking attack and sharpen their knives accordingly. But most companies do not have such teams. Where would I start with automation? At the processing of all the problems raised in detection and in basic understanding. The vast majority of today’s companies are drowning in good ideas about what you could do about the topic of security without really using automation in order to get the work done.

Jannis Stemmann
Do you see maybe not in general, but occasionally, security measures that make you think, well, they have been implemented but honestly they don’t really make a difference when put in practice and you’d probably better have invested the money in something else?

Karsten Nohl
Yes, every day! The security market has evolved around the understanding that security is something that you are done with one day. In Germany, for example, there is the BSI basic protection. Yes, I believe that the BSI itself no longer believes today that if you use their recommendations for the basic protection once, you are finished with security. That is why it is called basic protection, and rightly so, and not fully extensive security, and yet you can find the same idea again in ISO certifications, with NIST, everywhere. Almost everything that is asked of you during the certification process gives you nothing with regards to hacking protection. However, you cannot blame the certification itself for that, because every idea in these certifications or in these basic protection catalogues will surely help someone to improve their current security situation.

The things you need for hacking protection are much more subtle: they are in the behaviors or in the interpretation of processes, they are human factors. I don’t mean the people who open phishing mails – they are surely also a problem, but a problem that we simply have to live with – but the people whose job it would be, for example, to patch and who promised during the ISO certification to patch every month; they will eventually notice it is not that easy and that we have promised something that is not feasible, at least not without more automation, which we were just talking about. Then at some point reality and the documentation part drift apart, leaving people to ask: “why did we make it so complicated in the first place?” So, yes to your question of whether I ever saw measures that don’t increase protection when it comes to actual hacking protection. Well, most of the ones I see fall exactly in this category.

Jannis Stemmann
When you look at the topic you realize that more and more money is spent on security. This may not apply to every single company, but it does for almost every company and for the general public as well. At the same time, of course, if we look at the statistics, then the number of attacks and the severity of the attacks also steadily increase. Do you have a perspective on that?

Karsten Nohl
Before I go into detail, I think I’ll have one more perhaps controversial opinion to express, and that is: Zero hacking also would not be good, because zero hacking would mean that we understood the technology that we deal with every day completely, that we really took time and thought about how to operate the technology and how to keep it safe from hackers, and that comes with such a delay that we would lock ourselves out of innovation. The people that really understand 100 percent of the technology they use do not experiment, they don’t try anything new anymore. Just relying on the technology that you installed years ago and that you finally understood relies on the idea that this is still the best to have today. So, they basically commit technological suicide. I don’t think anyone would say it is good that we have hacking, but the thesis that I stand for is this: Of all the alternatives, alternatives with zero hacking are very unattractive, because we would have to sacrifice a lot of other things for it.

No one wants more hacking, but we do want innovations, and innovation pays us billions, trillions in added value, and to say we give it all up because we don’t want to lose millions to hackers, I think that is the wrong consideration. I see hacking as a tax on innovation, and I am talking specifically about hacked companies that lose money; when we talk about private life and data protection, then I have a different opinion. I think to deal with the data of other people and to lose it does not harm oneself, but others are harmed very intensively; there I think certification, legislation and so on are very helpful when it comes to minimizing the risks that companies burden on others. Like a pollution of the internet. But if we are only talking about financial damage, I think even if we create billions or trillions in value and the hacker then robs us of a per mille of it, it’s still a good compromise. We just have to make sure we keep it under control, so that the per mille does not eventually become a percent and we lose more and more to an ecosystem that feeds itself off this money, that trains itself and that might eventually take over.

Jannis Stemmann
Another thought that you often read in the newspaper nowadays: What about the ransom payment? Isn’t it the case that this business model is actually fueled by making payments?

Karsten Nohl
Very exciting topic! And that’s exactly the topic that explains the stats you mentioned, that suddenly there are twice as many hackers as a few years ago, because exactly these blackmail trojans have prevailed in the last years. This is a development that definitely needs an answer. It currently seems that the answer is that government agencies, I do not know if from Germany, but the Five Eyes, so America and their closest allies, hack back, so they try to beat the criminals with their own methods, to expose them, to put protection money, bounties, on the criminals to explore, and that usually comes in a package of measures that also includes bans on protection payments, or at least that transparency is required.

In the US they are about to pass a bill that discusses that ransom may still be paid, but at least one has the obligation to report, so that at least statistical data can be gathered on how much money really is lost and the unreported number gets smaller. At the end of the day those are all just mitigating measures, therefore none of that will actually solve the problem, because if we take a look at classical ransom demands, i.e. kidnappings, nothing electronic, they also never stopped in regions of the world that are insecure and dangerous. And the internet and the technology we use for the internet are unsafe and dangerous. That means you can raise transaction costs, in that one arrests someone every now and then, making the transaction itself more difficult, for example by making large Bitcoin exchanges clearly want to know their customers and no longer allow criminals, but I believe that the child has fallen into the well, so we won’t be able to go back to that now and pull the numbers down to zero. A much more forward-looking answer is to make it so difficult for criminals that they give up on you and are sent somewhere else. That of course does not help the others, but it helps us all to keep getting better.

Jannis Stemmann
How do you see the topic of cryptocurrency in connection with ransoms?

Karsten Nohl
I think there will be a few more innovation cycles needed until cryptocurrencies are more good than bad for the world.

Jannis Stemmann
Karsten, there also is a perspective on the whole topic of cybersecurity that it is just a hype, and naturally also fueled by all those providers – there are thousands of providers in the security area – they all live from it, and in the organizations there are people responsible for security who live from the fact that cyberattacks exist and that you must protect yourself from them. But of course, there are for example also owners of medium-sized companies who say, “well, my company has survived two world wars and it will probably also survive a cyberattack, so let’s not get too far.” And there are few examples of companies that were actually ruined by a cyberattack.

Karsten Nohl
Those who are afraid of hacking, as one extreme end of the scale, block innovation and are going towards a slow death. At some point there will be a more agile, digitized company that simply takes away the customers. The other extreme of the spectrum has no respect for the subject of hacking and simply jumps into the topic of digitization. Those might be hacked so badly that it scares the customers away, and they will die a much more disruptive, well, not death, but at least they will realize that what they had hoped to gain from digitization was not achieved. So, we would need to find the middle, let’s say moderate digitization, where you understand hacking risks but are not afraid of them. This is the right way, not to prevent death by hacking but to remain alive as far as innovation is concerned.

Jannis Stemmann
When it comes to penetration tests, there might be tips and tweaks that aren’t so obvious, that are often overlooked, that you would recommend to IT leaders of medium-sized companies if they decide to tender a pentest. When they finally decide to find a provider, an ethical hacker?

Karsten Nohl
What is very important is not to impose too narrowly on the hackers what is to be protected. Often a company says “ok, we have been here for 100 years, we have been using computers for 40 years, everything we have today is secure of course, but we’re going to the cloud now or have our first mobile app or whatever and this is the part we are afraid of. So please test this part.” Then, two years later, the company is hacked anyway because they missed something in their existing systems. So please leave it to the hackers to tell you where you are vulnerable. On the other hand, what do you do with the results then? Now that you found out that the cloud migration to Amazon may not even be the worst, but rather in the course of the tests it was found that you cannot handle your own middleware. Will you then take the sledgehammer and say “we have to implement the BSI basic protection and then the ISO certification and everything else”?

My suggestion is: do not do that, but get expert advice there too, and before you do anything that potentially slows you down or comes with a cost explosion, always ask: how does the hacker see that? Does it bother the hacker if you implement this measure? And does it bother him a lot, for a very expensive measure? If so, then do it! When the hacker says it won’t matter if you put a certificate on your website, I am hacking something completely different anyway, then don’t do it.

Jannis Stemmann
Now, as a final question: If you could send an email to all CIOs in the world, or if you could have a street billboard set up, what would be the core message, or what would be in the subject line?

Karsten Nohl
Trust your experts! You have everyone in house, or at least with partner companies, who has learned over years what is important when it comes to security. And trusting experts also means not fearing hacking that much. It will not improve when you are scared, but everything else that the company does might become worse – you might become technology-skeptical. Trust the experts and let them do their work, and if the expert says we need a tool, then give him the budget now. But do not increase the budget by 30 percent every year just so that you as the CIO think you fulfilled your part. Extra money does not always help and may even get in the way of people.

Jannis Stemmann
Karsten, thanks again!

Karsten Nohl
Thanks, Jannis, great questions!

Please remember: This article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing, or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts, and we welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.