Siebe has been with Riscure for over 10 years, and he has taken on different roles over the years. He originally started as a software engineer and then moved on to the role of a security analyst. However, Siebe did not stop there and, for a while, worked as a security trainer at Riscure Academy and Customer Experience teams, which he helped create. In these roles, Siebe supported our clients with his in-depth knowledge of Riscure tools and hardware hacking techniques in general. At the end of 2019, Siebe transferred to the role of a Principal Engineer for Riscure Inspector.
Why did you choose Riscure?
I was attracted to the technical depth that we have in this company. Riscure consists of mostly technical experts in a very fascinating field of cryptography and embedded devices. I have a background in hardware, however, I was never solely interested in this field. I am more of a midway between hardware and software. That is exactly what Riscure does, and this is what lured me in. I am also not a theoretical person but prefer the implementation of knowledge, which is again what Riscure does. Unlike many companies that live in a theoretical world, Riscure lives in the real world. We do not ask whether something works, but we seek to explain it and improve it. That is what drew me in the beginning and kept me here over the years.
How would you define device security?
To me, device security is ensuring that whatever product the consumer gets in their hands is safe. For example, if they buy a phone or a car, consumers want hackers to stay out. I think that is the core of what we do. We provide safety and security to end-users. Our role in this is to provide tools and services for those making these devices, who have the end goal of securing their devices for users. Although complete security can never be guaranteed, developers seek our support to ensure a reasonable degree of robustness. In doing so, we try to hack the device looking for different ways to break it. We use Riscure tools ourselves or offer these tools to development teams to test the security of devices in-house.
Can you explain what Side-Channel Analysis is?
Side-Channel Analysis (SCA) is basically just listening and analyzing. SCA is the equivalent of a 1950s spy movie where two mobsters in a hotel room are talking, and a person in the adjacent room is listening with a glass on the wall and writing everything down. It is something that the mobsters don’t expect, and likewise, it is often not expected that a device can be analyzed via a side-channel. They expect that the room is soundproof, or they simply don’t think about it.
In short, with SCA, one tries to find a way to listen in on whatever’s going on and tries to extract information from it. In our case, it is a bit more complicated. Devices speak in code, so we not only have to write it all down but also decode the information. That is the second step of SCA – analyzing through crypto or statistical analysis to see whether there are commonalities that can be exploited.
How is Fault Injection different from Side-Channel Analysis?
Fault Injection (FI) is much more active. With FI, we try to actively interrupt the process to a point where it starts spilling information. It is somewhat similar to interrogation in gangster movies. The same happens to a device. However, you have to be careful with the device, as you don’t want it to break completely, or you will destroy the information contained within.
What are Riscure Tools, and who are they for?
The software side of Riscure Tools can be divided into three types: a classic Riscure Inspector, Inspector FI Python (FIPy), and Riscure True Code. Inspector and FIPy are focused on testing physical attacks, while True Code is focused on pre-silicon evaluation and code analysis. These are two fairly different avenues. Inspector is developer-focused, and FIPy is process-focused.
Looking into the differences between Inspector and Inspector FIPy, the main difference is the coding language. Inspector is written mostly in Java, while Inspector FIPy is Python-based, adding extra flexibility. The difference in language base and versatility result in two different use cases. As an example, for Side-Channel Analysis, Java works well, as the workflow is fairly common. However, for Fault Injection, sometimes a leaner environment is needed, depending on the device, which makes the simplicity and flexibility of Inspector FIPy more convenient.
Inspector has traditionally been very much a tool for experts by experts. However, what we see more and more is that the industry is growing, while the number of experts is not growing as fast. So we are adjusting the tool for non-experts, in other words, we make it easier to perform attacks that a real-life hacker would be able to mount. I believe that this is where Riscure Tools can continue growing: transitioning from the traditional focus on performance and advanced functionality to making our tools more accessible for non-expert users.
What are some of the biggest challenges in your work?
I remember I was quite intimidated in training because of the list of trainees in my courses. I remember once I was giving security training at a university, where the participants were two professors, four PhDs, a few Ph.D. candidates, and master’s students. Looking blind at the titles, I started to question my expertise and knowledge. But in the end, the only thing that mattered was that I am the expert in my field, and I have the expertise to share with them.
When it comes to development, I get new challenges every day. Otherwise, I would not still be at Riscure. Developing new attacks and implementing new ciphers is very challenging technically. But in the end, the biggest challenge is the evolution of the tool in the right direction and making sure that everyone on the team is on the same page about what it should look like.
It is like planting a vine that keeps growing on its own. But it grows all over the place, so some of us have to add the framework for it to grow in the right direction. I would say that I’m a fairly experienced programmer, so I contribute with lots of knowledge at least. I think I also contribute and plan to contribute more to the long-term vision of what the software should and can be. We are currently in a split of two types of environments: SCA vs. FI and expert vs. non-expert. While it is a purposeful decision, we aim to go back to having one tool for all to make it more convenient from a user perspective.
What are some of the industry developments happening in the device security industry now?
There is a very big shift away from SCA to FI. The whole industry focuses more and more on the Fault Injection because we see that there are not many really new attacks being published for SCA. While SCA is still valid for all markets and can still gets the result, it is not the core of businesses anymore as it was 10 years ago. Therefore, the focus of the industry on FI is very reasonable as it keeps getting results, whereas countermeasures against SCA have gotten so effective that it’s often no longer feasible to perform successful attacks.
However, this focus is not a very new thing. It has been marketed by companies like Riscure for the last few years, inviting the industry to focus more on FI than SCA. The message appears to not necessarily get everywhere yet. But we do see that as the focus of the industry right now and in the future.
What is it like to work at Riscure?
Some things about Riscure have changed over the years. But the core remained the same. Riscure is a community of great and smart people. You can sometimes hear internationals describe the Netherlands as a not too open or welcoming country. While I can imagine that is true about some Dutchies, it is definitely not the experience I observe anyone has at Riscure. Everyone who joins blends right in. The colleagues are ready to help and share knowledge from work-related topics to personal lives and experiences. Riscure is always fun and supportive of each other. That is why we are a true community, where each of us can find a place.