Security Evaluation Services

ON A MISSION: HACKERS FOR HIRE.

Working as a developer for MI6, the British secret service, sounds like a dream job – occasionally dangerous, but never boring. Who knew that you could pursue a similar career at T-Systems? Of course, you don’t get the weapons and cars that Q develops for James Bond. But hasn’t everyone dreamed of “legally” breaking into an ATM machine and scooping out piles of colorful bills?
Author: Thorsten Rack
That’s exactly what T-Systems Security Evaluation Services (SES) does. Robert Hammelrath, the current head of SES, has been on the team since the start. “With all the cybercrime today, manufacturers have to show customers that they take data security seriously and have done everything they can to minimize risks,” explained the expert for security analysis and testing. “We can help corporate clients maximize their IT security with Verified Security, our hardware and software testing and certification service.” All the security tests conform to international standards such as Common Criteria (CC) or Information Technology Security Evaluation Criteria (ITSEC).

REGULAR CLIENTELE: FINANCE AND AUTOMOTIVE

The automotive industry has been a regular SES client since digital tachographs were introduced in 2000. “The current device generation monitors driving and break times in order to improve traffic safety. Our test makes sure that no one can improperly modify tachographs once they leave the factory,” said Hammelrath. SES’s bread-and-butter business also includes financial companies, pay TV operators and the federal government. Around 80 percent of its clients are multinational corporations. One of its most important, longstanding customers is the German Federal Office for Information Security (BSI). Even the leading lights of the worldwide payment industry ask T-Systems SES to subject their products to its demanding IT security tests. “Every one of these clients has been tasked with protecting their products from tampering. How they go about it, though, is entirely up to them,” explained Hammelrath. “We only care about two things: Do they meet the right criteria for their specific application? And is their security strong enough?” Hammelrath and his team handle up to 150 orders a year. Some orders are finished in two to three days; others may take several years.
“Verified Security, our hardware and software testing and certification service, helps corporate clients maximize their IT security.”
Robert Hammelrath, Head of Security Evaluation Services T-Systems

SECURITY CHECKS START EARLY IN DEVELOPMENT

“Many manufacturers bring us on board as advisors in the development phase. That way, they can build products that meet minimum security requirements from the very start,” explained the SES head. Financial service providers often avail themselves of SES’s services as well. They have the keypads on their ATMs exhaustively tested for tamper protection so clients can enter their PINs with confidence. At the first sign of mischief, integrated security mechanisms have to sound an alarm and immediately delete any stored number codes. SES has around 30 people working at its high-tech laboratory – mathematicians, cryptologists, physicists, engineers and programmers. “Half of them act like stereotypical hoodie-wearing hackers, just like you see in movies,” explained Hammelrath with a grin. “The other people are also hackers, but of a different mold: they aren’t afraid to slice up microchips or keypads into thousands of pieces with drills, files and cutting mills.”

AS HIGH-TECH AS Q’S LABORATORY

SES’s toolkit ranges from hacking software and burglary tools to an exotic microscope known as a “focused ion beam” (FIB). This advanced instrument costs two million euros and would look perfectly at home in Q’s research laboratory. The T-Systems experts use it to probe microchips for vulnerabilities and hack them if required. Hammelrath has received some off-the-wall requests during his tenure as the head of SES. “We got an odd request to test a trash can that used identification tags for weight-based billing. So we subjected it to our standard battery of tests to verify its tamperproofness. Another time, someone asked us to certify timing rings for racing pigeons. Unusual requests like these always add a welcome variety to our day.”
