Meet the ethical hackers who uncover cybersecurity flaws to keep your software and online devices safe

In today’s increasingly digitized world, resilience to cyber risks on data and critical assets has become more important than ever. Discover speaks with two of the most well-known experts in the field, Felix and Nico Lindner of Recurity Labs, on what it takes to create modern system security.

By Florian Bayer 

Like elsewhere in the world, data is reshaping the future of the shipping industry, and cybercrime has become an increasing threat. In fact, in 2020 alone, reported maritime cyberattacks increased by 400 percent.

“Data is essential to helping us make smarter decisions and better predictions,” says Gregory Puckett, Group Chief Digital Officer (CDO) at MAN Energy Solutions, “but increased digitization can also lead to new vulnerabilities.”

Puckett, who drives the company’s digital strategy, says one major challenge lies in bringing legacy technologies and services into the Digital Age with cloud computing, data analytics and the Internet of Things. The risks are great, because cybercriminals could bring a ship, an industry process or even a power plant to a halt.

"For us – and this should be true of any company – cybersecurity isn’t an afterthought: It starts straight away with product development.” This is where some of Germany’s (and arguably the world’s) best hackers come in, Felix and Nico Lindner and their Recurity Labs team of 16 specialists in IT security and reverse engineering.

Audits, penetration tests, reverse engineering and hardware analysis make up only part of the work to help secure systems from cyberthreats. ©Ole Witt

Ethical hacking?

Recurity Labs was founded in 2006 in an office atop an inconspicuous yellow rowhouse in a sleepy corner of Berlin-Kreuzberg, and it may well be that the inconspicuousness is intentional. Just like the hackers we see in television and movies, the lab’s team dismantles pieces of software and hardware, looking for ways to discreetly bypass security or exploit weaknesses. But instead of meaning harm, they’re trying to prevent it. The industry calls the Felix and Nico Lindners “white hats” or ethical hackers who are given consent to identify security flaws in a system.

Since 2018, Recurity Labs has been working with MAN Energy Solutions to strengthen their products, conducting rigorous hardware and software security assessments and providing expertise in threat modelling. “We trust our processes in product development,” says Gregory Puckett, “they’re well established, but Recurity Labs helps us constantly improve.”

Nico and Felix Lindner (right) grounded the IT-consultancy Recurity Labs in 2006 in Berlin, Germany. ©Ole Witt

Maritime cybersecurity

“Remember MAN has been operating for over a century,” says Nico Linder, Recurity Labs’ CEO, “and are now bringing the world of innovative, new data-driven technology to an established industry. It’s a challenging position.” On the one hand, he explains, the company has to connect complex solutions, often involving heavy machinery built when devices were never meant to communicate with one another or remotely. And they have to do this in a way that’s easy to use and provides functional scalability for operators.

On the other hand, adds Nico Lindner, “they need to keep up with the rapid pace of ever-changing information technology, keeping functionality, safety and security in balance so everyone’s needs are satisfied.”

A hack every 39 seconds

A few years back, as part of simulation for a German energy utility, Felix Lindner, Head of Recurity Labs, revealed how he went about attacking power infrastructure, and the risks only increase as more “smart” technology goes online. “It goes without saying that companies should be integrating corporate and product security to protect their business and services,” says Felix Lindner, “but the truth is we almost always find something.”

Thankfully, most of Europe’s digital infrastructure is resilient, says Lindner, but potential risks have grown significantly in the last 20 years because there are more potential targets. Using data clouds and the Internet of Things (IoT) as potential gateways, intruders can hack a range of devices from the smartphones in our pockets to the at least 50-odd different computer components found in modern cars or the hundreds in modern ships. According to at least one university study, there’s a near-constant rate of hack attempts: one every 39 seconds.

“Nothing can guarantee 100 percent security,” says Felix Lindner, Head of Recurity Labs. ©Ole Witt

Thinking outside the input box

So what does a perfectly secure system look like? “It’s basically a system which does exactly what it’s specified to do,” says Felix Lindner. “All requests and inputs not intended by design are discarded.”

In its simplest form the principle works like this: If an input box only allows alphabetical characters, numbers and symbols should be rejected. Of course, modern digital systems are far more complex, say the Lindners, but even on a large scale this is the basic mechanism of modern cybersecurity.  Problems begin to occur when developers don’t consider what can happen outside the intended use of their digital product. And this is where Recurity Labs comes into play to find potential vulnerabilities and shortcomings.

Recurity Labs looks for shortcomings or weaknesses in code, design or architecture that could have a hand in introducing vulnerabilities. ©Ole Witt

Withstand, tolerate and contain

Cybersecurity is never “finished”, explains Nico Lindner, but an ongoing effort that should be woven into any IT-related process. “We encourage clients to work closely with us from the start of their product’s development, he adds. “From the beginning, MAN has always stressed the importance of cybersecurity and backs it up with solid engineering, thorough testing and the proper organizational structures. ”

If vulnerabilities are found, Recurity Labs’ specialists pinpoint its source and see if the threat can be repeated, followed up by a written diagnosis of the problem and ways it can be repaired. “Usually there’s not one, but several potential solutions to a problem,” says Nico Lindner, and how any specific problem is solved is ultimately the customer’s decision. Once a solution is implemented, Recurity Labs runs further tests to verify security.

“Nothing can guarantee 100 percent security,” says Felix Lindner, especially since the bar for hacking is constantly being raised. What is possible, however, and what the experts at Recurity Labs aim for, are the guiding principles noted on their website: “We support in designing protocols as well as software and system solutions that can withstand most-common forms of attacks, tolerate the ones they cannot withstand and contain the ones they cannot tolerate.”

About the author

Florian Bayer is a freelance journalist based in Vienna, Austria, where he has written for Die Zeit Online, Der Standard, and the Wiener Zeitung.