Threats from cyberspace

Reducing cyber risks, improving information security 

Why expanding connectivity endangers our daily lives, what Srdjan Capkun likes most about information security and how he can protect us from cyber risks. 

Imagine, you have a pacemaker. Once a year the doctor remotely checks and adapts its proper functioning. But if malware modifies the parameters on your doctor’s system, this might cause you significant harm. Imagine, you park your car in front of a supermarket and lock it electronically with your key. When you come back, the car has gone. Someone has spoofed its entry/start system. Imagine a self-driving bus suddenly runs into a crowd of people waiting at the bus stop. Someone has hacked the electronic system and has taken control of the bus. These are just a few examples of threats Srdjan Capkun, Professor of Information Security at ETH Zurich, mentions when we meet him in his office. “Most of the devices today are somehow connected,” he explains. “They collect data or have little computers running inside which can be attacked. Connectivity is great but it is definitely something that exposes us to high risks.” Digitisation and connectivity are going to make our society extremely vulnerable. We are facing threats at all levels – from financial institutions and public services like banks, power plants and transport systems down to individual devices like mobile phones, computers or smart homes. When Srdjan Capkun started as a PhD student at the EPF Lausanne some 20 years ago, he realised that information security would become a crucial topic in the future; hence, he wrote his PhD thesis on a security topic and specialised in this field. 

«Digitisation and connectivity
are great but they are going
to make our society
extremely vulnerable.»

“It is a lot of fun to work on these topics where you have to consider someone else’s actions, which is hard to predict. If you change something, the other side will try to adapt and you have these games continuously back and forth. And what I also like: security is a cross-layer field and requires a holistic approach because you need to have a broad understanding of an entire system in order to secure it,” Srdjan Capkun tells us on the way to his systems security lab just across the corridor. There, his team is currently testing how to measure the distances of two devices securely, for instance the distance of your car and the key in your pocket or how to safely obtain the GPS position of your mobile phone. 

Secure positioning 

Secure measurement of the distance between two devices or a position of a device is a key issue in security. Attackers try to change the distance measurement and by doing so alter the position of your device to a false place. Your mobile phone believes it is in Berlin while it is actually in Zurich. Once the attackers have faked the position, they can spoof your device and misuse it in many ways – from opening and stealing your car up to controlling a robot. Srdjan Capkun and his team have developed a solution concept for this problem and they have proved already that it works by successfully securing the access to cars. “Currently, we can do this for a distance of about 200 meters, but we need to push the distance as any kind of internet devices are affected,” he says. However, there are still many scientific and technical problems to overcome in order to make the concept work under different conditions and to prove that it is secure. To address these difficulties, Srdjan Capkun received an ERC Consolidator Grant in 2016 that came into effect in spring 2017 (Cross-Layer Design of Secure Positioning). “For a long time, I have had this dream to understand the problem fully and to have this security system built and deployed,” he tells us while we are heading back from his lab. “So, in five years from now I want to write 50 pages on this topic and say: Now we do understand. We know how to build it, we know what the trade-offs are, what can and what cannot be done.”

Secure clouds 

Back in his office, he tells us about another key focus of his research – the security of cloud platforms. Cloud providers offering services in data processing and storage to many different companies have to make sure that their systems are secure and robust against any leaks within the system itself as well as against attacks from outside. 

«Security is a cross-layer field
because you need to have a broad
understanding of an entire system
in order to secure it.»

The provider runs many different companies on the same infrastructure and processes data of different clients on the same machine simultaneously, so it must be guaranteed that these companies do not receive each other’s data. This is a matter of isolation. However, security also means ensuring that data a client wants to delete disappears completely according to compliance and regulations. This is very often not as trivial as it looks like. Depending on the software design, data might still remain hidden somewhere within the system. 

«It is key to this kind
of collaborative projects like TREDISEC
to understand each other’s concepts
and technologies.»

Srdjan Capkun and his team have been dealing with challenges of cloud security and secure deletion of data throughout several projects, including TREDISEC, a European collaborative Research and Innovation Action, financed by the European Union. TREDISEC will end by March 2018, presenting prototypes or demonstration models of cloud platforms, which by then will have been built jointly by the project partners. Srdjan Capkun and his team will contribute to the prototypes by implementing security concepts. What is the main benefit for a scientist to participate in such a collaborative project? Srdjan Capkun mentions two fields. “Cloud computing infrastructure is a very complex infrastructure. Some of the participants in this project are leading international companies like SAP, IBM or NEC, with whom we have been collaborating for a long time. It is key to this kind of collaborative projects to understand each other’s concepts and technologies. And from a research point of view: the project gives us access to the infrastructure of our partners, so we can test our concepts on their system and obtain the data.” 

Secure online authentication

Online authentication is another key topic Srdjan Capkun has been working on for quite a long time. We usually use passwords to access our online services but, according to Capkun, this is one of the most insecure ways of authentication: “About 80 percent of passwords employees generate in an average company can be guessed within a couple of days of computation.” The reason is that people cannot remember complex passwords, so they tend to choose simple ones. Therefore, Srdjan Capkun and his team have developed an additional system of authentication by the mobile phone called Sound-Proof. Let’s say you want to open your email account on your laptop. 

«The system of double check
by password and mobile phone
is the most secure way
of authentication so far.»

First you enter your password and then your mobile phone communicates automatically with the server to make sure you are allowed to log in. This system of double check by password and mobile phone is the most secure way of authentication so far, because the server accepts your login only if your mobile phone is in the same room that you are. But what about biometric authentication? “Biometrics seemed to be a great solution initially but as most biometrics are static, they can be worse than passwords,” Srdjan Capkun tells us. “If you lose your password you can create another one. If someone picks up your biometric authentication, it is gone forever. You cannot change your hand.” To catch someone’s fingerprint seems to be very easy. With a little bit of powder you can pick it up from a keyboard or a glass. German hackers proved that fingerprints may be obtained even from a photo of a politician  waving his or her hand. 

Leaving Srdjan Capkun’s office after an inspiring morning, we have a look at the cartoon pinned to the door showing two mice pretending to take over the world tonight. “That is for my students,” he explains with a laugh. “I want them to aim big. 

«Your mobile phone believes
it is in Berlin while it is actually in Zurich.»

They should pick up a relevant topic and say, for example, ‘I want to build the most secure phone in the world. I want to understand all the challenges and complexities involved and I am going to build this phone!’ Then you can do this for ten years and eventually build that phone. But in the process of these ten years, you detect so many other topics and solve so many other problems. This is my message to the students and also the guideline for myself – aim big!”

Interview with Srdjan Capkun
Srdjan Capkun

Srdjan Capkun is a Full Professor in the Department of Computer Science, ETH Zurich, and Director of the Zurich Information Security and Privacy Center (ZISC). Srdjan Capkun was born in Split, Croatia. He received his Dipl.-Ing. degree in Electrical Engineering/Computer Science from the University of Split in 1998 and his Ph.D. degree in Communication Systems from the EPFL in 2004. Prior to joining ETH Zurich in 2006, he was a postdoctoral researcher in the Networked & Embedded Systems Laboratory (NESL) of the University of California, Los Angeles, and an Assistant Professor in the Department of Informatics and Mathematical Modelling, Technical University of Denmark (DTU). His research interests are in system and network security. One of his main focus areas is wireless security. He is a co-founder of 3db Access, a company focusing on secure distance measurement and proximity-based access control, and of Sound-Proof, a spin-off focusing on usable on-line authentication.

Projects funded by Horizon 2020

TREDISEC – Trust-aware, REliable and Distributed Information SEcurity in the Cloud: European collaborative Research and Innovation Action (RIA) that leverages existing or novel cryptographic protocols and system security mechanisms, which offer strong data confidentiality, integrity and availability guarantees while permitting efficient storage and data processing across multiple tenants. The project involves nine academic and industrial partners from Europe and is coordinated by Atos SE, Spain.

Duration: 2015-2018 

Financial contribution from Horizon 2020: € 4,4 m.


CSP – Cross-Layer Design of Securing Positioning: ERC Consolidator Grant on new approaches to the design of positioning systems that consider security requirements. 

Duration: 2017-2022 

Financial contribution from Horizon 2020: € 2 m.