German cybersecurity company, Sikur, has high demands for security - it’s Secure Communication Platform is utilized by governments, corporations, and high-level executives.
In addition, the company just announced a new cryptocurrency wallet for its secure mobile device, SIKURPhone at Mobile World Congress in Barcelona.
Ahead of this new product launch, Sikur ran a HackerOne challenge with highly skilled hackers focused on everything from hardware, to software to physical phone theft. We chatted with Sikur COO Alexandre Vasconcelos, who was in charge of the program, to learn more about how hackers serves as an essential component of Sikur’s overall security strategy.
Why did you choose to run a hacker-powered security test versus a standard penetration test?
When crafting such device with a specific purpose our goal is to keep user information safe from any prying eyes, so when submitting the SIKURPhone to researchers we expected that would test things that we had missed.
A standard penetration test may depend on the unique ability of the tester who - by the way - can be an exceptional tester, but it will not cover all the product technical aspects. On the flip side, a hacker-powered test is far more extensive, due to its nature of having more testers and with different backgrounds, which contributes to the hacking process. By this approach, the program is more effective and proved that our device has accomplished its purpose, keeping user information (stored locally, in the cloud or in transit) secure from any third-party.
You focused on three test plan areas: accessing a “stolen” phone, breaking a purchased phone, and intercepting data. Why these three areas?
That's because we think that those are the most common situations where hacking occurs. When a malicious person gains access to your device, chances are that a local exploitable flaw may be found. Having researchers help to prove that was crucial to our product.
The proposed “stolen” phone scenarios were important to set real world situations that, where any user could face. Our goal was to prove that users would benefit from SIKURPhone security, keeping their information safe even in the worst situations, like a device theft.
There were no limitations during the testing phase, hackers were allowed - and encouraged - to search for hardware and software vulnerabilities.
Did they find any vulnerabilities that surprised you (no need to name the vulnerability, just explain the process or why it was surprising)?
In fact, we've got surprised by the way that hackers worked to find the issues, the approach was very interesting and effective.
Talk to us about the hardware component of your challenge and how its different from software-based security.
Hardware is far more difficult, because it has some very particular components that works together with software. Also, when it comes to hardware, when a vulnerability is found, deeper testing is needed to guarantee that the fix will not affect other components.
We do have some engineers with hardware expertise, and it is a very particular profile, as they also need to have software skills to help implement the solution as a hacker would, thus setting the security bar higher. HackerOne helped us a lot to find the right hacker profile for our challenge; they did a very good job.
How did HackerOne’s managed services (triage) help you and your team during the Challenge?
The triaging service is crucial to both sides, so that hacker can have a better understanding on how the customer’s product works, and on the flip side the customer may have a clearer understanding about the hacker approach to a given situation. Somethings that may seem to be an issue are made by design, and some can be classified as bugs. The triage service gave us room to work on those situations.
How did the hacker-powered penetration test via HackerOne Challenge compare with your past penetration tests?
We did have some tests before, but as technology and hacking techniques evolve, there is always something to learn and improve. We always learn something new. In this challenge we gained a lot of knowledge that will help to improve our skills.
Would you recommend a HackerOne Challenge to others? What are the benefits that you saw?
Yes, definitely. HackerOne has a strong team of highly skilled hackers who will help people to test their assets, no matter it is software, hardware or both. HackerOne also has a very strong team to help you manage the program, from its conception to the final report.
Read more about the HackerOne Challenge product and check back for updates on the next Sikur program!