Alumni Profile
Karsten Nohl Uncovers Technology Flaws to Accelerate the Evolution of Security

As a Ph.D. student in computer engineering, Karsten Nohl (CE ’09) was part of the U.Va. team that researched the privacy capabilities in widely used radio frequency identification technologies. With his adviser, Associate Professor David Evans, he developed a new type of cryptographic function for RFID applications that improved privacy at minimal cost.
As part of his exploration of new cryptographic solutions for small devices, Nohl sought to publicize the deficiencies of existing RFID cryptography. Because the manufacturers of RFID technologies refused to open their privacy functions to academic scrutiny, Nohl worked around them. In 2007, he and two collaborators cracked the weak encryption algorithm in more than 2 billion smart cards used in public transportation systems and door locks. The resulting media attention brought about a number of redesigns in RFID systems used for electronic payment and access control. At the same time, it underscored the importance of peer review in the development of sound cryptography, a principle that Nohl champions.
“We are trying to goad the world’s technology operators to use better security,” says Nohl. After completing his Ph.D. in 2008, he joined McKinsey & Co. in the technology office of its Berlin bureau, consulting with clients on large-scale technology projects. “It was like going back to school,” he says. “U.Va. taught me how engineering excellence works; at McKinsey I learned how to scale it.”
During his tenure at the consulting firm, Nohl continued his research journey, identifying significant problems with GSM networks, the standard for about 80 percent of the world’s cell phones and mobile devices. His efforts organizing an open source, distributed computing project to crack the GSM encryption algorithm earned him further media attention and led him toward his next venture.
In 2010 Nohl founded Security Research Labs, a Berlin-based think tank and consulting firm. There he leads a team of highly skilled researchers and management consultants who advise Fortune 500 companies, documenting technology vulnerabilities and supporting strategic IT decisions and risk management processes.
Nohl and the research team at Security Research Labs hack the embedded computing systems of everything from smart card chips to mobile phones to intelligent cars to the electrical grid. Boldly bringing attention to the protection capabilities of major networks (as with this GSM phone map) has made Security Research Labs one of the major forces in the field of technology security.
The approach implicitly demands that technology creators maintain accountability for the security of their systems. “This increases the likelihood that the same mistakes will not be included in future systems,” he says. “There is no improvement without incident.”