FH St. Pölten students found security vulnerabilities in industrial IoT hardware
Students of the master’s programme Information Security at the University of Applied Sciences St. Pölten have uncovered security vulnerabilities in industrial IoT (Internet of Things) devices during a course held together with the company CyberDanube. The manufacturing companies were informed and have fixed the gaps.
In order to make teaching more practical, students on the IT security degree programmes at St. Pölten UAS regularly search for vulnerabilities in IT components. Last summer semester it was the turn of the firmware of networked industrial devices in the Industrial Internet of Things (IIoT).
“The aim of the exercise was to find already known vulnerabilities and to document them accordingly. In addition to the already known vulnerabilities, the students also found new, not yet known, so-called zero-day vulnerabilities in the devices. This is a great experience for students and a remarkable success,” says programme director Christoph Lang-Muhr.
Real devices and digital twins
The analysed devices belong to the category of industrial communication solutions and are used to enable reliable and secure data transmission in industrial environments. Since the students did not have any physical devices available, they worked on so-called “digital twins”, i.e. virtual replicas of the networked devices. The devices come from suppliers that are well known in the industry. “Phoenix Contact and Advantech are both leading companies in the field of Industrial Internet of Things, or IIoT.
The course was presented and coordinated by the IT security company CyberDanube, which also provided the MEDUSA solution, i.e. the technology and infrastructure for the digital twins. CyberDanube is one of two CNAs (CVE Numbering Authorities) in Austria and is thus authorised to assign globally recognised vulnerability numbers, so-called CVEs.
“It was a very exciting experience for us to work with particularly motivated students in this field of cyber security. We can also further incorporate relevant findings and experience gained through this into our platform,” says one of the founders of CyberDanube, Mario-Valentin Trompeter.
“These successfully found vulnerabilities show the relevance of research in this area and the practical work and training of students at St. Pölten UAS,” says Lang-Muhr.