One of the most powerful techniques to test a product's security is fault injection. Such attacks aim at modifying the circuit’s behaviour in order to access protected assets. Many types of fault injection attacks have been developed during the past decades, posing a critical threat for modern secured products. Fault Injection Security Evaluators use a wide range of attack methods to evaluate the security of a product.

Fault injection attacks are performed in several steps, using various methods. Your daily activities involve (but are not limited to) cooperation with code and/or hardware reviewers to understand the product and its vulnerabilities, hands-on experiments in our lab, result analysis and reporting. As a Fault Injection Security Evaluator, you will be trained in these activities by an experienced colleague. Once fully trained, you will become an independent Evaluator. As attacks and products are constantly evolving, you will keep learning with the team.

A fault injection test is usually one task of a larger evaluation project. These projects start with an implementation review (hardware and/or code) to identify potential vulnerabilities. This review is done by code and/or hardware reviewers who then create a test plan based on the identified vulnerabilities.

Your task starts by building an understanding of the product: its architecture, the vulnerability you are assessing, the target operation you need to attack, etc. Typically, this information is also part of the test plan and you will discuss this during the project with the rest of the team. Understanding the architecture of a microcontroller/smart card, crypto algorithms such as DES, AES, RSA, ECC etc., or payment protocols will be helpful to understand the product. This will be the first part of your training if you have no experience in this area.

Once you have understood the product, you will prepare product samples for testing. This step can involve various preparation techniques like mechanical or chemical removal of packaging, chip thinning, the preparation of test circuit boards, etc. Skills like understanding and/or designing electronic circuits or experience with lab equipment like oscilloscopes will be helpful but they – as well as any skills needed to prepare the samples – will also be part of the training and are not mandatory.

Once the sample is prepared, you will need to write a test script (typically in JavaScript) which performs the attack on one of the various fault injection set-ups present at Brightsight. The techniques you will encounter include voltage manipulation (VM), body bias injection (BBI), electro-magnetic fault injection (EMFI) and light manipulation (LM) using various laser set-ups. During the second part of your training, you will learn how to prepare your sample and how to use all of our fault injection set-ups.

As part of the experiments, you will assess the impact of the manipulation attempts performed e.g. by analyzing the response to a target command. You will need to determine whether the product you are attacking has activated countermeasures or whether you have successfully injected a fault. This is an iterative process, based on the results of several experiments for each of which you will actively choose the various parameters needed to thoroughly test the product. During this phase, you will discuss your results with the team and the code or hardware reviewer to understand better any unexpected activity you may observe.

As a final step, you will write a technical report to describe the experiments that you have performed as well as the results you have achieved. An important part of the report is your well supported conclusion with regard to the security of the product. The report must be understandable for internal and external entities, so it is important that you can determine what is important or not and have good writing skills in English.

Besides the above-mentioned activities, fault injection security Evaluators are involved in the development of (hardware or software) tools and R&D of new attacks.

• We are looking for people with a BSc or MSc degree in a technical field (Electronics, Physics, Electrical Engineering) with the potential ability to understand and perform the above-mentioned daily activities of  Fault Injection Security Evaluators.
• It is important that you like to work in a lab, with oscilloscopes, function generators, and other electronic equipment.
• Having an analytic mind and being a good team player will be a plus.
• Experience in circuit development and knowledge of fault injection attacks are helpful but not mandatory. Brightsight provides a full training program from basics to expert level. Therefore, your motivation, potential and attitude to analyse the products are most important.
• This job also requires that you communicate knowledge convincingly, both orally and in writing, to internal and external entities.

The field of security evaluation is very broad, constantly on the move, and very exciting. We look forward to welcoming you to our team!

One of the most powerful techniques to assess the security of a product is the class of side channel attacks.  Such attacks aim to retrieve secret information by using information that a product leaks in some indirect ways, such as power consumption, electromagnetic emission, etc. After its advent in 1990’s side channel analysis has become one of the critical threats to the security of modern security products such as smart cards, electronic passports, payment terminals, etc. Side Channel Evaluators will assess these products in terms of their security against state-of-the-art side channel attacks with hands-on experiments and analysis.

The Side Channel Evaluator starts their tests by building an understanding of the product: the target operation, vulnerability of the product, etc. Typically, this information is delivered by code or design reviewers in the form of a test plan. Understanding of crypto algorithms such as DES, AES, RSA, ECC etc., architecture of a microcontroller/smart card, or payment protocols will be helpful to understand the product.

Once the sample is prepared, the Side Channel Evaluators measures power consumption or electromagnetic emission of the product using a dedicated measurement set-up.

The Side channel evaluator analyses the measured signals first by pre-processing the traces with different kinds of signal processing technics such as noise reduction, trace alignment, frequency domain transformation, etc., and then by applying mathematical methods such as statistical mean, correlation, multivariate-Gaussian model, mutual information, hypothesis testing, Maximum-Likelihood testing etc.

Recent advances in the Deep Learning field have also led us to use this in Side Channel Attacks. Therefore, artificial neural networks (ANN) are now also part of side channel analysis. When only partial information of the secret key is known from the tests, the Side Channel Evaluators needs to estimate the security using probability and entropy theory. A good understanding of the above mentioned mathematics or ANN will be helpful.

Besides the above mentioned activities, Side Channel Evaluators are involved in development of (hardware or software) tools and R&D of new attacks.

• We are looking for people with a BSc, MSc or PhD. degree in a technical field (Information Security, Computer Science, Electronics, Mathematics, etc.) with the potential ability to understand and perform the above mentioned daily activities of Side Channel Evaluators.
• A good understanding of mathematics is important, as is possessing an analytic mind.
• Experience of development of electronic circuits and knowledge of crypto algorithms are helpful but not mandatory. Brightsight provides a very good training program from the basics to the expert level. Therefore, potential and attitude to analyse the products are most important.
• This job also requires that you communicate knowledge convincingly, both orally and in writing, to internal and external entities.
• Working with colleagues from different backgrounds and knowledge is also important.

As a Senior Common Criteria Evaluator, you will participate in projects for our customers. Often you will have the role of a lead evaluator, which means that you will be responsible for the technical and/or methodological quality of the project. You will also use your knowledge and experience to inspire other younger colleagues in their development and communication to customers.

You will represent Brightsight in the field of Common Criteria to customers and during conferences and events. You will be active in defining internal R&D programs and you'll take an active role in supporting project managers during the acquisition of projects.

• We are looking for people with a bachelor’s or master’s degree in a technical field of study (electronics, physics, IT, mathematics) with proven experience in Common Criteria projects, preferably as an evaluator, but otherwise as a consultant or developer.
• A track record in Common Criteria projects in telecommunication, Integrated Circuits or smart cards is required.
• You are well familiar with the international schemes and you have contributed to several certificates for Common Criteria evaluations.
• In addition, you need to have a hacker mentality and good all-round English language skills.

As a source code reviewer you explore the software implementation of various IT products ranging from financial (including mobile payment), (U)SIMs and embedded secure elements to automotive, medical and ID products. Taking a specific product, it is your task to investigate the implemented security mechanisms and to define sophisticated attack scenarios using state-of-the-art attack methods, for example, fault injection using laser, in order to exploit the vulnerabilities you discovered. It is your responsibility to convince product developers of your findings to allow them to improve their products but it is even more important to provide sufficient argumentation to certification schemes why a product is (still) secure.

Brightsight is looking for enthusiastic people who are up for this challenge and believe they have the capabilities to perform these tasks within the evaluations Brightsight performs.

Furthermore, it is important that you take pride in your ability to both understand the security of a product and assess it in the context of the security requirements. Brightsight works for many different types of customers and approval organizations. This means the assessment must be adapted to accommodate different stakeholders every time.

In this position, you will be part of a project team that performs product security evaluations. As a source code reviewer you are in touch with customers who are developing state-of-the-art products including the latest mobile payment applications

You are assessing the implementation of the product and provide feedback to their solution in face-to-face meetings. Customer meetings are internationally oriented, which involves discussions in different cultural contexts. You will document the findings and argumentation for both the product developer and the approval bodies. You will also support colleagues who are executing the attack scenarios you have defined.

As products are changing rapidly as are the attacks applied to these products, source code reviews require constant improvement and adaptation to keep on top of what is out in the field and could threaten products you are currently assessing. You will gain significant knowledge on secure product implementation by having access to different vendor solutions. The interaction with many developers around the world is a great experience that will trigger continuous improvement.

To get up to speed for this position you will participate in the Brightsight training program on Methodology and Technology.

• We are looking for people with a BSc, MSc or PhD. degree in a technical field (Information Security, Computer Science, Electronics, Mathematics) that have experience with software development or testing for embedded systems.
• You must have the ability to understand complex designs and apply conceptual thinking to distinguish what is essential from what is less important.
• This job also requires that you communicate knowledge convincingly, both orally and in writing, to internal and external entities.
• Knowledge of (EMV) payment products is an advantage, as is experience with security evaluations, Java Cards, attack techniques and an interest in hacking products.
• You must have a good command of the English language.

As an Experienced Payment Terminal Evaluator you will participate in projects for our customers. Often you will have the role of a lead evaluator, which means that you are responsible for the technical and methodological quality of the project. Your experience must also include taking payment terminal evaluations beyond projects. You will use your knowledge and experience to inspire other younger colleagues in their development and communication to customers.

As Experienced Payment Terminal Evaluator you will represent SGS Brightsight in the field of payment terminals to customers and during conferences and events. You will actively participate in defining internal R&D programs and you will have an active role in supporting project managers during the acquisition of projects.

Brightsight evaluates the security of products: in many cases a combination of hardware and software. We assess the level of security based on international recognized standards. We work with financial companies such as MasterCard and Visa, certification bodies of governments and – of course – the developers/suppliers/manufacturers of security products. We also support our customers in understanding the security standards and the evaluation process.

• We are looking for people with a bachelor’s, master’s or PhD degree in a technical field (Electronics, Physics, IT, Mathematics) with proven experience in projects involving payment terminals or related devices, preferably as an evaluator, but otherwise as a consultant or developer.
• A track record in payment terminals is required.
• You are well acquainted with the banking schemes and you have contributed to several approvals for payment terminals.
• A hacker mentality.
• All-round good English language skills.

Location: Delft, The Netherlands

We are looking for students in the fields of e.g. Computer Engineering, Electrical Engineering, Informatics, Technical Informatics and Mathematics. A hacker mentality is certainly welcome, as well as good English language skills.

Apply here

• Automation of evaluation tasks: develop a tool to be used in evaluations.
• Beyond-specification test equipment: develop a device such as a card reader that enables beyond-specification testing.
• Mobile phone data retrieval: develop a proof of concept (application) that can use internals to indirectly eavesdrop data entered.
• Payment terminal attacks: proof of concept of hardware or software attacks, as well as of the combination.
• Protocols: elaborate on publicly known protocols and assess the consequences for evaluation methods and tools.
• Smart cards attacks: improve assessment methods in different domains for data that is retrieved in our measurements.

For an internship we feel that the best assignments are those that you like and want to dive into. Therefore we’d like to find a match between your wishes and our opportunities.

• We are looking for students in the fields of e.g. Computer Engineering, Electrical Engineering, Informatics, Technical Informatics and Mathematics.
• A hacker mentality is certainly welcome.
• All-round good English language skills.