Cybersecurity

“We Did Not Want Our Research to Remain on the Shelf”

From left to right: Simon Wörner, Tobias Scharnowski (co-founder of Fuzzware), Dr. Steffen Schabel (Marketing & Sales Consultant). Photo: Fuzzware GmbH

Today, vehicles, medical devices, and many other technologies contain embedded computers that widen the attack surface for cyberattacks. Fuzzware, a spin-off from the CISPA Helmholtz Center for Information Security, develops technologies to identify security vulnerabilities in these systems. Co-founder Tobias Scharnowski discusses the search for vulnerabilities and the journey from a research project to a startup.

We make embedded systems more secure. These are small computers found in many everyday devices without people even realizing it. They can be found, for example, in vehicles, medical devices, or components of critical infrastructure. As these systems become increasingly interconnected and communicate with their surroundings, the number of potential attack surfaces continues to grow. Security vulnerabilities can therefore have far-reaching consequences, particularly where technical systems perform critical functions. Our goal is to identify these risks at an early stage and improve the security of the affected systems.

We use a technique called fuzzing, which hackers also use to identify software vulnerabilities. The process involves automatically exposing a system to a very large number of different inputs. Put simply, we systematically probe software for weaknesses. If certain inputs lead to errors, crashes, or unexpected behaviour, this may indicate a security vulnerability. The objective is to reach as deeply as possible into the software, including areas that are rarely used during normal operation and are therefore seldom tested. Such methods are now widely used for conventional software running on PCs or servers.

Exactly. Doing so requires a very specific hardware environment. Our key innovation is that we automatically recreate this environment digitally. The technical term for this is rehosting. This process allows us to analyse the software without requiring access to the actual device. As a result, significantly more extensive testing becomes possible, helping us identify security vulnerabilities much more quickly.

At first, founding a company was not the original goal. I began working on this topic in 2019 as part of my research simply because we wanted to solve a technical problem. Over time, it became clear that our approach was not only scientifically interesting but also highly effective in practice. At the same time, we realized that many embedded systems remain highly vulnerable and that only a few tools exist for systematically assessing them for vulnerabilities. At some point, this raised the question of what should happen next. We had developed a technology that could be relevant for many companies.

Research results do not automatically find their way into industry. Methods presented in scientific publications do not automatically make their way into practical applications. That is why we wanted to drive the transfer ourselves. Put differently, we had to decide whether to let the research remain on the shelf or try to turn it into something tangible. We chose the latter path. That decision ultimately led to the creation of Fuzzware.

Founding the company has completely reshaped my daily work. Previously, I was focused almost exclusively on research and technical questions. Today, my responsibilities also include customer relations, personnel matters, financial management, and a wide range of organisational tasks. These are areas with which researchers would not normally have much contact.

For a startup, speed is often crucial. Yet especially in the early stages, many obstacles consume time and energy. CISPA and Helmholtz helped us remove these barriers and focus on what mattered most: advancing our technology and building the company.

Support during the spin-off process was particularly important to us. It makes a significant difference whether you have to navigate this path alone or can rely on people who are already familiar with such processes and can support and guide you through them.

The global political situation has become noticeably more tense in recent years. We live in a less peaceful world today than we did only a few years ago. As a result, attacks on critical infrastructure and other important systems have taken on an entirely different significance.

In addition, artificial intelligence is making it easier for attackers to identify vulnerabilities and prepare attacks. Many tasks that previously required extensive 
