How ethical hackers make KONE products and services safer

How a masked hacker makes KONE products and services safer for customers

Ethical hacking is going mainstream as another way to help protect against cyberattacks which aim to steal user credentials, knock networks offline and even encrypt customer data for ransom. Alongside strengthening its own cybersecurity expertise, KONE enlists the skills of friendly hackers, including challenging them at high-profile meetups like the Disobey Nordic Security Event.

Published Jun-16-2023

At an exhibition hall in Helsinki, a hacker who calls himself ‘The Mask Guy’ sits down at his PC alongside a group of fellow computer experts, who all start feverishly hacking away at a KONE test monitoring system. Their goal is very clear – to beat KONE’s defenses and bring that system to its knees.

These talented and often anonymous computer whizzes come from different walks of life, but they share a common passion – to find ways to break into connected devices, services, and embedded systems, no matter how secure their administrators may believe they are.

The cybersecurity plan is not a destination but rather a continuous journey.

But what is different about this crowd is that they are known in the cyber community as ‘white hat’ or friendly hackers – ethically-driven computer pros. Their motivation, be it for pleasure, profit, or prestige, is to probe for weaknesses in connected systems and thereafter collaborate with their owners to help make them more secure to keep out the bad guys, the ‘black hats’.

It’s for this reason that corporations, cybersecurity professionals, and ethical hackers have gathered at the annual Disobey Nordic Security Event in Helsinki to share expertise and take part in challenges. At the ‘Capture the Flag (CTF)’ competition, co-sponsored by KONE, white-hat hacker teams will race to find a vulnerability in a KONE test monitoring system and exploit it, allowing the company to gain ever-deeper insights and stay one step ahead of attackers.

For the hackers, events like Disobey are not only a chance “to raise awareness of security,” says ‘The Mask Guy’, but also to socialize with and work alongside other “ethically driven, positive and collaborative people”.

Two people discussing about work with laptop.
In an era of persistent cyber threats, it has become essential to find new ways to protect against unethical hackers.

Why is ethical hacking so important?

Ethical hacking is a necessity in today's world as cyberattacks led by hostile or “black hat” hackers have rocketed.

Research by Check Point Software Technologies tells us that between 2020 and 2021, cyberattacks on corporations increased by 50 percent. What’s more, the cost of cyberattacks is growing – for companies and ultimately for their customers, with the average cost of a data breach estimated at $4.35 million in 2022.

As products and services become increasingly connected, customers need more than ever before the peace of mind that companies are taking all possible measures to protect themselves and their customers against hostile actors.

“Unethical hackers have a number of vectors in which to attack any company – especially those that do not invest and continuously improve their security practices,” explains Laura Kankaala, Threat Intelligence Lead at Finland-based F-Secure, a paragon within the cybersecurity industry and periodic consultant to KONE.

“They will come at you through a vulnerable web application, a misconfigured cloud service, a poorly protected identity, untrained staff who fall victim to e-mail phishing attacks, or in cases where the company has not enforced basic security settings such as multi-factor authentication across a company’s IT services.”

Kankaala, an experienced ethical hacker in her own right, likens successful cybersecurity to a puzzle comprised of many pieces. These traditionally include a company’s own IT pros, top-notch security consultants, proven internal policies and training. But more recently, warming-up to friendly hackers who will play on your team has become an invaluable tool in the box.

“Even then it’s essential to understand that keeping the unethical and criminal hackers at bay results from a comprehensive cybersecurity plan, and still the plan itself is not a destination but rather a continuous journey,” adds Kankaala.

Two colleagues collaborating at an office in front of a computer.
Cyber specialists inside the company have a vital role for safeguarding all types of data.

Building holistic cybersecurity excellence

Back at the Disobey CTF challenge, ethical hacker ‘The Mask Guy’, – who uses a pseudonym due to his day job as an Internet of Things expert at a large cybersecurity firm – conspires with his team to employ any and every trick in their book to hack into the KONE demo system and seize control of it first in order to win the competition.

Looking over these hackers’ shoulders is Antti Salminen, Application Security Expert at KONE, who smiles to himself at the clever coding and impressive problem-solving going on.

“KONE has always taken cybersecurity and the threat that hackers pose very seriously,” Salminen says. “We want to fight this battle on our terms, and so we recognized that one of the best ways to do that was to build a bridge between KONE and the white hat community to establish closer collaboration.”

“The Disobey event provides a perfect venue to build those bridges.”

Alongside large events, KONE also offers a financial reward incentive program, called a ‘bug bounty’, to invited ethical hackers to probe its services and products and locate undiscovered vulnerabilities.

KONE has always taken cybersecurity and the threat that hackers pose very seriously.

Such bug bounty programs have not only become commonplace among organizations in the private and public sector in recent years but are now considered an emerging best practice to ensuring robust cybersecurity. Indeed, formalized training and certifications are now being offered such as the EC-Council’s Certified Ethical Hacker program as well as a three-course certificate program at the University of Washington in the US.

But Salminen makes clear that there is no substitute to having your own team of crack cyber specialists inside the company, too.

“In the past, a people-moving company like KONE may not have been the first place a cybersecurity specialist would go looking to for a career. But that’s changing. We are online with our products and services more than ever and cybersecurity is a top priority, so we strive to attract the highest cyber talent to be found in the industry.”

KONE’s commitment to cybersecurity was recognized in 2023 when it became the first in the industry to gain the IEC 62443 cybersecurity certification for its DX class elevators, and ISO 27001 certification for its digital services, including KONE 24/7 Connected Services.

Elderly woman looking at information screen in an elevator.
For KONE, cybersecurity is the foundation of good customer experience.

A win for KONE customers … and the white hats

So, the question remains … did ‘The Mask Guy’ and his team of white hats succeed, or did the KONE demo system’s cyber fortress hold?

“Yeah … we captured the flag,” deadpans ‘The Mask Guy’. “It wasn’t easy, but our team did find a way to get root access to the system.”

And with it, first-place winner of the 2023 Disobey CTF competition.

For KONE, the route that the hackers found into the system provided valuable cybersecurity insights that can be made use of in future.

“It was a great learning experience for us,” Salminen points out, “and our demo monitoring system’s cyber resilience held up well - for most of the time.”

“For KONE, the experiences we shared at Disobey helped to de-mystify the white hat hacker community and serve as a framework for us to collaborate more closely going forward to build better cybersecurity in our products and services for our customers,” adds Salminen.