U of T staff (ethically) hack CERN, world’s largest particle physics lab

Photo of inside CERN
CERN, the international lab near Geneva, is home to the Large Hadron Collider, the world’s largest particle accelerator (photo by Claudia Marcelloni/CERN)

It takes 22 member states, more than 10,000 scientists and state-of-the-art technology for CERN to investigate the mysteries of the universe. But no matter how cutting-edge a system is, it can have vulnerabilities – and last year University of Toronto employees helped CERN find theirs.

CERN, the European Organization for Nuclear Research, asked for help to hack its digital infrastructure last year, organizing the White Hat Challenge. Allan Stojanovic and David Auclair from U of T’s ITS Information Security Enterprise and Architecture department, along with a group of security professionals, were more than willing to answer the call.

Passionate advocates for information security, Stojanovic and Auclair say regular testing is essential for any organization.

“Vulnerabilities are not created, they are discovered,” says Stojanovic. “Just because something has been working, doesn’t mean there wasn’t a flaw in it all along.”

Their director, Mike Wiseman, supported their participation in the challenge. “This competition was an opportunity to bring experts together to exercise their skill as well as give CERN a valuable test of their infrastructure.”

Stojanovic first heard about the challenge during a presentation at a Black Hat digital security conference. He jumped at the opportunity,  immediately approaching the presenter, Stefan Lüders, CERN’s security manager.

Stojanovic put together a group of eight industry professionals (pen testers, consultants, Computer Information Systems administrators and programmers), set goals for the test and created a ten-day timeline. 

Any penetration test involves three main stages: scoping, reconnaissance and scanning. Before the scanning stage begins, testers are not allowed to interact with the system directly, but try to learn everything they can about it.

During the “scoping” stage, testers define what is “in scope” and specify what IP spaces and domains they can and cannot probe during the testing. The “recon” stage is exactly what it sounds like: reconnaissance. The testers try to find out everything they can about the domains that are in scope, helping guide them towards potential weaknesses.

With scoping and recon complete, the team was able to officially begin the scanning stage. Scanning is like a huge treasure hunt, beginning with a broad search and gradually narrowing it down,  burrowing deeper and deeper into the most interesting areas and letting go of the others.

This went on for nine days. It was a gruelling process – the team would find a tiny foothold, investigate it, but nothing significant would emerge. This happened again and again.

Read about U of T scientists at CERN

Finally, Stojanovic was woken up one day by a short message, “I got it!” One of his team members, Jamie Baxter, had solved the puzzle – a breakthrough generated by multiple late nights of patient analysis.

Details of the breakthrough are kept secret due to a confidentiality agreement with CERN. But after more than two weeks of work, the team revealed weaknesses in CERN’s security infrastructure and provided important recommendations on how to improve it.

CERN's security group was then able to roll out fixes and address the identified vulnerabilities before U of T's formal report even hit their desks.

Stojanovic hopes that his team’s success will encourage educators to use penetration testing as a pedagogical tool.

“It’s a lot of really fantastic experience,” he says, adding that these are the hands-on skills that new security professionals are going to need in the fast-growing information security industry.

Stojanovic also hopes that other institutions, including U of T, will follow CERN’s lead in opening themselves up to testing of this nature.

And this won’t be the last CERN will see of U of T – Lüders has already asked for round two.



The Bulletin Brief logo

Subscribe to The Bulletin Brief