Markus Kammerstetter

Markus Kammerstetter

General Information

I am head of the Hardware Security Lab, post-doctoral researcher at the Secure Systems Lab Vienna / Automation Systems Group at Vienna University of Technology and managing director of the IT security company Trustworks KG.

Together with participating project and industry partners, I recently co-authored a number of research proposals in the Smart Grid and hardware security domains. One of my latest efforts led to the KIRAS SG², the RASSA (Reference Architecture for Secure Smart Grids in Austria) and the EU Horizon 2020 AnyPLACE research projects, all having a strong security focus on critical infrastructures and embedded security.

I am continuously involved in extending the lab with respect to personnel and lab equipment resources. The result is a unique environment in the hardware security domain with sophisticated and dedicated analysis tools ranging from a Focused Ion Beam (FIB) workstation, a Scanning Electron Microscope (SEM), plasma etcher, a semiconductor precision polishing machine or a custom confocal microscope to side channel/fault injection equipment, RFID analysis tools and software defined radio (SDR).
Currently, I use most of the equipment to focus on typical hardware attacks (i.e. non-invasive, semi-invasive and invasive attacks) such as side-channel and fault injection ("glitching") attacks, IC reverse engineering including depackaging, delayering, netlist extraction and subsequent analysis as well as FIB circuit edits and micro-probing. Due to the challenges involved within this field, many of our solutions are customly designed involving our own circuits, PCBs, FPGA designs and firmware.
My research interests include most aspects of computer and embedded-system security, with emphasis on hardware security as well as low-level binary analysis, forensics and reverse engineering. However, due to our hardware security lab infrastructure and the long lasting experience in the Smart Grid and hardware security domains, my current research focus is more in that area today. The following figure provides an overview of the three major hardware security areas I currently work on:

In my PhD thesis, entitled "Embedded Security Analysis with Emphasis on Critical Infrastructures", I focused on risk management and embedded security analysis within the context of critical infrastructures. In the thesis, a practical architecture-modeling driven risk assessment approach is presented to identify high-risk embedded components in smart grid installations. For these components, techniques for firmware extraction using physical attacks and subsequent embedded firmware security testing are described. Ultimately, the approach allows identified vulnerabilities in embedded critical infrastructure components to be fixed within a holistic security management approach. I completed my PhD with distinction and was nominated for the TU-Wien Ressel research award 2017.

In my master's thesis, entitled "Real-time Encrypted Speech Communication Over Low Bandwidth Channels", I implemented an embedded real-time system, allowing secure speech communication over channels with 9600 baud/s and below. Besides confidentiality, integrity and authenticity, the system has a number of unique security features that are novel to the field and were considered for patent application. The following image provides an overview of two interconnected cryptophone systems:

In my bachelor's thesis, I focused on semiconductor security analysis techniques including the extraction of sensitive information such as cryptographic key material, secret algorithms or program code from silicon chips.

In my spare time I enjoy taking part in CTF contests (e.g. UCSB iCTF in the team We_0wn_Y0u, Defcon CTF, ruCTF, etc.) and hacking our lab equipment to further improve our capabilities.

Professional Activities

Since 2005, I have been working as an independent security consultant specialized on binary vulnerability analysis for enterprise environments. Among my references are a notable financial institution as well as several large scale enterprises. Since then, I have been responsible for the discovery of more than 100 critical vulnerabilities in leading enterprise products.
Since 2012, I'm also managing director of the constantly growing IT security company Trustworks KG.


Starting with 2007, I am or have been involved with the following courses:

Practicals and Theses

If you want to work in the hardware security lab and want to do a practical ("Praktikum") and/or thesis related to embedded, hardware, wireless, RFID or semiconductor security, please contact me.

Project Experience


Markus Kammerstetter, Daniel Burian, Stefan Riegler
Security Audits von Embedded Systems mit Mikrocontrollern
D-A-CH Security 2017, September 5-6, 2017, UniBw Muenchen, DE
[to appear]
Freudenmann, Christian; Henneke, Dominik; Kudera, Christian; Kammerstetter, Markus; Wisniewski, Lukasz; Raquet, Christoph; Kastner, Wolfgang; Jasperneite, Juergen
Open and Secure: Amending the Security of the BSI Smart Metering Infrastructure to Smart Home Applications via the Smart Meter Gateway
Conference: Smart Energy Research at the crossroads of Engineering, Economics and Computer Science 2017 S.: 12, Springer, Essen, Germany, Jun 2017
Markus Kammerstetter
Embedded Security Analysis with Emphasis on Critical Infrastructures
PhD thesis, October 2016
Oliver Jung, Stefan Fenz, Markus Kammerstetter und Aleksandar Hudic
Eine Architektur fuer sichere Smart Grids in Osterreich
D-A-CH Security 2016, September 26-27, 2016, Klagenfurt, AT
D. Henneke, C. Freudenmann, M. Kammerstetter, D. Rua, L. Wisniewski, and J. Jasperneite
Communications for AnyPLACE: A Smart Metering Platform with Management and Control Functionalities
21st IEEE International Conference on Emerging Technologies and Factory Automation (ETFA 2016), September 6-9, 2016, Berlin, Germany
Markus Kammerstetter, Markus Muellner, Christian Kudera, Daniel Burian and Wolfgang Kastner
Efficient High-Speed WPA2 Brute Force Attacks using Scalable Low-Cost FPGA Clustering
Conference on Cryptographic Hardware and Embedded Systems 2016 (CHES 2016), August 17-19, 2016, Santa Barbara, CA, USA
[download extended version] [download conference version] [ Watch YouTube Video ]
Lucie Langer, Florian Skopik, Paul Smith and Markus Kammerstetter
From old to new: Assessing cybersecurity risks for an evolving smart grid
Elsevier Journal on Computers & Security, Volume 62, September 2016, Pages 165-176
Markus Kammerstetter, Daniel Burian and Wolfgang Kastner
Embedded Security Testing with Peripheral Device Caching and Runtime Program State Approximation
The Tenth International Conference on Emerging Security Information, Systems and Technologies (SECURWARE 2016), July 24-28, 2016, Nice, France
[download], Best Paper Award received
Johannes Goellner, Lucie Langer und Matthias Tischlinger (Hrsg.); Christian Kudera, Markus Kammerstetter, Florian Skopik, Matthias Tischlinger, Berthold Haberler et al. (Autoren)
Buch: Smart Grid Security Guidance - (SG)²: Sicherheitsmaßnahmen für Stromnetzbetreiber in Österreich
Schriftenreihe der Landesverteidigungsakademie (Mai, 2016), ISBN 978-3-902944-98-6
Adrian Dabrowski, Markus Kammerstetter, Eduard Thamm, Edgar Weippl and Wolfgang Kastner
Leveraging Competitive Gamification for Sustainable Fun and Profit in Security Education
USENIX Summit on Gaming, Games and Gamification in Security Education (3GSE '15) co-located with USENIX Security Symposium 2015, August 11, 2015, Washington D.C., USA
Florian Skopik and Paul Smith (Editors); Dariusz Kloza, Lucie Langer, Markus Kammerstetter, Martin Hutle, Kieran McLaughlin et al. (Authors)
Book: Smart Grid Security: Innovative Solutions for a Modernized Grid
Elsevier Science Publishing Co Inc (June 1st, 2015), ISBN 978-0128021224
[Amazon Link]
Markus Kammerstetter, Markus Muellner, Daniel Burian, Christian Platzer and Wolfgang Kastner
Breaking Integrated Circuit Device Security through Test Mode Silicon Reverse Engineering
21st ACM Conference on Computer and Communications Security (ACM CCS), November 3-7, 2014, Scottsdale, Arizona, USA
Markus Kammerstetter, Lucie Langer, Florian Skopik and Wolfgang Kastner
Architecture-Driven Smart Grid Security Management
2nd ACM Workshop on Information Hiding and Multimedia Security, June 11-13, 2014, Salzburg, Austria
Markus Kammerstetter, Christian Platzer and Wolfgang Kastner
PROSPECT - Peripheral Proxying Supported Embedded Code Testing
9th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2014), June 4-6, 2014, Kyoto Garden Palace, Kyoto, Japan
L. Langer, M.Kammerstetter, F. Skopik, T. Hecht, and P. Smith
POSTER: Smart Grid Security Analysis: The (SG)² Approach
Smart Grids Week 2014, May 19-23, 2014, Graz, Austria
Lucie Langer, Johannes Goellner, Christian Meurers, Andreas Peer, Markus Kammerstetter and Thomas Bleier
Importance of Risk Management for the Security of Smart Grids
European Meetings on Cybernetics and Systems Research EMCSR 2014, April 22-25 2014, Vienna, Austria
Markus Kammerstetter, Lucie Langer, Florian Skopik, Friederich Kupzog and Wolfgang Kastner
Practical Risk Assessment Using a Cumulative Smart Grid Model
3rd International Conference on Smart Grids and Green IT Systems (SMARTGREENS), April 3-4 2014, Barcelona, Spain
Johannes Goellner, Christian Meurers, Andreas Peer, Lucie Langer and Markus Kammerstetter
Bedeutung des Risikomanagements für die Sicherheit von Smart Grids
13th SYMPOSIUM ENERGY INNOVATION (EnInnov2014), 12th - 14th February 2014, Graz, Austria
L. Langer, F. Kupzog, M. Kammerstetter, T. Kerbl, F. Skopik
Smart Grid Security Guidance (SG)2 - Empfehlungen für sichere Smart Grids in Österreich
ComForEn 2013, 4. Fachkonferenz Kommunikation für Energienetze der Zukunft, September 26, 2013
Markus Kammerstetter, Christian Platzer and Gilbert Wondracek
Vanity, Cracks and Malware: Insights into the Anti-Copy Protection Ecosystem
19th ACM Conference on Computer and Communications Security (CCS 2012), October 2012, Raleigh, NC, USA
Florian Skopik, Thomas Bleier, Markus Kammerstetter and Georg Kienesberger
Smart Grid Security Guidance: Eine Sicherheitsinitiative fuer Intelligente Stromnetze
42. Jahrestagung der Gesellschaft fuer Informatik e.V. (GI) (INFORMATIK 2012), September 16-21, 2012, Braunschweig, Germany
Markus Kammerstetter
Real-time Encrypted Speed Communication Over Low Bandwidth Channels
Master's thesis, May 11, 2011, suggested for Distinguished Young Alumnus Award
[download] [presentation]
Markus Kammerstetter
Sicherheitsanalysetechniken von Mikrocontrollern
Bakkalaureatsarbeit, March, 2009

Notable Achievements

  • For my PhD thesis, I was nominated for the Ressel Award 2017 by the Faculty of Informatics.
  • My paper "Embedded Security Testing with Peripheral Device Caching and Runtime Program State Approximation" received the best paper award at SECURWARE2016.
  • I was nominated for the Distinguished Young Alumnus Award due to my outstanding master's thesis.
  • My paper "Practical Risk Assessment Using a Cumulative Smart Grid Model" was recommended for the best paper award at SMARTGREENS'14.
  • Together with the WoY team, we managed to take the 3rd place in the iCTF competition 2014/15
  • Together with the WoY team, we managed to take the 2nd place in the iCTF competition 2012/13
  • Together with the WoY team, we managed to take the 1st place in the iCTF competition 2011
  • Together with the WoY team, we managed to take the 5th place in the iCTF competition 2008
  • Together with the WoY team, we managed to take the 4th place in the iCTF competition 2007
  • Together with the WoY team, we managed to take the 1st place in the iCTF competition 2006
  • Together with the WoY team, we managed to take the 2nd place in the iCTF competition 2005


I can be reached under mk (at)

You can find my contact information through TISS.

Last Modified: Thu Jun 1 18:34:36 CEST 2017

International Secure Systems Lab