SBA Research is a research center for Information Security funded partly by the national initiative for COMET Competence Centers for Excellent Technologies. Within a network of more than 70 companies, 15 Austrian and international universities and research institutions, and many additional international research partners we jointly work on research challenges ranging from organizational to technical security to strengthen Europe’s Cybersecurity capabilities.
ISIS @ TU Wien IAIK @ TU Graz DKE @ Uni Wien NM @ WU Wien FH St. Pölten AIT


Rudolf Mayer and Andreas Rauber host the annual meeting of the EU project MyHealthMyData

On October 9th and 10th, 25 researchers collaborating in the MyHealthMyData project meet at SBA Research to discuss issues of secure and privacy-preserving data sharing in e-Health applications.

MyHealthMyData implements a new way to share private information and empower their primary owners, the patients. The project uses novel approaches like using blockchains and smart contracts to trace the sharing and usage of patients in academic and commercial studies. Patients will control their data via personal data accounts, and can give dynamic consent to usage of parts of their data.

Peter Kieseberg @ CMG-AE-Tagung

Today, Peter Kieseberg gave a talk on “Neue Security-Herausforderungen im industriellen Umfeld” at the “CMG-AE-Tagung” in Vienna.

Peter Kieseberg @ ICDF2C2017

Today, Peter Kieseberg presented our work „Real-time Forensics through Endpoint Visibility“ at the „9th EAI International Conference on Digital Forensics & Cyber Crime“ (ICDF2C2017) in Prague.

Study on EU-DSGVO

On behalf of the Austrian Federal Ministry of Transport, Innovation and Technology (bmvit), a research team consisting of cbased (Community-Based Innovation Systems), SBA Research, and the Vienna University of Economics and Business (WU), examines the impact of the data protection legislation (EU-DSGVO), which will become effective May 2018, on Big Data and Innovation.

The study was open to public participation of citizens, companies and experts until 09.10.2017.

More information can be found here and the study including the discussion here (both in german).

Philipp Reisinger at Österreichischer Sicherheitstag

Today Philipp Reisinger will talk about “The Defender’s Dilemma” at the Austrian IT Security day in Klagenfurt.

The IT Security day takes place in conjunction with IT Carinthia

Further information can be found here.


Mauro Conti @ SBA

Maura Conti gave a guest talk about Novel Security and Privacy Threats to Mobile Users at SBA Research yesterday.

More information can be found here.

Peter Kieseberg awarded Apertus Axiom

Yesterday, Peter Kieseberg from SBA Research and IoT-Austria awarded Apertus Axiom with the OpenMinds-Award in the category “Open Hardware”.

SBA Research at IKT-Sicherheitskonferenz of the Austrian Armed Forces

Jointly with the OCG working group on information security we organized the young researchers’ day (YRD). Edgar Weippl gave a talk on Bitcoins. Philipp Reisinger gave a talk at the IKT Sicherheitskonferenz about “Techology radar and Security 4.0”. The event takes place at the congress center villach today.

The program can be found here.

Alexei Zamyatin @ IEEE MASCOTS 2017

Alexei Zamyatin presented his paper „Swimming with Fishes and Sharks – Beneath the Surface of Queue-based Ethereum Mining Pools“ at the IEEE MASCOTS 2017 conference which took place from September 20 – 22, 2017 in Banff, Canada.

Aljosha Judmayer @ DigitalDays2017, Vienna

Aljosha Judmayer was invited to give a lightning talk about “Do we need the Blockchain” at the DigitalDays 2017.

The DigitalDays 2017 presented the digital competence of Vienna as a location, all activities related to the DigitalCity.Wien initiative and its partners. Innovative technologies were presented and could be experienced in the “DigitalCity.Wien TechStreet”. In addition, exciting topics from the field of digitization were discussed interactively with experts. The DigitalDays 2017 took place from September 20 – 21, 2017 in the City Hall of Vienna.

Stefan Jakoubi @ DEEPINTEL

Stefan Jakoubi will give a talk on Risk Communication – “To be informed, or not to be informed: that is the question” at DEEPINTEL today.

Making correct and effective decisions requires complete, meaningful and tailored data. This is nothing new and what sounds like an easy challenge is nowadays still surprisingly difficult and not well (enough) implemented.

For further information please see here

Stefan Jakoubi at Gartner Summit

Stefan Jakoubi is attending Gartner Security & Risk Management Summit, which takes place from 18-19. Sept. in London, UK.

Further details can be found on their website.

Edgar Weippl on Bitcoins at IDC Security Roadshow

Edgar Weippl gives a technical introduction to Bitcoins (Agenda)

Peter Kieseberg moderating PwC event

Today Peter Kieseberg is moderating the PwC Security Trend event focusing on Business Continuity, Security Policies and the DSGVO.

Tomasz Miksa chairs the newly endorsed DMP Common Standards working group at the RDA

Tomasz Miksa has become the chair of the newly endorsed DMP Common Standards working group at the Research Data Alliance. He will present the goals of the group for the next 18 months at the 10th Research Data Alliance Plenary in Montreal, Canada.

The group brings together a broad spectrum of stakeholders from all around the world, such as: research funders, data repositories, ICT infrastructure providers, software developers, and researchers representing various scientific domains.

The specific focus of the working group is on developing common information model and specifying access mechanisms that make Data Management Plans (DMPs) machine-actionable. The outputs of this working group will help in making systems interoperable and will allow for automatic exchange, integration, and validation of information exchanged using research data infrastructures.

This should lead to higher reproducibility of computational workflows and increase of trust in scientific data.

To follow the activities and learn more about the DMP Commons Standards WG please visit its official web page.


Best Paper Session at ARES 2017

This year’s ARES conference had great papers in the best papers session and the first time-of-test award.

Featured article in newspaper

„Our KIRAS-project “Darknet Analysis” is currently featured with an article in the newspaper “derStandard”, as well as in “”:

Paper accepted @ ACSAC’17

The paper “Grid Shock: Coordinated Load-Change Attacks on Power Grids” by Adrian Dabrowski, Johanna Ullrich, and Edgar Weippl was accepted for publication at the 2017 Annual Computer Security Applications Conference (ACSAC 33).

Our work analyzes whether large-scale botnets are able to modulate electric power consumption in a coordinate way to bring down the power grid. ACSAC is a leading conference in applied computer security. In total, 48 out of 244 submissions were accepted, resulting in an acceptance rate of 19.7%. ACSAC 33 will be held in San Juan, Puerto Rico in December 2017.


Electric power grids are among the largest human-made control structures and are considered as critical infrastructure due to their importance for daily life. When operating a power grid, providers have to continuously maintain a balance between supply (i.e., production in power plants) and demand (i.e., power consumption) to keep the power grid’s nominal frequency of 50\,Hz or alternatively 60\,Hz. Power consumption is forecast by elaborated models including multiple parameters like weather, season, and time of the day; they are based on the premise of many small consumers averaging out their energy consumption spikes. 

In this paper, we develop attacks violating this assumption, investigate their impact on power grid operation and assess their feasibility for today’s adversaries. In our scenario, an adversary builds (or rents) a botnet of zombie computers and modulates their power consumption, e.g., by utilizing CPU, GPU, hard disks, screen brightness, and laser printers in a coordinated way over the Internet. Outperforming the grid’s countervailing mechanisms in time, the grid is pushed into unstable states triggering automated load shedding or tie-line tripping.

We show that an adversary does not have to rely on smart grid features to modulate power consumption given that an adequate communication infrastructure for striking the (legacy) power grid is currently nearly omnipresent: the Internet to whom more and more power-consuming devices are connected.​

Paper accepted @ CBT’17

The paper “Merged Mining: Curse or Cure?” by Aljosha Judmayer, Alexei Zamyatin, Nicholas Stifter, Artemios G. Voyiatzis, and  Edgar Weippl was accepted for publication at the 1st International Workshop on Cryptocurrencies and Blockchain Technology (CBT’17), held in conjunction with ESORICS 2017.

Merged mining refers to the concept of mining more than one cryptocurrency without necessitating additional proof-of-work effort. Although merged mining has been adopted by a number of cryptocurrencies already, to this date little is known about the effects and implications. We shed light on this topic area by performing a comprehensive analysis of merged mining in practice. As part of this analysis, we present a block attribution scheme for mining pools to assist in the evaluation of mining centralization. Our findings disclose that mining pools in merge-mined cryptocurrencies have operated at the edge of, and even beyond, the security guarantees offered by the underlying Nakamoto consensus for extended periods. We discuss the implications and security considerations for these cryptocurrencies and the mining ecosystem as a whole, and link our findings to the intended effects of merged mining.

An extended version of the paper is available at the Cryptology ePrint Archive: Report 2017/791.

SBA at USENIX Security

Numerous members of SBA are currently at USENIX Security in Vancouver. Katharina Krombholz is presenting our paper ‘“I Have No Idea What I’m Doing” – On the Usability of Deploying HTTPS’, and you’ll be soon able to watch the recording here due to the USENIX open access policy.

News coverage: Bulletproof TLS Newsletter, USENIX ;login: (to appear)