
EXFILES (3) H2020 Project: A Look from the Inside

Published Dec 7, 2021, 5:10 PM

In this episode, we look at the EXFILES project once again. We speak with project partner Renaud Feil from Synacktiv in Paris about developing methods to access locked phones. There is no easy solution but in EXFILES, partners across Europe have resolved to make inroads to this challenging aspect of cybersecurity. 

The EXFILES project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 883156

This is a Technikon podcast.

How much does the data on your mobile phone say about you? You might be astonished at the answer. We store photos of bank information, contacts, private conversations and so much more on these ubiquitous devices. In the wrong hands, this could be a disaster. But don't panic. The good news is that the manufacturer of your phone has been diligent in protecting you. In fact, if encrypted with a password, your phone is likely the most secure device you own. And that's great for everyone, except for the law enforcement agency trying to solve a crime, when the only evidence they have in their hands is a locked telephone. I'm Peter Balint from Technikon, and today we look at the EXFILES project once again. This European project is developing methods to access locked phones. This is a critical activity in the forensic investigation toolbox. There is no easy solution, but in EXFILES, partners across Europe have resolved to make inroads to this challenging aspect of cybersecurity. Today, we speak with project partner Renaud Feil from Synacktiv in Paris. Let's have a listen. Welcome, Renaud, and thanks for coming on today.

Thank you for inviting me.

To start with, tell us what the EXFILES project is all about.

Yes, of course. EXFILES is a project funded by the European Union under the Horizon 2020 research and innovation program, and the aim of this project is to provide law enforcement of several European countries (France, Germany, Spain, the Netherlands and Norway; I hope I'm not forgetting anyone here) with new techniques and tools to be able to access forensic evidence on mobile phones, which may have been confiscated from criminals. Of course, criminals like everyone are using mobile phones more and more, especially during and after the COVID crisis. It's less and less about pieces of paper and face-to-face conversation. They need to talk about the project, share information, set up plans for trafficking in their crimes. Most of the time over the internet, sometimes within a small group, sometimes in a large group. And so you end up actually with a lot of critical evidence on modern phones, which are, by the way, the most advanced and secure piece of electronic equipment that everyone owns. It's very secure, and most of the time, if you don't have the PIN code or the passphrase, you can't access the data even if the phone is in your hand. And of course, it's a good thing for privacy if someone steals your phone, but it's a big issue for law enforcement in specific cases. And it's actually the same for data in transit, the communications themselves: they are now protected by what's called end-to-end encryption or other cryptographic techniques. You have, of course, regular people, but also criminals, who use VPNs to encrypt their traffic, hide their IP addresses on the internet and so on. So just observing the traffic on the internet doesn't tell you much about what's going on. And so more and more, you need to access the data on the mobile phones themselves because that's where the data is stored. 
So yeah, police forces around the world are looking for new ways to get access to what's stored on the suspect's phone and to help this criminal case. And that's the objective of this EXFILES project.

OK, and we'll talk a little bit more about the technology later. So you come from Synacktiv, the company is called Synacktiv. They're a partner in EXFILES. What can you provide to contribute to the overall objectives in the project?

Yeah, Synacktiv is a company founded nearly 10 years ago in Paris by Nicholas and myself. We both had a background as security auditors, and Nicholas had a background in development, but mostly we were doing, you know, consulting jobs, looking for flaws and helping companies with securing their systems. And now it's about 90 people in several French cities. And so what do we do? We work on offensive security. By offensive security I mean that we master, or at least we try to master, the knowledge and the tools to find vulnerabilities and flaws in IT systems. Our work is to find security issues in many different systems. And on this project, we're actually looking at mobile phones. We have developed some skills on Android and iPhones and different phones on the market. And so we have started working on several European projects to help law enforcement on this technology. We have a small team of experienced and smart experts to find vulnerabilities and share them with trusted partners to help Europe build capacity in this field.

So it sounds like your company is a perfect fit for EXFILES, and that's a great thing for the consortium.

Yeah, well, at least we try to. We try to help on the very technical part - some parts of the project are highly technical, and that's where we try to help.

Mm-hmm. I was wondering also, given the changing nature of technology and increased complexity, not to mention tighter security: is this a realistic endeavor? I mean, what do you see as an endpoint or result in EXFILES?

That's a good question, and that's a real challenge. Everyone in the field knows that it's getting more and more difficult. The main phone manufacturers are just making genuine efforts to make their systems more and more secure, and that's a good thing. And of course, everyone is pushing back against any law that would make, you know, compulsory legitimate access, or what some people call a backdoor. No one wants any backdoor for police forces on every mobile phone sold on the market. So yes, you have some phone manufacturers that are really increasing the security of the phone, and it's getting more and more difficult. And so now the police forces are on their own with the phone in their hands and their skills and the skills of their team, and they need to find a way to break into a specific phone. So of course, from time to time, you have very smart people in the team. They come and tell me, "Yeah, Renaud, it's just getting more and more difficult. They have just added new security measures. I'm afraid we won't be able to find or exploit vulnerabilities one day, and we will fail, we will stay in the dark and frustrated and useless." And it's, of course, part of our job to deal with this uncertainty and fear of not keeping up with the pace of new technologies. But of course, we have been doing that for a few years now, and we actually see that it's still possible to find flaws and to help these investigations. So, yeah, it's getting more complex now. More and more connected systems are updated more and more frequently with new code and new features. But I'm confident that there will still be a number of ways to find bugs in systems. It will just require more effort and more security researchers to keep up with the pace of the better security that we have.

Okay, and you mentioned bugs in systems, and maybe that's a hint to my next question, which is how actually do you do this? How do you seemingly bypass phone security?

Oh, it's difficult to explain without going into technical details, but basically it's about finding and exploiting vulnerabilities. A vulnerability is an error. It's a mistake in a system, sometimes in the source code written by the developers, sometimes in the configuration made by the IT staff or the user. And there are a lot of techniques and tools to find these issues, but to make it simple: most of the time, it's about extracting the software from a specific brand of mobile phone and then understanding its internals, how it's working, what it's doing. And we have some tools to actually understand what's going on, how specific software interacts with the hardware, how the data is processed and so on and so on. Of course, it's a difficult task because you're not the only one looking for issues. There are actually many people today looking for flaws in mobile phones. So you need to be smarter than the others, you need to understand the source code better than the others and sometimes even better than the developer who wrote the code himself, you know. And it's a science, but it's also a kind of art, because you can't just read all the code. It's made by hundreds of developers, so you need some instinct to find places which are likely to contain bugs. And most of the time, it's quite good to focus on pieces of code that are very complex, very hard to understand: complex data parsing, memory management, interaction with hardware. So, yeah, we do need to be actually willing to go into the most difficult pieces of code because that's usually where the flaws are, and you need to read a lot, train a lot, work a lot until you find an issue and help with the investigation.

Well, this answers a big question, I think: the fact that you don't have hundreds of developers at your disposal and the fact that you have to really develop your instincts to know where the vulnerabilities are. I think that's really an important point to mention. I think also that this project is sort of surrounded in confidentiality; that's sort of understood. But what about ethical issues? How do you deal with these ethical issues in EXFILES?

Ethical issues are a key consideration in this project, and we actually do have some universities in the consortium, and they are part of the project to actually think about the future of this kind of investigation and what is good and what is bad from an ethical perspective. Because on one hand, we need to provide tools to law enforcement for the investigation. And on the other hand, we need to make sure that these techniques are not used against innocent people. It's not a new subject. I don't believe it's a very difficult subject to deal with. I mean, law enforcement, they have privileges such as the legitimate use of violence to arrest someone dangerous. And in many countries, especially democratic countries, you have many laws to draw a line between what is allowed and what is not allowed. And you need, of course, strong overseeing bodies to make sure that these techniques are just used in criminal cases and against, you know, a person who is significantly likely to be part of the criminal conspiracy. So I won't pretend to close the subject for my partners on this side of the project, but to me, it's kind of important to remember that it's not just about what we are doing, but for whom we are doing it, and we need to make sure that we are doing it for police forces in countries with a proper regulation of their own law enforcement capacities. And that's probably why the results are currently shared with only a small group of trusted law enforcement in Europe, and we have actually strong rules for dissemination of our work. And I guess it's countries with a strong history of democracy and control of their police forces, because as you know, there is a real threat today and there is a kind of distrust of some citizens against their own government. It's everywhere in the world. It's not only Europe. 
The main problem with this kind of distrust is that you have some security researchers who will decide not to care anymore, because they say, after all, if democracy cannot be trusted more than an authoritarian country, I can just work for anyone. And if your main skill is offensive security and if you're willing to make a living out of it, and if you believe that all governments are bad, then you can just work for anyone. And of course, the issue is that today some governments are not democratic at all, or at least they have a different approach to justice and fair trial. I think it's really good to remember that it's really about who you provide these tools to and making sure that they are properly used and overseen.

And from what I know about EXFILES, from what I've read and what you can find on the website, this is all very closely adhered to. Things are very controlled and regulated.

There is a strong policy when it comes to dissemination and use of these sensitive tools.

Right. Let me ask you this: What if EXFILES didn't exist? What effect would we see in the law enforcement community?

Law enforcement, they have a lot of challenges when it comes to cybersecurity. You have a new wave of criminals. They commit crimes even on the internet itself. For example, ransomware; everyone is talking today about ransomware. Everything happens over the internet: the targeting of the victims, the attack itself, even the negotiation and the ransom, and even the payments using cryptocurrency. So the game has moved significantly, and law enforcement, they need to be able to investigate any piece of electronic device, mobile phones, computers, that they have, because today, that's where the evidence is. And even for crimes that happened in the real world, communications, as I was mentioning previously, are now made using encrypted applications, which are not easy to intercept. So you actually need to be able to get the information that is stored on the mobile itself and sometimes the computers. And, to answer your question, I think that if we lose this battle, it will just become more and more difficult for police to investigate modern crimes, and they will just be left in the dark, with a very hard time finding evidence when it's stored on a modern mobile phone.

And that's a scenario that just can't happen.

It would be very difficult, I mean, on large crimes, which need to be solved.

Sure. Now let's look at the consortium for a moment. This concept of cross-border cooperation is only as new as the EU itself. In the past, individual states have operated autonomously. And I'm wondering, how is this cooperation working in a project like this?

Yeah, you're right. In the past, cybersecurity was, in my opinion, seen as a sovereign power of each country, and especially when it comes to offensive capacity. Every country just wanted its own tools and techniques. Most of them, by the way, just failed to build any significant capacity on their own. But those who did succeed never wanted to share it with someone else, probably because how could you be sure that this country wouldn't use your own tool to spy on you? But anyway, given the challenges of today, I mean the growing difficulties to gain access to secret information, it's obvious that cooperation is necessary. In many cases, you need to share not only information on ongoing investigations, but also technical information. I've said it before: it gets more difficult from a technical perspective, so you need to share your knowledge. A specific country may have a technical solution for part of the problem, another country for another part of the same problem. And sometimes the solution is just to merge the two parts and solve the puzzle, and the criminal case that is behind this technical puzzle. So yeah, it's really fantastic today to be able to share information with a number of trusted partners and even to actually welcome them in Paris when they can travel. So it's really good. And of course, I'm not into geopolitics, but we need to make sure that these capacities are used for a common good, for the interest of Europe and to protect the citizens, and not just for the interest of specific countries. And these are well-known challenges of any cooperation between different entities, and it's a challenge that Europe will continue to address.

Right, and it sounds like in many of these H2020 projects, this is exactly the case: these countries are coming together for a common good, for sure. And I wonder, when we look at EXFILES, how would you say that this project would advance these cybersecurity efforts that are happening in the EU right now?

Yeah, ultimately, it's about knowing if Europe wants to improve its capacity to investigate crimes, modern crimes, on its own, or if we are happy to rely on technology mastered only by some foreign countries. Of course, today you have competitors doing mobile phone forensics, especially Israel and the US. They are willing sometimes to sell their tools to law enforcement in Europe, or at least some of their capacity. Not all. But it's very expensive. You don't always control the data; in specific cases, you were actually requested to send the phone abroad with all the data for the investigation, and so on. And especially, one day they may decide to stop providing specific tools and capacities, maybe a little bit like the face masks at the peak of the COVID crisis. You know, it's the kind of critical capacity that may one day be too sensitive to be shared with other countries. And in that case, you know, Europe would be left without any tools to investigate a modern smartphone. So I think it's really a key issue for the future.

OK, and it sounds like then that EXFILES is a project that will sort of ensure the autonomy of the EU when solving crimes that happen within our borders. So this is an interesting project, and we look forward to finding out more about it as time goes on. But thank you for your insights today and we appreciate the information.

Thank you, Peter, for having me.

For more information about EXFILES, go to exfiles.eu. The EXFILES project has received funding from the European Union's Horizon 2020 research and innovation program under the grant agreement number 883156.