From Hacker to IoT Security Hero? Red Balloon Floats New Solution
The same person who once hacked HP printers and other telecommunications products to demonstrate the vulnerability of embedded devices has now developed a platform-independent real-time host-based intrusion defense system designed to secure all embedded products, regardless of vendor or operating system.
Red Balloon Security's offering is, claims CEO and chief scientist Ang Cui, the opening salvo in the battle on embedded insecurities; just as Norton Antivirus altered the way in which computer users combatted desktop malware, Red Balloon's approach will change how embedded systems – the billions of components making up the Internet of Things, communications, and peripherals – are protected. In its first volley, the company announced a partnership to deploy its host-based defense technology on three new HP LaserJet Enterprise printers and multi-function printers planned for this fall, as well as all Future Smart-enabled HP LaserJet Enterprise printers already sold.
"Every part of our modern existence is controlled by our tiny, vulnerable embedded devices. The important thing about what we did was not just point out the flaws but how to protect all these devices – and do it practically," Cui told EnterpriseTech. "They're proprietary. They're black boxes. Getting access to the source code is impossible. There are tens of thousands of OS variations out there. It would be prohibitive unless you had a fundamental shift in the way security technology worked."
The developer, a spinout from Columbia University where Cui earned his PhD, received funding from the educational institution, as well as government agencies such as the Federal Bureau of Investigation (FBI), the Defense Advanced Research Projects Agency (DARPA), and the United States Air Force, according to Cui. Red Balloon produced a secure router for the Air Force and demonstrated its capabilities in other secret implementations, he said. The developer came up with a wish list of capabilities, and then designed the technology from the ground up, said Cui. As a result, its Symbiote Defense system delivers similar security capabilities to those found on a desktop or laptop, he said.
"A commercial version of this technology has been used in vulnerable legacy routers within the Air Force environment," said Cui. "Our technology has been tested and funded by the U.S. government. It's got a proven track record of being effective in high-demand environments."
At the Black Hat conference in Las Vegas this summer, Red Balloon demonstrated how to sneak out network data via a laser printer and the AM-band of a radio without detection. A datacenter's thick cables act as the antenna, transforming the printer's adjusted chip-circuits electromagnetic waves into code. Acting as amplifiers, the cables emit the code to a receiver – the radio – that hackers then use to steal data, CNN reported. Cui also gained notoriety for hacking Cisco phones.
The IoT is expected to incorporate more than 26 billion devices by 2020, according to Gartner. Organizations are adding sensors to everything from pacemakers and implants to garage doors and light fixtures, but without one standard to follow, they adopt multiple OSes and platforms to enable their solutions. Securing these products on a case-by-case basis would be cost-prohibitive, if feasible, Cui said.
That's not to say Red Balloon is not working closely with vendors. The company is teaming up with developers, starting with today's HP announcements. It plans to next introduce the same level of defense into other printer lines and partner with more vendors across not only printers. but a slew of potential products and devices, Cui envisioned.
"We would be able to stop exploits against ATMs, pacemakers, critical infrastructure," he said.
However, Red Balloon could not legally provide enterprises with the option to secure all their IoT devices and peripherals with its technology, he said, since that would breach current user licensing agreements (ULAs), he said. In the future, this could change if user organizations and vendors team up, as they did to combat malware on desktops and laptops, said Cui. After all, most IoT and peripherals makers have little desire to be security developers, he said.
"That's why I think the technology we're introducing is such a game-changer. If there was a cheap and effective security solution, it will benefit the organization. It will benefit the vendor because, all of a sudden, they don't have to be a device company and a security company at the same time," Cui said. "I think over next few years we're going to come up with news ways of selling embedded devices and pricing them and the software that goes into them."