Cyberattacks could shine light on Chicago startup

October 26, 2016 By Alida Miranda-Wolff

Last week’s cyberattacks that caused widespread disruption on the Internet were a drag for anyone surfing the web. But they could give a big lift to a Chicago-based startup called Xaptum.

The company launched three years ago with the idea that security would be one of the major challenges for the Internet of Things, or the idea of connecting everything from cars to electric meters to computer systems.

“Every pitch I make to potential customers, I always say, ‘this is coming,’ ” says Rohit Pasam, CEO of Xaptum. “They always say, ‘Really? How can you be sure?’ This was proof. It’s time for us to rise and shine.”

The company raised $2 million earlier this year from some heavyweight investors, including former Sprint CEO Dan Hesse and former Cisco executive Wim Elfrink; Hardik Bhatt, chief information officer for the state of Illinois; Jai Shekhawat, founder of software maker Fieldglass; and Terry Diamond of KDWC Ventures.

When the malicious attacks that would cripple access to a bunch of prominent websites began Thursday, Pasam was on a panel at a tech conference in Silicon Valley, talking about the cybersecurity risk for “smart cities”—those using sensors connected to buses or water mains or garbage trucks to deliver services.

One of the reasons last week’s “denial of service” attacks were so effective and unusual is that web-connected devices such as video cameras were turned into bots that overwhelmed websites with more traffic than they could handle. In the past, hackers relied on spreading worms and viruses using individual computers.

Using unsecured IoT devices, which have IP addresses just like a computer or smartphone, made the attack faster and more severe. Hackers can get control of such devices because they’re often unsecured, using generic default username and password settings. Their IP addresses are static and often publicly available. The combination makes them easy to find and compromise.

For the past three years, Xaptum has been rethinking the basic network design for connecting autonomous dumb devices, rather than computers used by people. Its software sits between the device and the network to which it’s connected.

HOW IT WORKS

Xaptum’s approach offers two key advantages. First, it doesn’t rely on the traditional DNS services provided by third parties, such as Dyn, the company that was the target of last week’s denial-of-service attacks. DNS services reconcile URLs or web addresses that users type in or search for with the numeric internet protocol addresses of actual servers that host those sites.

Another key change is to hide the identities of the IoT devices and make their assigned IP addresses random and ever-changing, so the devices themselves are harder to hack. Because the encryption keys that allow network access are randomly generated on the fly, and they aren’t kept in a master directory, they’re less vulnerable. It’s similar to how password-management apps work.

Access from the network to back-end computers is also controlled, rather than relying on an always-open gateway.

“It’s a system of a system problem,” says Pasam, a former biomedical engineer who became a computer coder, running a firm that did contract work for the former SBC in St. Louis. Among the work he did was networking for the earliest IoT devices, such as factory equipment, that sent data to a company over internal computer networks. “You’ve got to fix it at the infrastructure level.”

He says the internet was designed for the devices—originally computers—to be anonymous, which was fine when the primary purpose was to download information from the network. The internet of things is based on the idea of devices primarily uploading information—such as how a machine in a remote area, like a generator at a cellphone tower, is performing.

“With IoT you can’t be anonymous: you have to control the devices that are connected,” said Pasam, 37.

A LONG WAY TO GO

Xaptum is just getting started. The company has 15 employees, including recent hires with doctorates in computer engineering and physics. About half of the team is working out of 1871, the tech incubator at the Merchandise Mart.

Xaptum has built a test network and has been working with several corporate clients to evaluate its technology. It will have to raise more capital to build out the network for production scale.

The internet of things is in its infancy. Cisco, the Silicon Valley networking giant, expects that the number of machine-to-machine connections will more than double from 4.9 billion to 12.2 billion.

Xaptum’s solution won’t solve last week’s hacks that used older devices. Pasam and his team are building a solution for the next generation of equipment, which will have more sophisticated software to connect to networks. Equipment makers already are beginning to make the necessary upgrades, Pasam says.

But last week’s cyberattacks are likely a turning point, Bhatt said.

“This is a wake-up call, like the Target breach was,” he said. “Fortunately, it’s happening much earlier in the life cycle of IoT.”

Twitter @johnpletz

Read more on Crain’s Chicago Business