Tim Junio was a young security consultant for DARPA, the tech research division of the U.S. Department of Defense, when the agency called for responses to an interesting challenge.
That was: Propose a way that a bad actor could cause catastrophic harm to the nation’s economy just by tapping into data that is generally available.
Junio already had an idea in mind. The former CIA analyst had been inspired by University of Michigan researchers who in 2012 reported on their quick new method to scan and identify Web-connected devices on a broad scale. While the researchers understood that the method could be used to cause harm, their intent was to create a new security tool. Building on that open source work, Junio co-founded Qadium, a data security startup that has landed more than $10 million in Defense Department contracts and earned revenues from Fortune 500 business clients. The company announced a $20 million Series A venture fundraising round this week.
San Francisco-based Qadium can take a rapid global census of the hundreds of millions of devices that connect to the public Internet—computers, routers, CCTV cameras, tablets, and so on. Qadium calls its product the “Google Street View” of Internet-connected devices. Beyond those listings, though, Qadium also serves as a search engine to reveal relationships, trends, and weak spots amid the universe of devices.
The company’s granular scans yield a mass of data that could empower malicious hackers if it fell into the wrong hands. But it can also help government agencies and businesses visualize the vulnerable points in their electronic networks and better defend themselves, Qadium CEO Junio says.
The young company takes advantage of an intrinsic design feature of the Internet—one that helps two machines start a conversation. Devices automatically introduce themselves to each other, like a crowd of name badge-wearing conventioneers eager to network. And they respond to such approaches in turn by volunteering information about themselves. “A printer announces itself as a printer,” Junio says.
In its comprehensive scans, Qadium sends out “tell me about yourself” messages to all 4.3 billion Web addresses available on the world’s most commonly used Internet protocol, IPv4. That includes addresses that have yet to be assigned, Junio says. The company collects the high-level identifying information routinely shared in response by the devices in dog-park-friendly style.
That machine ID can include the manufacturer’s name, the software it runs, and the “services” it offers—such as entree to a Web page. The device may even reveal its age, model number, and serial number. In ordinary Internet traffic, those shared IDs serve as a prelude to the machine-to-machine “handshakes” that open an exchange of data, such as a computer sending a page to a compatible printer.
But Qadium uses the machine IDs instead to analyze the hardware universe for its clients, who may not be aware of the total number of devices capable of tapping into their proprietary data or influencing their business operations. An organization’s network can now include employees’ personal smartphones used outside the office via insecure WiFi connections at a coffee shop; or a vendor’s laptop; or a business partner’s iPad, for example.
Junio won’t reveal exactly how Qadium can sift through the global constellation of devices it scans and tell which of them belong to a specific client’s network. But he says the proprietary process involves looking for the customer’s “unique signature” to create a network graph. Qadium doesn’t rely on detecting traffic between devices, and it doesn’t need passwords or access permissions from clients for the analysis, Junio says.
In every case, the startup has found devices the client didn’t know about, Junio says. The unaccounted-for devices may be leftovers from mergers, acquisitions, or the closure of business units, for example.
In addition to mapping the extent of a customer’s network, Qadium’s scans can flag vulnerabilities in devices, such as an ancient router long overdue for a security update, or a setting left in a default configuration that’s a known entry point for hackers.
In less than two hours, Qadium can complete an Internet-wide query to assess a specific kind of target, such as the mail server protocol SMTP, Junio says.
That’s the type of power explored by the University of Michigan researchers who inspired Junio by creating their fast Internet-wide network scanning tool, ZMap. The researchers, Zakir Durumeric, Eric Wustrow, and J. Alex Halderman, sent out a customized probe that uncovered more than 3 million devices with vulnerable versions of an Intel SDK (software development kit).
Such discoveries could be used to alert potential victims so they can patch the security hole. But the Michigan researchers also acknowledged in their 2012 article that rapid global network scanning could also be a formidable offensive weapon for criminals. Hackers could probe for specific weaknesses and target millions of vulnerable devices within minutes of finding them.
ZMap’s creators also warned that mass IP scanning could pose threats to privacy, such as the ability to track travelers as they move from one device to another. (Another privacy concern: The Internet scanning site Shodan identifies Web cams that casual snoops can use to spy on others through video baby monitors and other unsecured household devices, according to ZDNet.)
A more somber possibility is cyber warfare—a nation exploiting vulnerabilities in another country’s networks.
Qadium asserts that it “will not support offensive cyber operations” with its technology, and it holds that stance for the government agencies such as DARPA (Defense Advanced Research Projects Agency) that nurtured it from its founding in 2012, as well as its current military clients including US Cyber Command.
“Qadium does not, has not, and will not support offensive cyber operations or provide bulk Internet sensing data to any government,” according to the company website.
Junio doesn’t even want journalists to describe the device ID information Qadium collects as “metadata,” a word that became familiar to more Americans when they learned from Edward Snowden’s leaks that
