Thistle Technologies emerged this week to tackle the problem of delivering security updates to the internet of things (IoT).
The IoT market — which includes printers, edge devices, remote systems, consumer electronics, and automobiles — is booming, and security experts worry about the expanding attack surface. There are ways to update traditional networked devices, such as routers, cameras, and printers, but that isn’t the case for IoT. Each of these devices is now a mini-computer on the network, and a software vulnerability on any one of them means a network compromise. Once in, the attacker can move around looking for other systems to compromise and information to steal.
How it works
Thistle, led by security veteran Window Snyder, launched on Thursday with $2.5 million in seed funding from True Ventures. The startup plans to address the vulnerability by helping IoT manufacturers securely and reliably deploy updates to their products.
Thistle will build a framework for securing printers, ATMs, consumer electronics, and automobiles. The goal is to give embedded device manufacturers the ability to integrate updated mechanisms into their products. “Security-sensitive mechanisms, like updates, should be built and tested by an experienced security team,” the company said in a statement.
Snyder has spent over 20 years making some of the biggest brands more secure. She worked in senior cybersecurity positions at Apple, Intel, and Microsoft and was chief security officer at Mozilla, Square, and Fastly. While at Microsoft, she contributed to the Security Design Lifecycle (SDL) and codeveloped the methodology for threat modeling software. She was also part of the effort to reduce Microsoft Windows’ attack surface and make the operating system more resilient to attack.
That kind of resiliency is currently missing in the IoT space. If there is a vulnerability in sensors deployed over a large geographic area or in medical devices in a health care setting, the flaws remain unfixed until the system can be replaced. Many of these devices cannot be updated at all, or have a very difficult update mechanism, which means the owners are less likely to bother with the update.
Vulnerable IoT used in attacks
These vulnerable devices can cause a lot of problems beyond giving attackers a way to break into a target network. Botnets are networks of hijacked devices used to launch distributed denial-of-service (DDoS) attacks that flood websites and other online services with junk traffic to knock them offline. Last year, BitDefender researchers uncovered the “dark_nexus” botnet, which specifically preys on vulnerable IoT. The botnet compromised more than a thousand connected devices, including home and small office routers, thermal cameras, and video recorders from multiple vendors. Another IoT botnet, Mirai, launched a DDoS attack on internet infrastructure giant Dyn back in 2016 that was devastating enough to knock several major brands — including Shopify — offline and cripple parts of the internet for hours.
There are many reasons it is difficult to securely update connected devices. The manufacturer may not know how to build resilience and security updates into its devices. When the goal is speed to market, the developers and engineers often prioritize features over security. Or the device may have limited processing power and memory — just enough to do the task it is designed to do, but not much else. In critical environments, restarting the devices to install updates may not be an option. And in situations where IoT is designed to be deployed over a large geographic area for long periods of time, delivering security updates can be a logistical challenge. Some devices are off-network most of the time and connect only briefly to send data, which may not be enough time to receive and install an update.
And it’s a problem that’s just going to get bigger. IoT is well-entrenched in businesses, homes, and industrial plants. Current estimates peg the number of connected devices worldwide at around 25 billion, and that number is expected to explode with the rollout of 5G networks. Data from International Data Corporation (IDC) predicts there will be 55.7 billion connected devices worldwide by the end of 2025, of which 75% will be connected to some kind of IoT platform.
“We’re making it easier for device makers to deliver on their security requirements,” Snyder said in a statement. “When the update mechanism is resilient and reliable, the business can leverage that beyond security fixes to provide updates for new features with confidence.”
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact.
Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:
- up-to-date information on the subjects of interest to you
- our newsletters
- gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
- networking features, and more