Passwords have long been seen as the weakest link in cybersecurity. That’s why we now have chip-and-pin, two-step verification and biometric solutions, among many other things.
However, few of these really work when it comes to Internet of Things (IoT) devices, which, unlike humans, can’t reset their passwords regularly and are often woefully secured.
“Today, 80% of all data traffic between smart devices is unprotected,” says Marek Ostafil, cofounder of Polish startup Cyberus Labs. “There are similar issues for satellites. In terms of IoT, we are using tools that are so vulnerable,” he adds.
Meanwhile, it’s estimated that by 2030 there could be upwards of 50bn IoT devices in use around the world.
Today, 80% of all data traffic between smart devices is unprotected.
“I think this will be one of the biggest challenges and one of the biggest investment opportunities in cybersecurity, because we don't have another choice,” says Ostafil.
The IoT market is rapidly developing. Not only are new devices constantly being developed, but they're also being deployed in new areas. “We are getting our homes stuffed with smart devices,” says Ostafil.
Yet at the same time, “very slowly, I think too slowly, we are starting to think about what these devices can do, like eavesdropping, what capabilities they have that can be exploited by cybercriminals,” he says.
When it comes to IoT devices, Ostafil adds, we didn't do our homework. “One of the biggest mistakes we’ve made was continuing using compromised authentication systems based on passwords in the world of IoT.”
3x a week
We tell you what's happening across startup Europe — and why it matters.
Cyberus Labs, which was founded in 2016, has a potential solution.
The Katowice-based startup has created a password-free solution designed to provide secure authentication and communication encryption using one-time-use tokens to authenticate both human users and smart devices.
The cloud-based Human-to-Machine element of the authentication is built around sound, which, Ostafil points out, is the most universal transport layer of communication. “All portable devices — laptops, smartphones — are by default equipped with a speaker and mic,” he says.
A sonic signal is simply sent from one device to another, without the need for actionable credentials like passwords.
“Instead of participating in this rat race with hackers and cyber criminals, we just decided to eliminate the problem itself — by eliminating passwords on all static credentials,” Ostafil says.
Cyberus Labs is far from alone in focusing on one-time codes as a cybersecurity solution. What’s unique in its solution is how the company distributes the one-time codes and how it manages the key exchange, says Ostafil.
“We spent many years developing this and a lot of money, thanks to the European Commission, to develop such a system. I think the beauty of this system is simplicity,” he says, declining for obvious reasons to give precise details.
In 2018, Cyberus Labs received a grant as part of the European Commission’s Horizon 2020 programme, which enabled it to push forward, also granting it greater credibility.
“We had the trust of the European Commission, which translates in our case into trust from others,” says Ostafil.
In the IoT space, the company operates in four main areas — industrial IoT, smart buildings, smart homes — including building management systems — and automotive, with clients in Poland, Spain, France, the US and New Zealand.
In 2019 it achieved a revenue of more than €300k and in 2020 it established a physical presence in France with an office in Paris, and a US presence in New York and California.
The startup is set to launch a lightweight encryption solution in early 2021 that will be available in a downloadable version. The team is currently working on adapting it so that it's available on the Microsoft Azure Marketplace platform.
“This is quite a step ahead because normally you don't sell encryption online,” says Ostafil. “Normally you can't just download the encryption system and deploy it on your smart devices, but this is actually what we’ve done.”
Internet of (protected) Things
Ostafil claims that Cyberus Labs’ competition isn’t around specific companies but established models of using passwords, which makes it more challenging.
“But we are succeeding and we are fighting our way through,” he says, while pointing out that there’s already been leaks of biometric data used for cybersecurity purposes, which shows the challenge facing all new potential solutions.
“I think trust is the most important thing, and the most difficult, especially if you're working in cybersecurity, and especially when you're bringing innovative solutions,” he says.
One thing is clear, however: that an effective solution for protecting IoT devices will be a real money maker.
Right now there is a little bit of panic trying to figure out how to protect all this mess.
“Machine-to-machine authentication of billions of devices has been based on passwords. I think one of the greatest investments in cybersecurity is to retrofit solutions for IoT,” Ostafil says. “Right now there is a little bit of panic trying to figure out how to protect all this mess.”
As for Cyberus Labs: “We’re not trying to build another wall of the fortress,” he says. "We just eliminated the weakest element.”
At Microsoft Central and Eastern Europe, our vision is to help the region advance as digital hotspot, by enabling local entrepreneurs and businesses to innovate and scale globally. The Microsoft for Startups programme is part of that vision, partnering with B2B startups in the region to provide technology and business support and help them realise their ambitions for growth. Connect with us today!