Sony Pictures. Ashley Madison. Twitch. Patreon. Snapchat. LinkedIn. Last.fm… Those are just a handful of the companies that have suffered massive password-related breaches in recent years. Bulk password theft is the scourge of our digital times.
Cambridge-based U.K. startup Silicon:Safe reckons it has the answer to these kinds of massive password hacks. For the last three years it’s been developing a piece of hardware that’s designed to store passwords so the data cannot be read from outside. The box can only be queried to specify whether a password is valid or not valid. The actual password data never leaves its hardware prison.
Silicon:Safe is touting “100% protection from password theft” on its website. However, co-founder and product designer Dr Will Harwood is careful to specify that the solution is aimed specifically at fixing password theft in bulk.
“We are about preventing theft of the data from the enterprise. So we’re very much about protecting the enterprise, making sure the enterprise cannot be blamed, if you like, for the username and passwords being stolen. Or certainly being stolen in bulk form,” he tells TechCrunch.
“I would not make the claims that this is a universal solution in the sense that there’ll be other places where the passwords reside temporarily in an enterprise’s computer architecture where potentially you could steal them from. If you send your password to a front end web server, you could steal it from there.”
The startup has various ideas for applying its tech to address other sensitive data areas in future — including credit card data and biometrics storage — but it’s starting off with a password storage product, called Password Protect, due to launch in April.
Harwood, who used to work at Citrix, said he came up with the idea for the product after finishing a security-related PhD, and casting around for potential research areas to move into academia proper.
“I wandered along to a workshop that was taking place in Cambridge on four methods applied to security. This was in early 2013 and at the workshop somebody stood up and basically said look this really nasty thing has happened to Sony [and lots of other companies]… This is going to be a problem. And we need to find better cryptographic solutions to deal with it,” he says.
“I was thinking about this and realized that there was a problem which amounted to cryptographic solutions weren’t actually good enough for dealing with the problems that the businesses had.”
Although initially Harwood was considering using the idea for an academic research proposal, an encounter with his now co-founder, Roger Gross, convinced him to attempt the commercialization route instead — and the pair co-founded the business in late 2013, bringing Nick Lowe (ex-AppSense) on board as CEO.
Harwood argues the core of the problem for businesses is actually the reputational damage caused by bulk data theft. Because even if stolen data was properly encrypted — so it’s highly unlikely any passwords will ever be compromised — they still have to tell their users to change their passwords, just to be on the safe side. And thus the reputational damage is done.
“Cryptography is great. This is not an argument against cryptography,” he says. “This is an argument that says you have to stop the theft.”
So what exactly has Harwood designed? “Quite simply it’s a box, you put your user IDs and passwords in… and once you’ve registered a user account with a user ID and password it will never release the password out of the box,” he explains. “So if you want to know if a user has a particular password you ask the box does this user have this password — and it tells you yes or no.”
The Ethernet-connected device is installed in the datacenter, linked to a company’s front end webservers. It runs proprietary firmware, rather than an OS.
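The yes-or-no interface Harwood describes can be modelled in a few lines. This sketch is an added illustration, not Silicon:Safe's firmware or API: the class, the request format and the internal salted PBKDF2 storage are all assumptions, and the real device enforces the boundary in hardware rather than through an API surface.

```python
import hashlib
import hmac
import os


class VerifyOnlyStore:
    """Toy model of the box: register and verify, with no read path."""

    def __init__(self):
        self.__records = {}               # user_id -> (salt, digest); never returned
        self.__dummy_salt = os.urandom(16)

    @staticmethod
    def _digest(password, salt):
        # Assumption: the page does not say how the box stores passwords.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user_id, password):
        if user_id in self.__records:
            return False                  # no silent overwrite of an existing account
        salt = os.urandom(16)
        self.__records[user_id] = (salt, self._digest(password, salt))
        return True

    def verify(self, user_id, password):
        record = self.__records.get(user_id)
        salt, expected = record if record else (self.__dummy_salt, b"\x00" * 32)
        # Always hash and compare, so unknown users cost the same as known ones.
        candidate = self._digest(password, salt)
        match = hmac.compare_digest(candidate, expected)
        return bool(record) and match


def handle_request(store, request):
    """Dispatch a constructed request dict; the only answers are booleans."""
    op = request.get("op")
    if op == "register":
        return {"ok": store.register(request["user"], request["password"])}
    if op == "verify":
        return {"valid": store.verify(request["user"], request["password"])}
    # Any other operation (a dump or read, say) has no handler to reach.
    return {"error": "unsupported operation"}
```

The front end web server still sees the submitted password in transit, which is the residual exposure Harwood himself points out.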
“Essentially we have a platform where instead of millions of lines of code we have… ten thousand lines of code,” says Harwood. “We don’t have an operating system there. It’s bare metal programmed. And it’s programmed on a machine architecture which will not allow things like code injection attacks… The administrator cannot get the passwords out of the box.”
“We avoid as far as possible relying on complicated software when we can actually do things directly in the hardware,” he adds. “So for example the Ethernet connectivity and the TCP connections are actually hardware TCP chips, which we can get, rather than actually having a complicated TCP stack. And that also has a secondary advantage of having defense in depth. Because a standard way of attacking a system is smashing the TCP stack… Which is perfectly possible if it’s in software but it’s not really feasible when you talk about hardware implementation of the TCP.”
The concept is a bit similar to hardware security modules that store encryption keys. But instead of just storing keys, Silicon:Safe’s tech is designed to store bulk sensitive data such as passwords. So it’s effectively treating passwords (or other sensitive data targeted for bulk hacking) with the same storage sensitivity as encryption keys.
The firmware is not open source, but Harwood says the company will let customers review the product’s code to work around the trust issue. It has also not yet had the tech independently verified by a security researcher, but it has let some third-party penetration testers at it — and Harwood claims they weren’t able to extract any data or significantly affect the system.
So if it’s so secure, why hasn’t someone else thought of doing this before? According to Harwood there are various factors explaining why hardware has been overlooked as a security solution for bulk data theft, not least the industry’s general focus on software.
He also points to the fact that the hardware industry has historically been based on using commodity hardware — e.g. Intel or ARM processors — to make products, because these chipsets were cheap and plentiful. Which meant, in years past, it would have been very expensive to develop proprietary hardware such as this. But the cost of prototyping hardware has decreased significantly over the past decade.
“One thing that’s changed it is the IoT [Internet of Things] movement has been pushing the price of hardware down and making it more widely available. And generally there’s been a drop in price of electronics so the cost of prototyping something has dropped from… hundreds of thousands to tens of thousands. In over a ten year period. So we can basically now sort of start building things in hardware which we’d think well it wasn’t worth the effort previously because of the cost barrier,” he says.
Silicon:Safe has filed several patents around the core concept at this point — including in the UK, the US and internationally. It is also about to start on worldwide patent filing. And Harwood says it will also now start filing patents covering specific elements of the design.
It’s raised $1 million in seed funding from private investors to fund development thus far. And has four beta testers trying out the system at present — including a U.K. high street retail bank, a telecoms organization, a pension company and a financial investments organization (it’s not disclosing any customer names yet). Lowe says it would be happy if it has “half a dozen” customers signed up a year from now, as it works to prove its hardware concept in a marketplace used to paying for software security solutions.
In Harwood’s view the biggest operational cost to users of the tech is exactly this change to a new way of doing things. “As a commercial activity we’re working to minimize that so our objective is to have the integration time down to between half a day and two days into an existing infrastructure,” he says.
“Part of our commercial route is to develop plug-and-play kits which will allow you to plug a piece of software into an existing identity management solution and then plug our box into that software,” he adds.
The other big cost is the hardware price-tag itself, of course. One of the Password Protect boxes is likely to cost around £100,000, and the pair say a company would likely need at least two for a “minimal configuration”, and perhaps up to four for the purposes of data replication and if operating from multiple data centers.
But they do also plan to launch a SaaS-style version of the product in future, for smaller businesses to be able to “offload critical data storage into a cloud service” without having to spend such large sums up front on buying the hardware themselves.
The team is also already working on their next product — involving credit card data storage. “That presents some slightly different challenges,” says Harwood. “It has some of the same challenges, but it also, unlike passwords, you do disclose details of the credit card transaction to the acquiring bank.
“As far as the user and the enterprise are concerned it’s just like passwords. But it has this exception that it has this secure channel to the bank. Now the secure channel to the bank is something which is well defined in credit card processing. So what we do with that is, inside our box, we have… almost like an air gap process between handling everything on the merchant side, on the enterprise side, and then saying — once you’ve sorted everything out — then saying to the bank now do this transaction.”
The big selling point it sees for this future product is to help merchants who want to be able to process credit card transactions achieve plug-and-play PCI compliance. Harwood notes that achieving the highest level of PCI compliance protects a merchant against credit card fraud, but that advantage is offset against the cost of achieving and maintaining top-tier PCI compliance.
“Essentially what we’ll be saying to a merchant, here is a box that it’s already been agreed that it’s PCI compliant. If you plug it into your infrastructure in this way you will have your highest level of PCI compliance,” he says.
On the biometrics side, Silicon:Safe will be designing a security product for the kind of large scale, often government run databases that store biometrics en masse for authentication purposes — and also, therefore, present an attractive target for hackers.
And the really big problem with stolen biometrics? You can’t exactly ask people to change their fingerprints ‘just to be safe’… Ergo, there’s even more of a critical case for rock-solid security for this type of data. And Silicon:Safe hopes its hardware ‘digital safe’ is the answer.