Qadium Reaps $20M Venture Round For IoT Device Search Engine

Tim Junio was a young security consultant for DARPA, the tech research division of the U.S. Department of Defense, when the agency called for responses to an interesting challenge.

That was: Propose a way that a bad actor could cause catastrophic harm to the nation’s economy just by tapping into data that is generally available.

Junio already had an idea in mind. The former CIA analyst had been inspired by University of Michigan researchers who in 2012 reported on their quick new method to scan and identify Web-connected devices on a broad scale. While the researchers understood that the method could be used to cause harm, their intent was to create a new security tool. Building on that open source work, Junio co-founded Qadium, a data security startup that has landed more than $10 million in Defense Department contracts and earned revenues from Fortune 500 business clients. The company announced a $20 million Series A venture fundraising round this week.

San Francisco-based Qadium can take a rapid global census of the hundreds of millions of devices that connect to the public Internet—computers, routers, CCTV cameras, tablets, and so on. Qadium calls its product the “Google Street View” of Internet-connected devices. Beyond those listings, though, Qadium also serves as a search engine to reveal relationships, trends, and weak spots amid the universe of devices.

The company’s granular scans yield a mass of data that could empower malicious hackers if it fell into the wrong hands. But it can also help government agencies and businesses visualize the vulnerable points in their electronic networks and better defend themselves, Qadium CEO Junio says.

The young company takes advantage of an intrinsic design feature of the Internet—one that helps two machines start a conversation. Devices automatically introduce themselves to each other, like a crowd of name badge-wearing conventioneers eager to network. And they respond to such approaches in turn by volunteering information about themselves. “A printer announces itself as a printer,” Junio says.

In its comprehensive scans, Qadium sends out “tell me about yourself” messages to all 4.3 billion Web addresses available on the world’s most commonly used Internet protocol, IPv4. That includes addresses that have yet to be assigned, Junio says. The company collects the high-level identifying information routinely shared in response by the devices in dog-park-friendly style.

That machine ID can include the manufacturer’s name, the software it runs, and the “services” it offers—such as entree to a Web page. The device may even reveal its age, model number, and serial number. In ordinary Internet traffic, those shared IDs serve as a prelude to the machine-to-machine “handshakes” that open an exchange of data, such as a computer sending a page to a compatible printer.

But Qadium uses the machine IDs instead to analyze the hardware universe for its clients, who may not be aware of the total number of devices capable of tapping into their proprietary data or influencing their business operations. An organization’s network can now include employees’ personal smartphones used outside the office via insecure WiFi connections at a coffee shop; or a vendor’s laptop; or a business partner’s iPad, for example.

Junio won’t reveal exactly how Qadium can sift through the global constellation of devices it scans and tell which of them belong to a specific client’s network. But he says the proprietary process involves looking for the customer’s “unique signature” to create a network graph. Qadium doesn’t rely on detecting traffic between devices, and it doesn’t need passwords or access permissions from clients for the analysis, Junio says.

In every case, the startup has found devices the client didn’t know about, Junio says. The unaccounted-for devices may be leftovers from mergers, acquisitions, or the closure of business units, for example.

In addition to mapping the extent of a customer’s network, Qadium’s scans can flag vulnerabilities in devices, such as an ancient router long overdue for a security update, or a setting left in a default configuration that’s a known entry point for hackers.

In less than two hours, Qadium can complete an Internet-wide query to assess a specific kind of target, such as the mail server protocol SMTP, Junio says.

That’s the type of power explored by the University of Michigan researchers who inspired Junio by creating their fast Internet-wide network scanning tool, ZMap. The researchers, Zakir Durumeric, Eric Wustrow, and J. Alex Halderman, sent out a customized probe that uncovered more than 3 million devices with vulnerable versions of an Intel SDK (software development kit).

Such discoveries could be used to alert potential victims so they can patch the security hole. But the Michigan researchers also acknowledged in their 2012 article that rapid global network scanning could also be a formidable offensive weapon for criminals. Hackers could probe for specific weaknesses and target millions of vulnerable devices within minutes of finding them.

ZMap’s creators also warned that mass IP scanning could pose threats to privacy, such as the ability to track travelers as they move from one device to another. (Another privacy concern: The Internet scanning site Shodan identifies Web cams that casual snoops can use to spy on others through video baby monitors and other unsecured household devices, according to ZDNet.)

A more somber possibility is cyber warfare—a nation exploiting vulnerabilities in another country’s networks.

Qadium asserts that it “will not support offensive cyber operations” with its technology, and it holds that stance for the government agencies such as DARPA (Defense Advanced Research Projects Agency) that nurtured it from its founding in 2012, as well as its current military clients including US Cyber Command.

“Qadium does not, has not, and will not support offensive cyber operations or provide bulk Internet sensing data to any government,” according to the company website.

Junio doesn’t even want journalists to describe the device ID information Qadium collects as “metadata,” a word that became familiar to more Americans when they learned from Edward Snowden’s leaks that the National Security Agency was harvesting basic information on most telephone calls in the United States. That metadata included the phone number originating the call, the number called, and the length of the conversation, according to the investigative reporting unit ProPublica.

Junio says Qadium provides clients information related only to their own networks, for the purpose of defending themselves against intrusions. The company’s software can detect when firewalls are down, for example, or when a device is inadvertently unprotected by a firewall.

Business clients can pay Qadium for similar information to assess the security of their franchisees, subsidiaries, vendors, and competitors, Junio says. Qadium provides only aggregate information about third parties, however—-not data at the level of specific Internet addresses, he says.

Junio says Qadium is the first security company doing Internet-scale scanning. Its technology can’t detect the locations of network devices, but it subscribes to a geolocation service so it can add that data to customers’ network profiles, he says. In another limitation, Qadium’s scans don’t pick up devices that are part of a properly configured virtual private network.

The startup competes in the growing sector of security risk-scoring companies such as New York-based SecurityScorecard and Cambridge, MA-based BitSight, and vulnerability scanning companies such as Redwood City, CA-based Qualys, he says.

Other companies are using various technical approaches to identify devices that share, or threaten, business and organizational networks. For example, Boston-based Pwnie Express uses sensors inside client locations to detect nearby wired or wireless devices that could attempt to siphon off data or infiltrate company networks. Cambridge, MA-based Lexumo keeps track of open source code components in connected devices that can provide entry points for hackers.

Qadium received early backing from DARPA, then raised $6 million in 2015 in a seed funding round led by Founders Fund, joined by OATV, Susa Ventures, and angel investors. Its $20 million Series A fundraising round was led by NEA managing partner Scott Sandell and joined by prior investors including Founders Fund.

Junio says the company will use its new capital to beef up its engineering unit, hire a sales staff, and improve its product. A key goal is to determine how frequently Qadium should conduct its global scans. Junio declined to specify how often the company scans now. But he said Qadium will build up infrastructure to increase the rate of alerts it can send clients to let them know when a new device enters their network, for example, or when an existing device makes contact with an unsecured WiFi connection.

Information from all the Qadium scans is being archived, and together they form a data resource that could be useful to device manufacturers and industry analysts, Junio says.

The technology can not only chronicle the appearance of new devices in the Internet constellation, but also takes note when devices disappear because they’ve died or been replaced.

“We can tell manufacturers where they’re losing market share, and what products are doing better or worse,” Junio says. “We are certainly thinking about [business] dimensions other than security.”

Trending on Xconomy