In late 2017, an anonymous owner of several IoT devices received a wake-up call when a hacker infiltrated the mobile app he was using to control the many smart home appliances at his residence. The hacker got remote access to the camera in the robot vacuum cleaner and used the video feed to spy on the unwitting owner. To make matters worse, the hacker posted videos online as a way to celebrate his conquest. The under-fire manufacturer of the vacuum cleaner promptly released a firmware update to patch the security glitch. However, the incident proved how an entire home can be exposed to hackers through a simple fault in a mobile app.

Since most IoT devices come with embedded WiFi and Bluetooth and are “always on” by default, they are almost designed to infiltrate a home network. This is why owners of IoT devices are advised to religiously change the default password on their devices and ensure that all appliances are up to date with the latest software. Even with these precautions, there is a growing sentiment that IoT security is either being ignored or not keeping up with the pace of growth; a recent survey indicates that the total number of IoT devices worldwide will hit 50 billion by 2020.

Phosphorus Cybersecurity, an emerging connected security solution provider, is focused on remediating the vulnerabilities introduced by IoT devices. While acknowledging that the two most common vectors exploited by IoT hackers are vulnerabilities in out-of-date firmware and default, embedded usernames and passwords, Chris Rouland, the CEO and co-founder of Phosphorus Cybersecurity, explains why IoT devices aren’t easy to patch. “It’s very common today; a new IoT device would have a 20-year-old firmware on it. When it comes to PCs, enterprises could easily patch old software because they had to deal with just one vendor like Microsoft or Cisco; on the other hand, every IoT device has a different vendor. Before our arrival, enterprises couldn’t patch IoT devices due to their heterogeneous nature,” explains Rouland.

In a heterogeneous IoT environment, there is no central management console to secure multiple devices, whereas in the PC world, companies like BigFix and Tanium specialize in patching. Rouland, who has founded and led several multimillion-dollar cybersecurity firms such as Bastille and Endgame, saw the need to focus on securing IoT devices a few years ago. “When I saw this problem in 2017, I decided to make some inventions, to automate the management of IoT devices without running an agent. That’s where our core intellectual property is: we are able to secure a massive ecosystem of IoT devices without running an agent, making it possible for easy and rapid deployment of our technology,” says Rouland.


With the manufacturing, industrial (IIoT), healthcare, finserv and retail industries wholeheartedly embracing IoT, Phosphorus Cybersecurity’s primary focus is at the traditional enterprise level. Though still at an early stage, the company is already changing life for its clients. Take the example of a manufacturing unit that wanted Phosphorus Cybersecurity to manage and secure approximately 10,000 IoT devices. “By providing Unicorn firmware, we didn’t just prevent cyber threats; in fact, we improved their manufacturing numbers by five percent. Our focus was not even on improving their performance, but by providing up-to-date firmware, we enhanced more than just security,” adds Rouland.

In addition to managing device firmware, Phosphorus Cybersecurity has also solved the “default credential” problem of common passwords shared across IoT devices. Phosphorus integrates with PAM/IAM tools to store and rotate unique passwords, helping organizations stay compliant with required password policy and addressing the other major attack vector on IoT.

Over the next 12 months, Phosphorus Cybersecurity has ambitions that extend beyond just successful deployments for clients. Since most of its customers already use other products for helpdesk, firewall, and security management console integration, Phosphorus Cybersecurity plans to integrate its solution with the rest of the security products that exist in an enterprise.