Our universe of connected things is expanding by the day: the number of objects with embedded processors now exceeds the number of smartphones globally and is projected to come some 18 billion devices by 2022. But just as that number is growing, so are the opportunities for malicious hackers to use these embedded devices to crack into networks, disrupting how these objects work and stealing information, a problem that analysts estimate will cost $18.3 billion to address by 2023. Now, an israeli startup named
VDOO has raised $32 million to address this, with a platform that identifies and fixes security vulnerabilities in IoT devices, and then tests to make sure that the fixes work.
The funding is being led by WRVI Capital and GGV Capital and also includes strategic investments from NTT DOCOMO (which works with VDOO), MS&AD Ventures (the quest arm of the intercontinental cyber insurance tight), and Avigdor Willenz (who founded both Galileo Technologies and Annapurna Labs, respectively acquired by Marvell and Amazon). 83North, Dell Technology Capital and David Strohm, who backed VDOO in its previous circular of $13 million in January 2018, also participated, bringing the total raised by VDOO now to $45 million.
VDOO — a reference to the Hebrew word that sounds like “vee-doo” and means “making sure” — was cofounded by Netanel Davidi (co-CEO), Uri modify (also co-CEO) and Asaf Karas (CTO). Davidi and modify previously co-founded Cyvera, a pioneer in endpoint security that was acquired by Palo Alto Networks and became the basis for its own endpoint security product; Karas meanwhile has extensive experience coming to VDOO of working, among other places, for the Israeli Defense Forces.
In an interview, Davidi noted that the company was created out of one of the biggest shortfalls of IoT.
“Many embedded systems have a low threshold for security because they were not created with security in mind,” he said, noting that this is partly due to concerns of how typical security fixes might impact performance, and the fact that this has typically not been a core competency for hardware makers, but something that is considered after devices are in the marketplace. At the same moment, a lot of security solutions today in the IoT space have focused on monitoring, but not fixing, he added. “Most companies have good solutions for the visibility of their systems, and are able to identify vulnerabilities on the network, but are not sufficient at protecting devices themselves.”
The sheer number of devices on the marketplace and their spread across a range of deployments from manufacturing and other industrial scenarios, through to in-home systems that can be vulnerable even when not connected to the internet, also makes for a complicated and uneven landscape.
VDOO’s reach was to born of a very lightweight implementation that sits on a tiny group of devices — “tiny” is relative here: the set was 16,000 objects — applying appliance learning to “learn” how distinct security vulnerabilities might behave to discover adjacent hacks that hadn’t yet been identified.
“For any kind of vulnerability, using deep binary analysis capabilities, we strive to understand the broader concept, to figure out how a similar vulnerability can emerge,” he said.
Part of the reach is to pare down security requirements and solutions to those pertinent to the machine in request, and providing clear advice to vendors for how to best dodge problems in the first place at the development level. VDOO then also generates exact “tailor-made on-machine micro-agents” to continue the detection and mend process. (Davidi likened it to a modern reach to some cancer care: preventive measures such as periodic monitoring checks; followed by a “tailored immunotherapy” based on prior analysis of DNA.)
It currently supports Linux- and Android-based operating systems, as well as FreeRTOS and assist for more systems coming soon, Davidi said. It sells its services primarily to machine makers, who can make over the breeze updates to their devices after they have been purchased and implemented to keep them up to date with the latest fixes. Typical devices currently secured with VDOO tech include safety and security devices such as surveillance cameras, NVRs & DVRs, fire alarm systems, access controls, routers, switches and access points, Davidi said.
It’s the focus on providing security services for hardware makers, in fact, that helps VDOO stand out from the others in the field.
“Among all startups for embedded systems, VDOO is the first to introduce a distinctive, holistic reach focusing on the machine vendors which are the focal enabler in truly securing devices,” said Lip-Bu Tan, founding partner of WRVI Capital. “We are delighted to back VDOO’s technology, and the exceptional group that has created advanced tools to allow vendors to secure devices as much as feasible without in-house security know-how, for the first moment in many decades, I see a clear require for security, as being raised constantly in many meetings with leading OEMs worldwide, as well as program giants.”
Over the last 18 months, as VDOO has continued to extend its own come, it has picked up customers along the path after identifying vulnerabilities in their devices. Its dataset covers some 70 million embedded systems’ binaries and more than 16,000 versions of embedded systems, and it has worked with customers to identify and address 150 zero-day vulnerabilities and 100,000 security issues that would have potentially impacted 1.5 billion devices.
Interestingly, while VDOO is construction its own IP, it is also working with a number of vendors to provide many of the fixes. Davidi says that VDOO and those vendors go through fairly rigorous screening processes before integrating, and the hope is that down the line there will more automation brought in for the “fixing” component using third-party solutions.
“VDOO brings a distinctive end-to-end security platform, answering the intercontinental connectivity trend and the emerging threats targeting embedded devices, to provide security as an essential enabler of extensive connected devices adoption. With its differentiated capabilities, VDOO has succeeded in acquiring intercontinental customers, including many top-tier brands. Moreover, VDOO’s ability to uncover and mitigate weaknesses created by external suppliers fits perfectly into our Supply Chain Security investment strategy,” said Glenn Solomon, managing partner at GGV Capital, in a statement. “This funding, together with the company’s fantastic technology, skilled entrepreneurs and one of the best teams we have seen, will allow VDOO to maintain its leadership position in IoT security and extend geographies while continuing to develop its state-of-the-art technology.”
Valuation is currently not being disclosed.