Inside the North Baltimore company that discovered some of tech’s biggest security vulnerabilities

The team at North Baltimore’s Independent Security Evaluators (ISE) has long been making headlines.

The company’s first big moment came in 2005, before it was even a company. That’s when the group of then-Johns Hopkins graduate students that formed the firm — overseen by Professor Aviel Rubin and including ISE CEO Steve Bono as well as Adam Stubblefield and Matt Green — broke the encryption on Texas Instruments‘ RFID-based chips that were designed to secure car keys, and prevent theft.

“This system was considered to be unbreakable,” ISE Executive Partner Ted Harrington said recently.

A couple years later, there was the iPhone, then just a few months old. Now working under the ISE banner, a team led by Dr. Charles Miller showed how a security flaw allowed an attacker to access personal information. Apple promptly made a fix to that issue, but it was just the beginning of a series of patches Miller and team would prompt in the company’s products.

Then it was on to Android, hospitals and, just this year, password managers.

While the press may not please execs, the research is designed to help. By identifying these potential issues but bringing awareness rather than exploiting it, Harrington said the research acts as a “change agent” at the companies and firms.

“It prompts them to take action,” he said.

Such is the work of the ethical hacker. White hats, if you will. Based from a headquarters just outside Cylburn Arboretum and an office in San Diego, ISE’s team of 45 people looks to identify how attackers could break into software before an actual breach happens. The research that’s made publicly available is only part of its work, as most of ISE’s business involves work directly with the companies building software or setting up systems to find flaws.

Harrington points to what he calls an “objective truth” about these efforts: “We’ve never not found a vulnerability,” he said.

That’s not to say that developers and the companies they work for are completely neglecting security, but instead an acknowledgement of the challenge it presents. Not to mention the difference between the people who build the technology and those who seek to exploit it.

As Harrington puts it, “the mindset to build something is very different from the mindset to break something.” Plus, he said, there’s a difference in time constraints. Unlike developers, the attackers are spending all of their time figuring out how to break in. ISE offers insight from that perspective.

“We want to help companies on their quest for security excellence,” he said.

These efforts involve work with firms of varying sizes, whether it’s a startup or a big enterprise. As opposed to networks, the work mostly involves assessing applications and how they’re constructed. This includes looking at, “What are different areas that attackers might launch a campaign, where are there coding errors built into it?” Harrington said. “Once we help them find issues, we’ll advise them on how to fix it.”

Being close to Baltimore’s universities — first Johns Hopkins, where the initial team that cracked the car key got started, and increasingly UMBC — has been a benefit for attracting talent, Harrington said. The company looks to give that talent a chance to be leaders in the security community, too: It created its own version of 20% time, which allows space for work on special projects, research or blogs and other content.

And it’s also looking to have a role in bringing that community together and addressing bigger challenges. ISE organizes the IoT Village, a series of events inside larger conferences (it was recently at RSA) that aims to raise awareness about security vulnerabilities in the internet of things devices that power connected homes and cities. Given how an attack on these could affect key machines and appliances that are used in every day life, it’s an area that keeps cybersecurity leaders up at night. So the company set up a place for dialogue, as well as some ethical hacking.

“We want that experience to be one that galvanizes a community that is bigger than us,” Harrington said. “This is about an entire community of researchers all collaborating, because we can achieve so much more together than we can ever achieve alone.”