Growing Industries Month 2019

ReFirm Labs goes deep in the supply chain to get ahead of IoT security issues

The Fulton, Md.-based company wants to help spot security vulnerabilities in connected devices before they reach the market.

A screenshot of ReFirm Labs' Centrifuge Platform. (Courtesy image)
As the number of connected devices grows, so does the potential that they could fall victim to a cyberattack.

For members of the team at ReFirm Labs, a company that focuses on Internet of Things (IoT) security, that’s a reality they confronted first while working at the National Security Agency, and now while developing the Fulton, Md.-based company’s commercial product, called Centrifuge Platform.

The company’s own lifecycle to date shows a path through Maryland’s cybersecurity community: Members of the team honed experience inside NSA. Then they formed a company called Tactical Network Solutions. From that company’s work on the platform, ReFirm Labs spun out and received backing from DataTribe, a Fulton-based startup studio looking to support technologists who worked inside government agencies that are now building startups.

For his part, CEO Derick Naef, a two-decade veteran of leading startups in the region, joined the company in January. Cofounder Terry Dunlap, who was previously CEO, remains chief strategy officer.

While cybersecurity threats are often thought of as being directed toward a network or individual phones and computers, connected devices expand that realm to other things that are used in everyday life. Naef sees awareness of the potential issues growing; there’s more media attention, for one. Yet the company is looking to address the issues in a place that’s further away from public gaze: the factories and supply chains that produce the components these devices are made from.

Putting together devices involves complex supply chains, so there could be vulnerabilities in a part that came from a manufacturer or another company — and that’s led to “a growing awareness that you need to look at not only the stuff you’re building, but also things you’re getting from suppliers,” Naef said. Ultimately, a security issue could lead to problems for the whole product, no matter where it came from.

ReFirm Labs looks to take a proactive approach: The Centrifuge Platform is designed to analyze images of the firmware that controls the devices to find potential vulnerabilities before attackers do. The company is releasing a series of updates this spring, and among the new features is a malware and known exploits detector.

“As we identify exploits in different devices, we’re going to add that to our registry of exploits, and that will be something we’ll scan other firmware against to see if that’s present in other devices, as well,” Naef said.

Based out of DataTribe, the eight-member team has also been adding customers, Naef said. They’ve seen particular interest in the communication service provider market, which includes telecommunications companies, internet service providers, and cable and wireless companies, as well as from other industries.

“We’re seeing good customer uptake with the product,” Naef said.

These communication service companies send lots of devices out to customers, who use them to get internet and cable services in their homes. But the devices themselves are made by other suppliers who make and put together the component parts. So the firms want to know whether there could be potential security issues with a device like a router before it ends up in someone’s home.

ReFirm is also paying particular attention to malware known as LoJax, creating a tool to analyze UEFI, the firmware that helps computer hardware communicate with software when a computer boots up.

Another sign of the company’s leadership is an open source tool that was released before Centrifuge.

In 2010, principal reverse engineer Craig Heffner created an open source tool called Binwalk that’s designed to help researchers. It was designed as a resource, and Naef said the tool has tens of thousands of users who are working on research to reverse engineer firmware images. The company wants to continue to support that community, and sees it as an “entry level tool.” So it’s continuing development with a new version called Binwalk Pro that has additional capabilities.

“It’s something we’ve built up to support the community, and we’d like to continue doing that,” Naef said.

This editorial article is a part of Technical.ly's Growing Industries month, when Technical.ly Baltimore is focusing extra reporting on the topic of cybersecurity.
