Proving the Business Case for the Internet of Things

IoT security start-up Vdoo raises $32m

Steve Rogerson
May 2, 2019
Israeli IoT security start-up Vdoo has raised $32m in series B funding to increase market adoption of its IoT security platform while expanding its technical capabilities. This brings the company’s total funding to $45m.
The company has set its sights on becoming the industry’s first end-to-end security offering for embedded devices of any type.
“At a time when embedded devices already deployed in the field not only collect data but actually control our physical environment, affecting both business operations and our personal lives, it’s hard to imagine a future where all of these devices can be exploited,” said Netanel Davidi, co-CEO and co-founder of Vdoo. “The reality is that devices are highly vulnerable and there is a reasonable chance they will be under a massive attack in the near future. Our vision is to make them more secure as we continue to build an automated security platform that meets the demands of an increasingly connected world. Corporations, standardisation bodies, regulators and cyber insurers all understand that it's time for a change and that security for the connected environment is essential. The funding will enable us to accelerate market education by working closely with these bodies to make a significant change in approach to embedded devices security."
The funding round was led by venture capital firms WRVI Capital and GGV Capital, with participation from NTT Docomo Ventures, which joined the round based on earlier successful cooperation, MS&AD Ventures, an affiliate of a global cyber insurance firm, and strategic individual investor Avigdor Willenz, founder of Galileo Technologies and Annapurna Lab. Dell Technology Capital, 83North and David Strohm, who led the company's initial financing, also participated in the B round.
“Among all start-ups for embedded systems, Vdoo is the first to introduce a unique, holistic approach focusing on the device vendors which are the focal enabler in truly securing devices,” said Lip-Bu Tan, founding partner of WRVI Capital. “We are delighted to back Vdoo’s technology, and the exceptional team that has created advanced tools to allow vendors to secure devices as much as possible without in-house security know-how. For the first time in many decades, I see a clear demand for security, as being raised constantly in many meetings with leading OEMs worldwide, as well as software giants.”
The funds will be used to accelerate product innovation in the form of a comprehensive set of automated analysis capabilities, including zero-day vulnerabilities detection, which enable device vendors to implement security levels at scale, both for new and legacy devices. In addition, the round will fuel the expansion of a rapidly growing partner and distribution network, which already includes NTT Advanced Technologies, Macnica, DNP and Fujisoft in Japan.
Vdoo’s partners help IoT makers secure their devices, address their customers’ security expectations, and comply with emerging IoT regulatory actions and industry standards.
“Vdoo brings a unique end-to-end security platform, answering the global connectivity trend and the emerging threats targeting embedded devices, to provide security as an essential enabler of extensive connected devices adoption,” said Glenn Solomon, managing partner at GGV Capital. “With its differentiated capabilities, Vdoo has succeeded in acquiring global customers, including many top-tier brands. Moreover, Vdoo’s ability to uncover and mitigate weaknesses created by external suppliers fits perfectly into our supply-chain security investment strategy. This funding, together with the company’s great technology, skilled entrepreneurs and one of the best teams we have seen, will allow Vdoo to maintain its leadership position in IoT security and expand geographies while continuing to develop its state-of-the-art technology.”
Vdoo’s automation platform lets IoT manufacturers raise the security bar in a scalable manner by implementing only device-specific security requirements, which include step-by-step guidance to help the vendor mitigate the security threats in a cost-effective manner. The security requirements are integrated into common task management and development environments. On top of that, the technology improves the device’s security even more by automatically generating tailor-made on-device micro-agents for active real-time protection against known and unknown threats, including exploits that use advanced methods.
The security automation technology leverages machine learning capabilities to create a security profile for any embedded device by defining its unique threat landscape, conducting designated penetration testing and performing a complete security gap analysis, all in an automated manner. The capabilities are based on deep analysis on a data set of 70 million embedded systems' binaries and more than 16,000 versions of embedded systems.
During the past 18 months, Vdoo has helped dozens of vendors address an aggregated total of 150 zero-day vulnerabilities and more than 100,000 security issues. These vulnerabilities could allow cyber criminals to takeover or completely destroy more than 1.5bn devices, even when not connected to the internet.
The research shows that the embedded devices security problem is not vertical specific as this dataset is comprised of firmware of devices from multiple verticals – safety and security, smart buildings, medical, industrial, automotive, enterprise appliances, telecoms and smart home. Many of the vulnerable devices identified are connected directly to the internet and are widely spread across device types such as video surveillance equipment and security cameras, with NVRs and DVRs topping the list, followed by network elements such as gateways, routers, switches, STBs and modems.
Security issues were also found in IT and OT appliances such as NAS servers, industrial control switches, printers, VoIP gateways and conference extensions, as well as in fire alarms, PLCs, access control and medical devices. Such devices were found exposed to complicated attacks using software vulnerability exploitation as well as to basic attacks.
In the consumer sector, security issues were found in smart watches, light bulbs, printers, tracking devices, smart TVs, personal alarms and many other popular smart home devices. Such devices were found to lack the basic security building blocks such as traffic encryption, default password change and boot process integrity.
Most devices analysed by Vdoo were vulnerable to command injection and command execution attacks, followed by memory corruption exploitation and common logic flaws. In addition, most devices consisted of embedded credentials that were easy to decrypt in a few hours.
The vulnerable devices can be exploited in a way that could enable large-scale cyber attacks that could disable an enterprise’s operations and critical functions. This, in turn, may lead to loss of trust in IoT devices, interfere with connected technologies adoption and prevent the digital revolution from taking place.