Our CTO & Co-founder, Song Li, shared his experience founding a startup, and his insights into IoT market in China with VoiceAmerica Business Channel host, Michelle Zou.
<a href="https://medium.com/media/a92f6b8010a3b8c643598b235330014f/href">https://medium.com/media/a92f6b8010a3b8c643598b235330014f/href</a>Michelle: What is the IoT, the Internet of things?
Song: The internet of things is pretty much everything that can connect to the internet. It is small computers that connect to the internet. You might be wondering what they are. Actually, they’re all over the world. If you’re driving, you have computers in your cars. Your smart TV and your smart refrigerators are also IoT. Your Fitbit is considered an internet of things device as well.
Michelle: Why is it important to secure the internet of things?
Song: If you think about how many devices are out there, you might be surprised to find that the actual number of things that are connected surpasses the number of people in the world. According to Gartner, 70% of them are not properly connected to the Internet, meaning they can somehow be hacked. The CEO of Softbank, Masayoshi Son, once said that the two most important things about the internet of things are: number one, security; and number two, connection. He didn’t really say connection and security, he said security first and then connection. Our company provides secure links between devices and the internet, and our mission is securing every device in the world.
Michelle: Wow, that’s a big mission! So many devices out there, and the number you pointed out is “70%”. That’s scary. So, think about a device. When it’s not connected, it’s safe, but it’s also useless. When it’s connected, there are opportunities for some people to hack into it.
Song: Exactly. Bad guys can really hack into it, stealing your data, or copying your files, or maybe getting your personal information. Sometimes, they even send malicious commands to the device to make it do bad things.
Michelle: How did you guys start NewSky Security?
Song: In 2014, I was a software engineer working at eBay. One day, I heard that Costco’s website got hacked. I was worried, because I sent my photos to Costco to print, and I didn’t know whether I was also sending photos to the hackers. My cell phone had a Costco app installed, and I did what most security researchers would: I audited Costco’s app. After poking around for about two nights, I found a way to fabricate a malicious QR code that Costco could scan and that would put me in control of the phone.
Michelle: Hold on. You created a QR code to hack yourself, not anybody else.
Song: Exactly. Hacking somebody else is the last thing I would do, but hacking myself is part of the research. After my own research, I realized that this was not uncommon. So I shared my research with my neighbor, Scott Wu. Back then, I didn’t know Scott was actually on the defense side. When I am doing research, I am the attacker. Scott was the defender. He worked for McAfee and Symantec before. Scott told me that it was great to find vulnerability in Costco’s app, and that we needed to notify Costco.
Michelle: So your partner, Scott, works for those famous anti-virus companies. If you are doing bad things, he will be the person to find you.
Song: Yes. I’m the white hat hacker, and he is the defender. We teamed up to notify Costco because it was our obligation to let the manufacturer know that their software had a vulnerability and that they had to fix it.
Michelle: Why did you say this was your obligation?
Song: Because we are the good guys: we should not take advantage of that. In fact, the obligation extends beyond notifying the manufacturer. After probably 3 to 6 months, we need to let the general public know that devices or software that they might be using have this vulnerability, so that the public have a choice to either stop using it or get a new one. But first, we needed to let the manufacturer know so that they had a chance to fix it.
Michelle: Why did you wait 3 to 6 months?
Song: Because we needed to give the manufacturer enough time to create a patch or create a new version of software to fix the vulnerability. Otherwise, bad people would find out, and then they could take advantage of it. In the Costco case, Costco reacted very fast, and they fixed the problem. We still waited for 3 months before we came up with the research paper and published it at an international security conference. In the paper, we basically said that we found this problem and that we worked with Costco to fix it; Here’s why the problem happened; and In the future, we should avoid this kind of mistake. We were fortunate to meet some investors that liked what we were doing and decided to give us seed money to do more research and to build a tool so that people could find more vulnerabilities. This is how this company got started.
Michelle: Before you guys went to this conference, you haven’t started the company?
Song: No, we were just good friends poking around.
Michelle: Did investors help you found this company?
Song: Yes. Before that, we only thought this as a technical discovery, and we didn’t know there was a market potential. But the investor believed that there was a great potential for fixing vulnerabilities in the mobile devices and the internet of things.
Michelle: How did you start the startup in the US, and get customers in China?
Song: Actually, I think the technology led us to China. Initially, we started the company in Seattle because we live here, and we know talents in this area. After we started the project, particularly after buying devices and looking at their mobile apps, we discovered that most of the connected devices are built in China. Chinese companies build those devices where we found vulnerabilities. And we need to talk with them to let them know their vulnerabilities. We bought cameras; we bought smart locks; we bought smart pos(point-of-sales) machines; we even bought a computer inside a car. After we opened up these boxes, and they all had “Made In China” labels.
Michelle: Even though some products are in the US market with US brands, but their manufacturers are probably in China, right?
Song: Yes, many of them are. I’m not blaming those Chinese manufactures. Some of those devices have the software designs that were supposed to be used only in China. When the US market needed it, companies just simply put a different brand label and shipped it overseas. One example is that a camera in the US was sending data to a server in China. The reason turns out to be that nobody updated its software.But consumers are suspicious, wondering why their home cameras are talking to a server in China. If the camera company updates the software before they send it out, it would be perfectly safe. I also want to point out that most of software developers are trained to build good and functional software, but not trained to build secure things. When it comes to the security part, developers are just not aware that there are hackers in the dark who could potentially hack into their devices. If developers know it in advance, they would be more careful, and build a safer software.
Michelle: Maybe people are mostly looking at the product functionality. They haven’t realized the importance of security.
Song: Exactly. They haven’t really thought too much about it. Most of the software developers that I used to manage are really great guys. They directly joined the company after graduating from schools, with very little knowledge about the black hat hackers. Unfortunately, there is a scary world out there, especially with IoT devices. They are no longer only being used in the labs or companies. IoT devices are being used in our daily lives, and the bad guys could potentially get their hands on those devices. This is a market change. The new IoT market exposes these connected computers to the bad guys.
Michelle: Who will pay for your IoT security service?
Song: We found out that not just IoT device manufactures, but also the service providers, all have concerns on the security. We talked to a franchise company who purchased POS (point-of-sales) machines from a vendor. The company distributed those POS machines to their franchise stores. Your know, POS machine is one of the top targets for IoT hackers because the device sends credit card information to the cloud and receives financial data from the cloud. This company turned out to be our first customer in China because they wanted to ensure that their customers’ financial data on their POS machines is secure. After our first success, we started to look at more and more devices, and got more and more customers. Overall, the Chinese manufactures of IoT devices brought us to China. Also, to be fair, China is using more connected devices for automation than any other countries.
Michelle: China is more advancing in IoT compared to the US?
Song: At least in the aspect of using connected devices. If you go to China today, you would notice the large shared bike systems, like Mobike or ofo. In China, people are using their small phones to scan QR codes to unlock bikes and to make payments. In China, there are a lot of monetary transactions going through smart phones and smart POS machines. Today, there are many IoT devices in China. You are using them everyday without knowing that hackers can actually get into them. The mobile carriers in China are very aggressive on IoT expansion. They give out free devices, such as routers, to acquire more revenues. The mobile carriers worry about security as well. Our customers are China Telecom, China Mobile and China Unicom — the top three Chinese mobile carriers.
Michelle: These carries have over one billion users. So what exactly are the products you are selling to them?
Song: Our first product helps carriers scan vulnerabilities in mobile apps. Soon, mobile carriers want us to build a product that can protect their IoT devices.
Michelle: So, the first one is more like a doctor exam, checking if there are any problems. The second one is like the medicine that can actually treat the problem, right?
Song: Exactly, we basically say that we are the doctors for IoT devices. These devices are just like human. They can catch a cold, and we can treat them. Our second product is called IoT Halo. It can protect mobile carriers’ IoT system against hackers. When the threat comes, the halo just lights up. In the Costco case, it typically takes the device manufacturer or the software manufacturer 3 to 6 months to create a patch for their vulnerable device. With IoT Halo, there is the instant protection. We taught IoT Halo about hackers’ tricks, and with the help of AI, IoT Halo can detect the threat immediately and protect it right at the spot. Even though the hacker knows it’s a vulnerable device, with IoT Halo’s protection, he still couldn’t attack that device.
Michelle: It’s like a net. Usually, it’s invisible, but when there is a threat, it protects the system. In this way, the manufacturer would have more time to do their real patch.
Song: Exactly!
Michelle: How big is the company now?
Song: Our company is amazingly small. I always give this metaphor about hackers: They are actually living in the fourth dimension.
Michelle: Fourth dimension?
Song: Most people are living in a three-dimensional world. Hackers can live in the fourth dimension because they can get to a place to achieve their goals with an amazing fast speed, and in a very efficient way. A hacker can attack a system that is built by hundreds or even thousands of software engineers. To prevent the hackers, you need the most brilliant people in the world. We want to hire the best to fight the most dangerous criminals. Right now, we have people in the US, China, Australia, India and Russia. In total, we have less than 50 people.
Michelle: What’s your business growth strategy?
Song: IoT has 2 parts: “Internet” and “Things”. For “Internet”, Chinese mobile carriers are pushing very hard on building the network. US is catching up in terms of the mobile coverage and the 5G network. So these two countries are our most important markets. For “Things”, Chinese manufactures build most of the small “Things”, such as cameras, routers, and POS machines. Whereas, US builds most of the big “Things”, like airplanes and cars. From this perspective, China and US are our main markets as well. In terms of regulation, data is the most valuable thing in the internet of things industry. Hackers want to get your healthcare data, your financial data, and other monetizable data. US has the more advancing data protection regulation than China, which gives us more opportunities in China as our system protects data breach.
Michelle: That’s very interesting! Because Chinese regulation is not very sophisticated on data protection, so people in China don’t respect data privacy as much as in other countries. This creates a lot of opportunities for hackers to do bad things, which creates a lot opportunities for you guys to protect.
Song: Yes, exactly! Michelle, you made a very good point earlier about how China jumped from cash directly to cashless economy. I think it’s because China used to totally ignore the technological benefits of doing business. People had to use no choice but cash to do everything, even sometimes for buying a house. The growing financial technology helped China leap forward, skipping credit card to cashless society. I think there is also a chance that China will leap forward on data protection. To make this leap happen, technology companies, like us, need to play a part. It’s just like Tencent or Alibaba who played a big part in promoting the mobile payment, and eventually transformed China into cashless economy. We can do the same things here, using technology to protect IoT data.
Michelle: What are the opportunities and risks of doing business in China?
Song: I like your question. It’s very hacker-minded, knowing both the opportunities and the risks. For the opportunities, there is a very good formula: Compare the US and China markets, and see what are missing in China. Look at what are available in the US, and spend some time in China, living there for one month. Observe and record everything that gives you a culture shock. The things you write down are the candidates of your business opportunities in China.
Michelle: That’s one little tip. Go to China, bring your fresh eyes, experience, and record.
Song: Yes. This also gives you the risks of doing business in China. You need to look at your list and ask questions. Why is it not available in China? It’s because that people don’t know how to do it; or people haven’t realized how to do it; or is there a good reason that it should not be there; or the government forbids people to do it? China is very different from 40 years ago. When China just opened up back then, China learned everything quickly from the western world. Today, people in China are more independent and confident. They know what they want to do, and what they should not do.
Listen to the full episode on iTunes Podcast or VoiceAmerica.
Opportunities and Risks of the Internet of Things (IoT) Market in China was originally published in NewSky Security on Medium, where people are continuing the conversation by highlighting and responding to this story.