Late 2013 and early 2014 proved to be a watershed with regard to public understanding of digital privacy and security. We learned a lot about what intelligence organizations, both U.S. and foreign, had been doing in terms of surveillance both domestically and internationally. I’d hypothesize that many — ?most? — Information Security professionals assumed the level of intelligence collection capabilities that the Snowden leaks proved…but no-one had ever confirmed it. Obviously, no-one SHOULD have confirmed anything, but… that’s what happened. Due to breaches at Target, Home Depot, Dairy Queen, Albertsons, UPS, JP Morgan Chase, Staples and KMart, the security of our commerce and communications systems was repeatedly called into question. The fact that service providers were snooping into our lives and turning us into commodities became common knowledge. These revelations about government and corporate access to our personal data and communications brought Internet privacy and security to the forefront of our collective consciousness. Topics that had previously been the domain of old UNIX greybeards and IT nerds became hot topics for the nightly news and congressional hearings.
With these events as a backdrop, the company that I work for, Kyrus Tech, announced it was looking for a new technology to incubate and launch. I spent a considerable amount of time building systems for the government in the areas of attribution management and online anonymity. My experience working in and for the government drove me to the conclusion that Internet privacy presents three fundamental problems:
In other words, I saw a set of problems or harms that would never be solved by those who should solve them. To do so would undermine their real goal: making money at the expense of our privacy. I decided to do something about it and Kyrus backed my idea. Our goal: Create a scalable cloud platform to provide privacy, security, and anonymity — accessible to all Internet users. Strong security, delivered simply.
IDVector addresses critical data protection and privacy concerns by providing a simple, scalable solution to encrypt your data in transit and provide diversified Internet access paths to ensure privacy, security, and anonymity when required.
To do this, we’ve devised several core technologies which fall into two basic categories:
There are currently two clients: the IDVector Pro USB client and the IDVector Mobile client for iOS. The Pro client is a small form factor, USB-powered device that has at its core an Atmel System on Chip and WiFi chipset. It runs a custom Linux implementation and uses both proprietary (patent pending) client software and commodity Open Source VPN software. A hardware device allows us to solve some problems that software solutions simply cannot solve alone.
First and most simply, we provide an additional layer of security — good old defense-in-depth. By using an offboard WiFi device, we move the external facing surface area off of a user’s laptop hardware and software. In other words, we keep your laptop’s hardware and Operating System isolated from unknown and possibly insecure WiFi while still allowing you to access the Internet via these free connections.
Second, we introduce some new concepts and features. We created a pre-negotiation or captive portal protection proxy which ensures that you can’t be attacked while your computer is negotiating your connection. This functionality was inspired by a series of attacks against business travelers, nicknamed “Darkhotel”. In these attacks, the captive portal systems at hotels were compromised and malware was installed that would target specific travelers based on their personal details. This malware presented itself while users were negotiating the hotel captive portal (entering their room number, last name, etc.). Most importantly, the malware was presented to the travelers as a legitimate software update with a valid (though weak) cryptographic signature, and so the target systems downloaded and installed it as if it were a valid update. Our captive portal protection proxy technology prevents binary code from reaching the client computer by stopping it at the IDVector Pro client layer. We also allow users to automatically and randomly change the WiFi MAC address of their IDVector Pro client. This helps to prevent “free WiFi” providers from profiling users or targeting them based on a previously collected MAC address.
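To make the captive portal protection idea concrete, here is an added sketch (not IDVector's proprietary implementation) of a filter that decides whether an HTTP response seen during portal negotiation may reach the client. The function names, the magic-byte table and the content-type allowlist are assumptions chosen for illustration.

```python
# Added example: filter for HTTP responses seen during captive-portal negotiation.
# Illustrative only; names and the allowlist are assumptions, not IDVector code.

# Leading magic bytes of common executable and installer formats.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE",
    b"\x7fELF": "ELF",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal or Java class",
    b"\xd0\xcf\x11\xe0": "OLE2 container (MSI)",
    b"PK\x03\x04": "ZIP container (JAR/APK)",
}

# Content types a login page plausibly needs (assumed allowlist).
PORTAL_ALLOWED_TYPES = frozenset({
    "text/html", "text/css", "text/javascript", "application/javascript",
    "image/png", "image/jpeg", "image/gif",
})

def sniff_executable(body):
    """Return the format name if body starts with known executable magic."""
    for magic, name in EXECUTABLE_MAGIC.items():
        if body.startswith(magic):
            return name
    return None

def filter_portal_response(headers, body):
    """Return (allowed, reason) for one pre-authentication HTTP response."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    # Check the bytes first: the declared Content-Type can be spoofed.
    fmt = sniff_executable(body)
    if fmt:
        return False, "body is " + fmt
    if "attachment" in hdrs.get("content-disposition", "").lower():
        return False, "download attachment"
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in PORTAL_ALLOWED_TYPES:
        return False, "content type '%s' not allowed" % ctype
    return True, "ok"

# Constructed sample responses (not captured traffic).
SAMPLES = [
    ("login page", {"Content-Type": "text/html; charset=utf-8"}, b"<html><form>room</form></html>"),
    ("fake update", {"Content-Type": "text/html"}, b"MZ\x90\x00\x03\x00"),
    ("download", {"Content-Type": "application/octet-stream",
                  "Content-Disposition": "attachment; filename=update.bin"}, b"\x00\x01\x02"),
]

if __name__ == "__main__":
    for label, headers, body in SAMPLES:
        print(label, filter_portal_response(headers, body))
```

Note that the "fake update" sample is rejected even though it declares `text/html`, because the body is inspected before the header is trusted.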
Finally, IDVector clients allow the user to choose to access the Internet via an IDVector Shared Path or a custom Private Path. Shared paths are inexpensive and available to all IDVector users. Shared paths have a limited lifespan and are automatically created and destroyed periodically using new server instances, new cryptographic keys and new IP addresses. IDVector Private Paths are completely private — they are hosted on dedicated cloud servers that are literally created and destroyed at the click of a button. With both Shared and Private Paths you choose where in the world you want to appear on the Internet. The cryptographic material that secures the Pro client’s connection to both types of paths is never used for more than one connection and is generated on the IDVector Pro client. The IDVector servers never possess the client’s cryptographic keys.
On the mobile side, we provide an iOS app that does many of the same things as the Pro client, from within the Apple iOS platform. Because Apple and iOS are somewhat restrictive, there are some limitations. For example, we can’t implement the captive portal protection proxy because Apple has its own iOS device captive portal negotiation mechanism. Much of the rest of the IDVector technology passes straight through to the iOS client. You can use Shared Paths or Private Paths and all of your data goes through the secure and private VPN technology, exiting the path wherever you want it to, worldwide. Our IDVector Mobile client for Android should be available early in the 4th quarter of 2016.
In the Cloud we use a variety of providers to achieve global coverage. We leverage Apache Libcloud to control our cloud instances. Libcloud allows us to quickly and easily add more providers as demand increases for particular regions. Our Cloud infrastructure is incredibly scalable; we’re excited to test how far it can grow. As noted above, because cryptographic material for Pro Client VPN connections is generated on the client device, we (as the service provider) CANNOT snoop on the traffic of our customers. All VPN paths use IKEv2 with Perfect Forward Secrecy as a default. We designed the system from the start to take ourselves out of the loop.
All of your important data should already be encrypted between your web browser and the server, but with IDVector neither we nor the big data collection platforms can tell who you are, where your data originated, and in many cases, where it is eventually ending up. Even if you use a corporate or personal VPN to encrypt traffic from your system to your remote work environment and/or the Internet, your system is still directly connected to insecure WiFi and is therefore vulnerable to local attacks as well as data collection schemes that can see the source and destination of your encrypted data streams. IDVector blocks those attacks and masks the endpoint of all of your network traffic. There is a diagram on our web page that shows (at a high level) how it all works.
Because we truly think that privacy, security, and anonymity are important, we allow users to pay for IDVector service through anonymous mechanisms. To that end, we have selected Stripe as our payment processing partner in part because they accept Bitcoin. If you aren’t interested in the cryptocurrency space, the best “old fashioned” anonymous payment mechanism is prepaid cards — which Stripe also supports.
We think everyone needs IDVector — we’re all travelers in a perimeter-free world. As a starting point, we’re focusing on 5 core groups:
Our long-term roadmap includes an Enterprise offering as well as exploring incorporation of IDVector technology into small office and home office (SoHo) routers. We believe geographically dispersed teams should be able to create dynamic, secure, and private shared work spaces. We believe every individual ought to be able to surf from their home without fear of their service provider snooping into their traffic. Enterprise and SoHo versions of IDVector technology will enable these scenarios.