When even Google (GOOG) falls victim to hackers, it's clear that traditional security software isn't getting the job done. Hackers, criminals, and spies have broken into the computer systems of thousands of companies, government agencies, and organizations. Eighty-five percent of companies and agencies surveyed by the Ponemon Institute, a research firm, have suffered security breaches and data losses over the previous year—roughly one-quarter of which involved hackers. The losses are pegged at more than $1 trillion per year. "The bad guys are getting better and better, and my money is on the bad guys," says security expert William R. Cheswick of AT&T Labs.
Against this darkening backdrop, a tiny, Herndon (Va.) startup called InZero Systems claims to have developed a hackproof hardware-based system—a boast that strikes some experts as far-fetched. In general, any company that says it can thwart all intruders "is run by idiots who don't deserve a second glance," warns Bruce Schneier, chief security technology officer at BT (BT), the British telecom giant.
Schneier has not evaluated InZero's technology. Many who have, however, say they are impressed. Its approach has been tested by the military's Defense Advanced Research Projects Agency (DARPA) and several companies that specialize in finding cracks in computer security. No one has broken in. "It was very secure, but we were concerned about its user friendliness," says former DARPA director Anthony J. Tether, who bought 10 devices to test just before he left the agency in early 2009. "As best we can tell, there isn't a way to circumvent it," says Ronald J. Dorman, vice-president of Telos (TLSRP.PK), a computer and network security company hired by InZero to evaluate the system.
The idea behind InZero was hatched in 2002 by Oleksiy Shevchenko, a computer engineer in Ukraine who was trying to address the Internet security concerns of a policeman friend. He steered clear of the traditional defense strategy, which uses software to look out for new viruses or intruders, then devises ways to thwart each. Because malware comes in many disguises, this approach leaves networks exposed in the early stages of a new attack. Instead, Shevchenko set up hardware that acts like a second computer (in geekspeak, a "sandbox") sitting between a vulnerable computer and the Internet.
When you venture out on the Web, it feels like you are using your own machine, but you are actually in InZero's sandbox. You can send e-mail and go anywhere in cyberspace, even to sites known to harbor hackers and viruses. The effect is similar to having a Webcam on your computer aimed at a second computer's screen, says cryptography expert Phil Zimmermann, who was asked by InZero to assess the technology. There's a barrier between the two systems that prevents anything bad from getting to your machine.
Since the operating system and memory in InZero's sandbox are read-only, they can't be changed by a virus, and hackers can't commandeer the device. "Whatever mayhem is on this other computer is not going to hurt you," says Zimmermann, who says he can't think of any way to break in. InZero CEO Louis R. Hughes offers a second analogy: that of a patient with an unknown disease quarantined behind a glass wall. "Our device is the equivalent of that glass wall," he says.
The idea of a second device acting as a barricade isn't new. Security experts often set up a buffer computer to interact with the larger world; if and when the machine gets infected, they simply wipe it clean and reinstall software. Many researchers have also latched onto the idea of a software sandbox—or virtual computer—that resides right inside a PC, says AT&T's Cheswick. What's different about InZero's approach is that it offers the protection of a second real computer, without having to go through the hassle of constantly wiping it down. The device that performs this task is no larger than a typical paperback book. "There isn't anyone else who has a solution like this in hardware," says Telos' Dorman.
Shevchenko dubbed the technology XB, after a Russian expression equivalent to a middle-finger salute. He found an angel investor in Ukraine, Alexander N. Dubrov, who came up with his own nickname: "Internet condom." Shevchenko filed patents and built three working prototypes. Then he ran a hacker contest, offering a Harley-Davidson (HOG) to anyone able to penetrate the system. No one did.
Alexander V. Pyntikov, a top Soviet Union government innovation official-turned-entrepreneur, got wind of the promising technology. Pyntikov introduced Shevchenko to Hughes, former president of General Motors' international operations and of Lockheed Martin (LMT). "I was very skeptical," recalls Hughes. "Here was this young guy saying he had invented a computer that totally protects from attacks."
Hughes became a believer after he arranged a test in 2003 at British Telecom's Ipswich labs and the company's computer scientists were unable to break in. He brought Shevchenko to the U.S., invested millions of his own dollars in a new U.S. company, InZero, and became its CEO, with Pyntikov as chief operating officer and Shevchenko as chief technology officer. (The name InZero nods to the claim that zero intruders can get in.) Since then the company has filed additional patents and spent several years simplifying the steps a user must take to operate the device. The current version has four processors and 60 million lines of software code. "It's a complicated little box," says Hughes.
At his office, the burly Shevchenko demonstrates how easy it is for a virus to penetrate a computer equipped with the latest updates of antivirus software and then send back information like credit-card numbers. The same virus is powerless against a computer equipped with the InZero device. Even so, he volunteers, "Our solution is not a panacea." It doesn't protect against so-called denial of service attacks, in which legions of PCs are infected with programs that can swamp a Web site by means of a coordinated assault. For just about everything else, from viruses to spying, the company claims the technology is a game-changer.
One of the most thorough evaluations to date was performed under contract by escrypt, a security company in Ann Arbor, Mich. Escrypt drums up new business finding security weaknesses and devising fixes, says CEO André Weimerskirch. So it was frustrating and surprising, he says, when a team of four people attacked InZero's system for more than two weeks without discovering a flaw.
Despite the successful tests, InZero still has hurdles ahead. The company has to prove to the U.S. government that its engineers, many of whom are in Kiev, haven't built in a back door for spies. "We have to show that nothing will be reported to Putin," says Pyntikov. Cost and complexity are also on Pyntikov's mind. The company hopes to market a family of devices for PCs, servers, and entire networks, with prices starting in the low hundreds. In two or three years, the hardware could be embedded into laptops, adding as little as $25 to hardware costs, says Pyntikov. If companies and consumers take the trouble to buy and set up the devices, there may finally be a gate that hackers can't storm.