Taking on the Chinese in Cyberspace
Terry Dunlap
SVP Corporate Strategy & Development at NetRise | Co-founder of Gray Hat Academy | Co-founder of ReFirm Labs (acquired by Microsoft) | Former NSA Hacker | Serial Entrepreneur in Cybersecurity
Note: Welcome to the epic fifth installment of my mailing list series we used at ReFirm Labs. Now, if you really want to be part of this wild ride and truly appreciate the awesomeness of my marketing concept focused on origin stories, you gotta read the previous installments, my friend. Seriously, they lay down the foundation and bring you up to speed on the journey so far. Trust me.
Peter and I weighed the pros and cons of accepting outside investment from DataTribe. Tactical Network Solutions had been bootstrapped with a mere $10,000 when I launched it in 2007. It had been profitable every year since, and we never needed additional funds. Moreover, Peter and I wholly owned the company, making outside involvement unappealing.
However, DataTribe made an impressive argument. They presented well-researched studies about the cybersecurity risks associated with IoT devices, painting a grim picture of insufficient security solutions. We found ourselves agreeing with their analysis. After all, we exploited IoT devices for government and military clients for years!
Evidently, there was both a market opportunity and a need for a platform like Centrifuge. Limiting its use to offensive cyber purposes significantly reduced our market, catering only to entities authorized to execute cyber-attacks. Our customer base, both foreign and domestic, was small.
After months of careful consideration and discussions with DataTribe, we accepted their $1.5M investment.
However, we had a condition.
Peter and I were adamant that DataTribe should not invest in Tactical Network Solutions. We had built a strong reputation with governments, intelligence agencies, and the military and were unwilling to risk that. We also wanted to avoid sending mixed messages to our customers about our commitment to the offensive cyber mission. Informing them about outside investors with a defensive-focused agenda would be poorly received.
So, Peter and I proposed an entirely different approach.
We suggested spinning out the Centrifuge platform and its core development team into a new, independent company separate from the offensive realm of Tactical Network Solutions. This new company would focus solely on helping customers rapidly identify firmware vulnerabilities in IoT devices before adversaries could exploit them.
Thus, on July 5, 2017, ReFirm Labs, Inc. was established with a $1.5M seed investment. Peter and I owned over 60% of the company, while DataTribe held the remainder. Tactical Network Solutions continued to operate independently, with Peter and me retaining full ownership.
In October of that year, I was introduced to the head of digital security at a Fortune 500 company. A former CIA agent, he had extensive experience dealing with nation-state actors and their attempts to steal US intellectual property.
His request was straightforward: he wanted ReFirm Labs to examine the firmware of the surveillance cameras installed around the company's headquarters and other high-profile properties. He harbored suspicions about Chinese-manufactured electronics.
The ReFirm Labs team obtained the same Dahua camera model the Fortune 500 client used. Dahua is China's second-largest surveillance camera manufacturer, just behind Hikvision.
Upon uploading the Dahua firmware into the Centrifuge platform, we immediately identified numerous buffer overflows and command injection vulnerabilities. This typically indicated careless and insecure coding practices, with no use of source code auditing tools during development. Some of these vulnerabilities could be weaponized if discovered by someone with malicious intentions.
Our lead reverse engineer, Craig Heffner, found something more alarming: an intentional backdoor deeply embedded within the Dahua cameras' firmware. His final report summarized the issue:
"... this vulnerability is not the result of an accidental logic error or poor programming practice, but rather an intentional backdoor placed into the product by the vendor. Given that many other Dahua products contain this exact same backdoor, we strongly recommend against connecting any Dahua products to critical or sensitive networks."
We promptly informed our Fortune 500 client of our findings, which confirmed his suspicions and gave him the evidence needed to recommend immediate replacement of the cameras. We also advised him to alert the company's security operations center (SOC) to monitor any suspicious network traffic from the cameras.
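One concrete shape that SOC monitoring can take, as an added example that is not ReFirm Labs' or the client's own tooling: a small Python checker that reads firewall log lines and flags any camera host talking to anything other than its NVR and NTP server. The camera inventory, the allowlist, the internal address range and the key=value log format are all assumptions constructed for this example.

```python
import ipaddress
from collections import Counter

# Constructed inventory (assumptions for this example, not from the article):
# the camera VLAN hosts and the only destinations a camera should ever contact.
CAMERA_HOSTS = {"10.20.0.11", "10.20.0.12", "10.20.0.13"}
ALLOWED_DST = {("10.20.0.5", 554),   # on-site NVR, RTSP
               ("10.0.0.53", 123)}   # internal NTP
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range

def parse_line(line):
    """Parse one key=value firewall log line (constructed format) into a dict."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return {"ts": kv["ts"], "src": kv["src"], "dst": kv["dst"],
            "dport": int(kv["dport"]), "proto": kv["proto"]}

def classify(flow):
    """Return None for expected camera traffic, otherwise a short reason."""
    if flow["src"] not in CAMERA_HOSTS:
        return None                      # not a camera; out of scope here
    if (flow["dst"], flow["dport"]) in ALLOWED_DST:
        return None                      # NVR / NTP traffic, expected
    if ipaddress.ip_address(flow["dst"]) not in INTERNAL_NET:
        return "camera egress to external address"
    return "camera contacting unexpected internal host"

def find_suspicious(lines):
    """Return (ts, src, dst, dport, reason) for every flagged camera flow."""
    findings = []
    for line in lines:
        flow = parse_line(line)
        reason = classify(flow)
        if reason:
            findings.append((flow["ts"], flow["src"], flow["dst"], flow["dport"], reason))
    return findings

def per_camera_counts(findings):
    """Count flagged flows per camera so the noisiest device surfaces first."""
    return Counter(src for _, src, _, _, _ in findings)

# Constructed sample log: three expected flows, three that should be flagged,
# and one non-camera flow that must be ignored.
SAMPLE_LOG = """\
ts=2024-05-01T02:13:05Z src=10.20.0.11 dst=10.20.0.5 dport=554 proto=tcp
ts=2024-05-01T02:13:09Z src=10.20.0.12 dst=10.0.0.53 dport=123 proto=udp
ts=2024-05-01T02:14:41Z src=10.20.0.12 dst=198.51.100.23 dport=443 proto=tcp
ts=2024-05-01T02:15:02Z src=10.20.0.13 dst=10.30.1.9 dport=445 proto=tcp
ts=2024-05-01T02:15:30Z src=10.20.0.11 dst=198.51.100.23 dport=8080 proto=tcp
ts=2024-05-01T02:16:00Z src=10.50.0.7 dst=198.51.100.23 dport=443 proto=tcp
ts=2024-05-01T02:16:12Z src=10.20.0.13 dst=10.20.0.5 dport=554 proto=tcp""".splitlines()

if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print(dict(per_camera_counts(hits)))
```

In practice the allowlist comes from the camera deployment design, and a single camera reaching an address outside it is the signal worth escalating, not just the volume.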
Our client agreed to let us publish a public research report on our findings as long as we kept his identity and company anonymous. With DataTribe's help, we secured press coverage from the Washington Post, Fortune, and FOX News to spread awareness of the issue. We also contacted Dahua to inform them of our discovery and our intention to go public, but they never responded. The news was scheduled to be released at 6:00 AM ET on November 15, 2017.
The day before our findings were set to go public, I received a text from our Fortune 500 client:
"You guys were spot on! Look what we found..."
Upon viewing the log, the chilling sensation that ran through my veins was reminiscent of the day I was led to the principal's office in high school and confronted by a Perkins police officer.
I couldn't believe what I was seeing.
Terry Dunlap co-founded Tactical Network Solutions, ReFirm Labs, and Gray Hat Academy. Before that, he worked at the US National Security Agency developing hacking tools and exploit capabilities, which would have landed him in jail in any other capacity.
Senior Sales & Production Estimator
1 year ago: Lovin' it, keep 'em coming