Until recently, I was running a small security testing company called Theia Labs. Theia was small, just myself and a few other contractors, but we built a solid reputation within the auto industry. During that time, I even wrote the book The Car Hacker's Handbook. When Rapid7 approached me about potentially acquiring Theia Labs, I was really excited. Joining Rapid7 allowed me to move my tools and continue working on my research as I had before. However, now I have a larger team to collaborate with and the ability and support to expand my reach! In the past, I was primarily focused on automotive research and, while I had a few projects in other spaces, I didn't have the time or resources to give those other industries the attention that they need. Now, as part of Rapid7, I am able to tackle all things transportation!

One of my favorite things about Rapid7 is that they allow me to focus on solving problems the right way. Often security companies spread themselves too thin and operate as if, because they do web security, they can handle all sectors of security. While these teams often have great talent, they miss a lot of subtleties that come from having specialist knowledge within a particular industry. For instance, many security companies see unencrypted communication and immediately want to lock it down with AES-256, PKI-based code signing, etc. While this isn't necessarily bad conceptually, in practice it's not the actual issue, and they tend not to understand that there may be a very good reason those channels were not encrypted to begin with. Most people who buy vehicles feel they have the right to work on them or take them to an independent mechanic. How do you do that if all the devices have been locked down so only the manufacturer has a key? If you need to send a single bit that says "brake now!", do you really want to slow the decoding of that message with layers of encryption? What is the core problem you are trying to solve? These are the kinds of problems that we work on solving.

I now have the resources to sit down with engineers at design time and stay involved all the way through their design and engineering processes. We have to make the right decisions about security, usability, and function – and can creatively find ways to mitigate potential issues without placing unnecessary restrictions on your engineers or customers. This helps prevent developers from creating costly issues, such as producing millions of PCBs with serious security flaws that are only discovered after the fact. Ensuring secure design principles are considered at the outset can reduce the number of late-stage security issues and make solving security problems much easier. Rapid7 already has a host of solutions for the enterprise and is committed to making organizations more secure. With new research we can integrate IoT, transportation, manufacturing and all other aspects of your business directly into the security pipeline.

Planes, trains, automobiles, ships, satellites, drones ... fun times ahead!

Read more about our new services and how you can engage with us here.

Craig Smith