A pair of former defense industry cyber security contractors is launching IDVector, a service that creates encrypted connections through an anonymizing network to shield users’ locations and to protect their machines from internet-borne attacks.
IDVector Network passes customer traffic through a multi-node encrypted path before dropping it onto the open internet at locations removed from customers’ actual geographical locations.
That tunneling makes it difficult for eavesdroppers to snoop content and identify where customers are located, making it possible for customers to use public Wi-Fi safely, say the company’s founders, CEO Ben Baumgartner and CTO Andrew Boyce.
Customers connect their computers via a VPN tunnel created by an IDVector client that connects to the company’s network in the cloud, securing the initial link from eavesdropping and man-in-the-middle attacks. Once connected, they jump on an encrypted path that bounces their traffic around and drops it on the open internet at some remote location.
That would be attractive to international travelers worried about the safety of Wi-Fi networks they connect to as well as business people who need to use untrusted Wi-Fi networks as they discuss sensitive information, says David Monahan, an analyst with Enterprise Management Associates.
When using the network, customers can create a custom path that bounces off an intermediate, cloud-based virtual machine and pops out to the general internet from an exit node, which is also a cloud-based virtual machine. This is similar to the intermediate-relay model used by the onion router (Tor) network that is used to anonymize traffic.
The service is potentially safer than Tor, says Monahan, since Tor’s integrity has come into question. Intermediate nodes in Tor are run by volunteers and some of these nodes may be run by people who compromise their hidden services.
Baumgartner says the potential exists for their service to be used for illegal purposes, but it would be more difficult to do so than it is with Tor. Unlike Tor, IDVector has no mechanism for creating hidden services – such as criminal marketplaces like the notorious Silk Road – which would make illegal use of IDVector that much more difficult.
The IDVector virtual machines that serve as bounce nodes and exit nodes are hosted in public clouds run by Amazon, Rackspace or DigitalOcean, although IDVector may expand to use others. IDVector’s backend network is hosted by Amazon.
The IDVector paths are encrypted from the customer’s device to the exit node using AES 256-bit OpenVPN, and the leg of the path between the bounce node and the exit node is further encrypted in an AES 256-bit IPsec VPN. All the encryption keys are kept only on the customer’s device.
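To make the layering described above concrete, here is an added example (not IDVector's code, and not the article's) that models the two tunnel legs: one layer keyed between the customer's device and the exit node (the OpenVPN leg), and a second layer keyed between the bounce node and the exit node (the IPsec leg). The cipher is a deliberately simple HMAC-SHA256 counter-mode keystream with an HMAC tag, standing in for AES-256 so the script runs on the Python standard library alone; the key ownership, the node names and the sample payload are all constructed assumptions. The point it demonstrates is which party can read what: the bounce node forwards a blob it cannot open, an observer on either leg sees only ciphertext, and any modification in transit is rejected by the exit node.

```python
import hashlib
import hmac
import os

# Toy stand-in for AES-256 (constructed for this example, not a real AEAD):
# keystream = HMAC-SHA256(key, nonce || counter), tag = HMAC-SHA256(key, nonce || ct).
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one layer. Output: nonce(12) || ciphertext || tag(32)."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise on any tampering."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class IDVectorStylePath:
    """Assumed model: device -> bounce node -> exit node -> open internet."""

    def __init__(self) -> None:
        # Path key: shared by the customer's device and the exit node only
        # (the article's device-to-exit OpenVPN leg).
        self.path_key = os.urandom(32)
        # Leg key: shared by the bounce node and the exit node only
        # (the article's bounce-to-exit IPsec leg).
        self.leg_key = os.urandom(32)

    def device_send(self, payload: bytes) -> bytes:
        # The device applies the path layer; this is what crosses the first leg.
        return seal(self.path_key, payload)

    def bounce_forward(self, from_device: bytes) -> bytes:
        # The bounce node has no path key, so it wraps the opaque blob in the
        # leg layer and forwards it; it never sees the payload.
        return seal(self.leg_key, from_device)

    def exit_receive(self, from_bounce: bytes) -> bytes:
        # The exit node peels the leg layer, then the path layer.
        inner = unseal(self.leg_key, from_bounce)
        return unseal(self.path_key, inner)


def run_path(payload: bytes) -> dict:
    """Carry one payload through the path and return every on-the-wire view."""
    path = IDVectorStylePath()
    device_to_bounce = path.device_send(payload)
    bounce_to_exit = path.bounce_forward(device_to_bounce)
    return {
        "device_to_bounce": device_to_bounce,   # what an eavesdropper on leg 1 sees
        "bounce_to_exit": bounce_to_exit,       # what an eavesdropper on leg 2 sees
        "delivered": path.exit_receive(bounce_to_exit),
        "_path": path,
    }


def tamper_detected(result: dict) -> bool:
    """Flip one ciphertext byte on the bounce-to-exit leg; the exit must reject it."""
    wire = bytearray(result["bounce_to_exit"])
    wire[20] ^= 0x01  # byte 20 lies inside the ciphertext for any non-empty payload
    try:
        result["_path"].exit_receive(bytes(wire))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample request; in practice this would be arbitrary IP traffic.
    request = b"GET /account HTTP/1.1\r\nHost: bank.example\r\n"
    r = run_path(request)
    print("delivered intact:", r["delivered"] == request)
    print("leg 1 leaks plaintext:", b"bank.example" in r["device_to_bounce"])
    print("leg 2 leaks plaintext:", b"bank.example" in r["bounce_to_exit"])
    print("tampering rejected:", tamper_detected(r))
```

Two points worth noticing from the model: the bounce node's security value comes entirely from key placement, since it holds no key for the inner layer, and the article's statement that "all the encryption keys are kept only on the customer's device" would, in this model, mean the device generates `path_key` and delivers it to the exit node through the initial VPN link described earlier, which is the step an auditor would want to see documented.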
To call up a path, users connect to IDVector’s network and either choose a pre-provisioned path shared by others or create a custom path. The pre-provisioned paths are set up and torn down regularly to make it more difficult to figure out where a particular path starts and ends, Baumgartner says.
If customers choose custom paths, they get to pick the location of the bounce and egress nodes by specifying one or two of the hosting partners’ networks and by specifying the geographical locations of the nodes they want to create. Setting up a custom node takes about 30 seconds, sometimes more, the founders say.
To use the service, customers need a client, which comes in two forms. First, there is an IDVector for iOS software client that makes the connection to the provisioning server. The client uses an Apple API to make sure any communication coming from the device tunnels into the IDVector Path.
The other client, IDVector Pro USB Client, is a physical Wi-Fi dongle that plugs into a USB port on a computer. Like the software client, it creates a tunnel to the IDVector network. The clients also spoof the MAC address of the Wi-Fi adapter on the customer’s device so the address can’t be used to gather information about what sites it connects to.
The iOS client uses Apple’s Network Extension Framework VPN (NEVPN) APIs to ensure that all communications originating on the mobile device are directed into the IDVector Path (and VPN) of choice. The dongle uses custom software written by IDVector to do the same.
An Android client is planned, as is an enterprise version of the service that adds more functionality and speed and perhaps a 1U box form factor. For example, the enterprise version might include an incident response kit that is accessed remotely through IDVector, Boyce says. So if a network is compromised, mitigating the breach could be done from a response package that has been isolated from the rest of the network and can only be accessed using an IDVector client.
Pricing starts with a basic subscription, called the IDVector Access Pass, that includes use of shared paths for $5 per week or $15 per month so long as data transferred doesn’t exceed 20GB per month. Access to private paths can be added to a pass for $1 per day, with packages for seven and 30 days. Actually using a private path is billed by the minute, but the company doesn’t say what the per-minute cost is.
Baumgartner and Boyce started collaborating remotely on the technology in October 2014. They met as defense contractors working on attribution management systems. The company has been funded by the tech incubator Kyrus Tech, which has nurtured successful security startups Carbon Black and Red Canary. Baumgartner and Boyce say they hope the company will be revenue-positive early next year.