Hotshot is a data privacy and security platform that enables businesses to protect data based on specific geographical and time-based restriction policies. The startup combines the simplicity of a high-speed communications platform (like Slack) with identity and access management features for cloud platforms (like Okta). It is the first GDPR-compliant messaging, collaboration and identity platform to be released for use in the EU and North America. Aaron Turner, CEO and Cofounder of Hotshot, believes that the EU’s leadership in this area will help the company build a platform which will serve the needs of the EU market as well as deliver technologies that will address the needs of new data privacy regulations in the US. Interview with the American serial entrepreneur.
(Featured Image: Aaron Turner, CEO & Cofounder of Hotshot / Image Credit © Hotshot)
What do you think about the startup environment of Luxembourg? How did it motivate you to open your EU headquarters in Luxembourg?
Over the last several months, as we have prepared to establish Hotshot’s EU headquarters and relocate (myself and my family) to Luxembourg, I’ve received many questions about why exactly we have chosen Luxembourg. In the very early days of Hotshot, when we were still effectively in ‘stealth’ mode, we were introduced to the great team at Tomorrow Street by one of our advisers. As a result of that introduction, we learned why leading organizations like Vodafone have partnered with Luxembourg’s Technoport, in the Tomorrow Street joint venture. It became obvious that there were many great reasons to set up a European-focused business in Luxembourg.
Diego De Biasio, of Technoport, was very generous with his time, helping us understand the ways that Technoport accelerates innovation in the country and also facilitates connections within the business and technology development community of the EU.
As a serial entrepreneur, I know that any help you can get to bring a new technology to market is critical to succeeding in the fast-paced technology space, especially within the cyber security and compliance ecosystem that I have focused on for the last 25 years. I also appreciate how the close connections within the community of Luxembourg provide a young startup like Hotshot the opportunity to network very efficiently, obtaining important market intelligence and moving through feedback cycles much faster than in larger markets.
The bottom line for Hotshot as a company and myself as an entrepreneur is that when Technoport accepted Hotshot to be part of their acceleration and incubation programs, it was too significant of an opportunity to pass up. We look forward to expanding our EU presence through this hub.
Do you think Luxembourg has a unique opportunity to lead in the security and privacy space in the EU?
As a company, we aim to lead the charge forward in providing the latest security and privacy technologies to EU companies. Moving our base of EU operations to Luxembourg will give us access to policy makers, business decision-makers and experts that would be difficult to reach if we remained in the United States. Proximity matters when you want to innovate and outperform, and I believe Hotshot can help Luxembourg become a true leader in the EU privacy and security technology ecosystem.
How did your past experiences with security and privacy motivate you to start Hotshot?
I began looking at security and privacy issues relating to computing systems and networks back in 1994. When I was doing my undergraduate work in college, I was operating a server which was compromised and an unauthorized user copied a large amount of inappropriate content to my server. It took me many months to figure out how to defend my server from those attacks, which motivated me to learn attackers’ techniques in order to better protect myself and the systems I was operating. By the late ’90s, Microsoft had hired me, and I was dealing with security issues on a global scale. At one point, I was working on a team responsible for responding to security incidents involving billions of computers around the world. Those very difficult and challenging experiences motivated me to help build solutions to better protect all systems connected to the internet.
In the mid-2000s I was invited to participate in a US Government research project designed to protect critical infrastructure–such as electrical power grids and cellular communications networks–from cyber attacks. It was while doing that research in 2007 that I realized just how substantial the problem was going to be when internet-enabled cellular devices proliferated and became ubiquitous. I helped invent security technologies which would improve the mobile payments ecosystem as a result of that research and spent many years trying to deliver that technology to the marketplace in 2008. Mobile payment technologies sit at the intersection of two very volatile systems: fast-paced mobile technologies and legacy payment systems. I was a first-hand witness to the collision of those two worlds ten years ago. I saw how the inability of the mobile and payments communities to effectively collaborate slowed down the adoption of mobile payments technologies, which would have benefitted everyone in the market. The result was a continuation of the payment card fraud that we’ve seen over the last decade and the costs associated with that fraud should probably be measured in billions of euros.
I think we’re seeing the same thing happen today when it comes to enterprise data management communities interacting with security and privacy experts. New regulations, such as the EU General Data Protection Regulation (GDPR), were designed to better protect data to benefit EU residents, but legacy technologies were never designed to deliver the security and privacy features necessary to truly comply with the new GDPR requirements. The result is a conflict between keeping IT and data systems running and keeping the data protected in a meaningful way.
Hotshot’s objective is to create a technology platform which effectively leapfrogs the current enterprise data protection, communications and digital identity technology platforms. Hotshot enables even the smallest of businesses to benefit from a new generation of security, privacy and identity capabilities. If we can only help a small fraction of EU businesses better protect the data of their customers, employees and business partners, then we will have achieved our mission. Of course, to reach our potential from a business perspective, we hope to help a large number of businesses, but at this stage we have our sights firmly set on helping every Hotshot customer enjoy the latest security technologies in a simple-to-deploy and cost-effective way.
When we position Hotshot’s technologies with business owners, we essentially tell them, “We have done the hard security and privacy work for you, so that you can focus on keeping your business running.”
What is your background in mobile phone, IoT and cellular hacking?
My first exposure to mobile technologies and embedded systems was when I was a junior member of various security teams at Microsoft. My natural inclination is to be curious about all technologies, and I also had the tendency to volunteer for the projects that no one else wanted to do. My curiosity and volunteerism landed me in a position where I was asked to help review the security capabilities of Microsoft’s first mobile operating system (Windows Mobile). In 2003, I began teaching myself about how cellular radios were different from Wi-Fi interfaces and how the low-powered processors in the devices would rapidly drain their batteries with even the slightest bit of bad code. During those days I realized just how big of a problem mobile was going to be for everyone involved: OEMs, network operators, software developers and users.
Based upon earlier Wi-Fi vulnerability research, I applied some of the same concepts to cellular communications with some degree of success. The biggest problem I had in doing that early cellular security research was having access to the equipment necessary to test my ideas. This was one of the reasons why I gravitated towards collaborating with government researchers – to gain access to that expensive hardware and test my ideas. By 2012 I had developed research relationships with a global network of cellular experts, and we were constantly collaborating and asking difficult-to-answer questions.
Very early throughout all of my research, I determined that the way that most users trust cellular networks is not appropriate when dealing with sensitive information. For example, most cellular networks are vulnerable to legacy protocol attacks which can give attackers access to all messages, calls and data which pass through the network. Some of these attacks are expensive (both in time and equipment), but others are quite the opposite – economical and highly efficient.
On several occasions I worked with other mobile security experts to uncover just how widespread cellular network hacking is. Most of these findings focused on what we discovered in the Washington, DC area in the capital of the United States. But we have discovered similar vulnerabilities being exploited in most major cities around the world. More recently, I have been focusing on the vulnerabilities that exist on the back-end of mobile networks, specifically those that expose one-time-use codes delivered via SMS for banking and other sensitive online transactions.
I also worked with a team of experts to discover how attackers can manipulate software vulnerabilities on mobile devices to steal credentials and data. Some of those findings shocked me, with data that showed that over 60% of mobile device users are vulnerable to remotely-exploitable vulnerabilities because users do not properly maintain the software on their mobile devices.
All of this research has culminated in what we’re working on with Hotshot. We are delivering technology which helps protect sensitive data from even the most-sophisticated and well-resourced attackers.
Interview by C-L.M.