Every year at Blackhat there is a section of the show floor charmingly referred to as "Innovation City," which functions as an area for up-and-coming vendors to show their stuff. One of the citizens of Innovation City this year was x.o.ware, which bills itself as an "end-to-end encryption solution" that makes public Wi-Fi completely secure. At the risk of misrepresenting their product (I have not been officially briefed), essentially what they do is this: the customer buys a box (which is called XOnet and looks like a mini Wi-Fi router) that stays at home. With that box comes a small piece of rubber-covered hardware (which is called an XOkey); this key pairs with the box and then plugs into a laptop. Result? If I am at Starbucks on public Wi-Fi, I plug the encryption key into my computer, it uses the public Wi-Fi to tunnel back to my XOnet box at home, and voila! --my very insecure public Wi-Fi connection has become a secure home Wi-Fi connection. This is a very cool idea! But as cool as the idea is, I found myself wondering- are people ready to buy personal security hardware? Are people even thinking about this stuff?
In a vacuum (read: "in a world where the realities of sales and marketing don't exist"), I think that the answer to that is a resounding "yes." This type of innovation in the consumer market is what people are looking for. "Plug and play encryption for $99 a box" is the kind of sexy, interesting offering that the most security-savy users will pony up for. The benefits are clear, there is no ambiguity about what the customer is receiving, and there is no ongoing license agreement or annual subscription to worry about. It is simply something that can be bought to make a user more secure, and while it doesn't solve all of the problems, at least it solves one.
While I obviously think x.o.ware is on to something, the more important takeaway here is that we are living in a world where spending $100 to solve a single security problem is a justifiable--or even obvious-- purchase. In the same vein, we are seeing an acute rise in popularity of password managers, identity protection offerings, 2FA solutions, and more. Consumers are smart and getting smarter, and they are beginning to create their own security processes as they realize that they cannot rely on vendors or websites to protect them. At the moment, the project of securing one's personal life/data is utterly piecemeal--offerings do not yet come rolled up into a neat, convenient package, so everyone is responsible for arranging these things individually. But as more people get burned, and more people become more careful, and more people decide to improve their security posture? It seems clear that consumers will push the market towards providing more convenient offerings, and the first vendors to get there by putting together complete hardware/software security packages that cover various computing devices, OSs, and even IoT devices will have a big advantage.
The question at this point is no longer "do consumers want to buy advanced security solutions?" Rather, the question is "which vendor(s) can win the race to give consumers what they really need?"
Innovation City, indeed.