If you haven’t yet heard of Sonavation, you probably aren’t alone, but the company has done something unprecedented: it’s shrunk a $100k ultrasound machine to the size of a fingerprint module. We interviewed Bob Stewart, COO of Sonavation, for his take on what makes the company such a standout:
"I came here from EMC Corporation, where I was the CTO of Global Security Solutions, and most of the projects that I was working on were military intelligence based. One in particular was for a ground-based intelligent surveillance electronics platform. It was basically Google Streetview on steroids for Afghanistan.
One of the advisors to that company was an advisor to this company and he said 'We want to come up with a fingerprint sensor that can’t be defeated and we heard about this company called Sonavation. We know that they’re using ultrasound,' which to them meant it would work even better if it had some greasy, grimy, sweaty, bloody war kind of environment because, you know, in ultrasound you put the goop on the transistor to see the baby. Then they also knew that it was made out of ceramic material, which is the darling of military industrial: it’s tough and rugged…”
Bob met with a Dr. Schmidt, who ran the Ultrasonic Research Institute in Germany for 18 years before coming to the US to found Fraunhofer US. Dr. Schmidt was then recruited by Crossmatch Technologies to start working on this ultrasound sensor.
"Crossmatch is the world’s leader in multi-factor biometric. They’re the ones who invented the optical fingerprint recognition system used in all the customs and border stations, airports, etc. [When capturing Saddam Hussein, the US relied on Crossmatch’s technology to make sure they had the right guy.] They knew even back in the late 90s that fingerprints were considered public record data. Even though people didn’t widely give out their fingerprints, if you ever got arrested, they took your fingerprint and biographic information and took a photograph of you and that all went to a database. So this idea of a surface biometric has long been known to be considered a public record and left behind on everything you touch. It’s a great solution."
Bob Stewart, COO of Sonavation
Sonavation was born during the crucible of the early 2000s market crash. Bob recommended that EMC buy Sonavation, but the suggestion fell on deaf ears. That was ironic, since EMC is a wholly-owned subsidiary of RSA, which had just been hacked (the Chinese used that hack to gain access to Lockheed-Martin). But EMC was too busy panicking to heed Bob’s suggestion, and so he left the company to join Sonavation.
“You just don’t see a sensor class gain a dimension and this is what I saw…I knew the fact that this could read not only the fingerprint, but the microvasculature underneath the finger and the bone structure and tissue density and blood pressure and heartbeat. That means with a single touch of a finger you could get multi-factor biometric information. It captures multiple images in real time, just like looking at a baby in real time: you can see the baby move. You can see the blood flow.”
In 2012, Bob joined the company. The response to the technology was intense: Sonavation had a facility that could produce a million units a month, and one of their first clients asked for 500 million the first year, with a ramp of 1.2 billion the next year. With greater understanding of the sheer volume the mobile marketplace would demand, Bob and his team took a year to reanalyze their supply chain so they could provide for all tier-one manufacturers.
“Not only can we image through glass, we’re working on technology that can read through metal. With some improvements on the power side, we can see this going into mobiles and wearables.”
Sonavation got to work hiring Booz Allen to build a secure data center and also created a strong crypto key on every single chip while it was still in wafer form. By the time it goes into the supply chain, there’s no chance of swapping out the AFIs that drive the sensor.
Sonavation's product takes biometric data through glass.
"If you have the ability to scan biometric information that’s not a part of public record—subcutaneous or micron information—now you’ve got an ability to enroll someone with information that no one can get access to because if they don’t know the algorithm you’re using for imaging the inside of the fingertip, there’s no way for them to recreate that. They can’t create a template or a fake finger and they can’t use that to defeat the system.”
The subcutaneous view is valuable because it’s the private entity, whereas the fingerprint is the public entity. That can solve the issue of password authentication because, of course, passwords are a security nightmare.
“Security isn’t something that you can do halfway…. People will find the weakness in the system and then find a way to exploit it because that’s what criminals do. What we did is when we built the PKI infrastructure we built it to what they call a FIPS 140-2 levels 234, identifying increasingly stringent requirements for the integrity of that system. We can sell this solution to the government and all the other standards are beneath that. HIPAA compliance is lower than that. It set the bar very high and it was a one-time investment as far as maintenance, but now we’re able to address solutions that play very well in the healthcare markets and retail and banking and finance markets.”
Bob demonstrates the sensor at ISC West
Part of the reason for this high level of security is that the biometric information never leaves the sensor. All sensitive information is on the hardware itself, unlike the fingerprint technology used on most mobile phones, which stores information in the software. And passwords are on their way out, as indicated by the formation of the FIDO Alliance. Adhering to the FIDO protocol means apps on the phone can bypass the operating system to authenticate. That means the software essentially never has access to the biometric information.
Sonavation has good news for developers, too:
"In the next month, we’ll be shipping our first dev kit, which looks a little like a Raspberry Pi board. Our sensor modules plug into it and it’s got a bunch of pins and switches and a micro USB cable. We’re going to deliver that with Java libraries for embedded and mobile as well as apps and their source code for Android and iOS. People can start immediately integrating this into their devices."
In 2013, Ted Johnson, the Chairman and CEO of Sonavation, passed away and left the majority of his estate to the MD Anderson Cancer Research Center. As part of that legacy, 1/3 of all the value of Sonavation's technology is being donated directly to cancer research.
It seems Sonavation isn't content with its impact on security: it also wants to make the world a healthier, happier place.