A Timesys Ghoulish Edition Embedded Systems Newsletter

October 2022

Cybersecurity in the News: Critical Vulnerability Fix: OpenSSL version 3.0.7 to fix highest severity issue announced since 2014

According to HelpNetSecurity: “The OpenSSL Project team has announced that, on November 1, 2022, they will release OpenSSL version 3.0.7, which will fix a critical vulnerability in the popular open-source cryptographic library (but does not affect OpenSSL versions before 3.0).

No details have been shared with the public about the vulnerability and, according to OpenSSL core team member Mark J. Cox, attackers are unlikely to ferret out the vulnerability before the fixed version is widely deployed. “Given the number of changes in 3.0 and the lack of any other context information, [attackers successfully scouring the commit history between 3.0 and the current version] is very highly unlikely,” he opined.”

There are no CVE details on this vulnerability at this time. This is an early notification.

Want to stay ahead of threats? Lucky you: we launched the Timesys CVE Dashboard and update it weekly with details on the dangerous security vulnerabilities that could be affecting your device.


Conference Recap

Timesys Revealed 5 Tips for SBOM Management at 3rd Annual Medical Device & Diagnostic Cybersecurity Conference

Get early access to the results from our industry-wide survey

Whether you are looking to embrace security automation or trying to meet regulatory compliance requirements, SCAP can be an important part of your security toolbox. Leveraging the OpenSCAP project, one can get a jumpstart in building secure devices that can be easily audited in an automated fashion.

New Features

Code Signing Key Protection Added to VigiShield

Timesys is excited to announce that code signing key protection has been added as a new feature to VigiShield! With this new feature, the code signing key is stored on the hardware security module (HSM) and the build system requests signing using the PKCS#11 interface. Now with VigiShield Secure by Design, you can implement the core security features your device needs with an easy-to-understand, PSA certified, maintainable Yocto security layer and a high level of security for your keys.

Feature benefits of code signing key protection include:

  • A high level of security for keys: Keys are never exposed outside of the HSM, so you avoid leaving keys on insecure developer laptops, ex-employees taking keys with them, and costly accidental leaks of code signing keys.
  • Meets compliance such as FIPS 140-2, Level 3
  • Simplify and standardize your signing process with a unified way of key management across all products

With VigiShield Secure by Design add-on services, Timesys also offers engineering services to help your team integrate this new feature into your custom signing solution or other third party and cloud-based solutions.

Embedded Board Farm New Feature

Sneak Peek: Hosted EBF Enables Internet Access for Anyone With Proper Credentials

Timesys is excited to provide a sneak peek into a new EBF feature: internet accessibility. Timesys has partnered with Lineo and select semiconductor vendors to offer Hosted Embedded Board Farm, powered by Timesys Embedded Board Farm and Test Automation solutions. The hosted feature allows anyone with proper credentials to access the hosted boards from anywhere over the internet without requiring a VPN setup.

Hosted Embedded Board Farm eases embedded development kit supply chain issues and improves the workflow for work-from-home developers and engineers.

Key Features:

  • Enables you to either self-host or have Timesys and their partners host development kits for pre-sales evaluation.
  • Allows early silicon access to selected customers in a very cost-effective manner, resulting in efficient management of alpha and beta releases.
  • Timeshare development kits in a secure fashion, alleviating the already constrained supply chain.
  • Train companies without spending resources on buying and maintaining labs.
  • Remote developers, field, and support engineers can work from home using the same workflow as the on-prem capabilities without requiring a VPN setup.
  • Allows field engineers to show demos, R&D to train field and support engineers, and more.

Timesys Vulnerability Management Survey

 

When’s the Last Time You Got What You Really Wanted?

Make your dreams a reality. Your vulnerability management dreams. Help us out with your feedback and you can guide the roadmap for the vulnerability management features that make it faster to build and maintain secure products which let you sleep easier at night.

Plus, you could win a $50 gift card!

Learn with Timesys

 

Securing Build Infrastructure: Code Signing Key Protection

How to use code signing techniques to avoid being hacked

Recently, there was a hack published for Hyundai’s Linux-based infotainment head unit. The device itself had implemented security features such as signed/authenticated and encrypted images. However, the encryption key was stored in the Linux build system (Yocto) setup script. The script was inadvertently published as part of open source compliance. To make things worse, the code signing key used wasn’t unique and the hacker was able to “google it” based on the public key. What are some ways of securing keys to avoid such scenarios? Find out in our newest blog.
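A pre-publication check for the failure described above, as an added example that is not Timesys or Hyundai code: it scans a source tree for PEM private keys, hex keys assigned in scripts, and public keys whose fingerprint is on a list of known sample keys. The file names, variable names, key values and fingerprint list are constructed for illustration.

```python
import base64, hashlib, re
from pathlib import Path

PEM_PRIVATE = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")
PEM_PUBLIC = re.compile(r"-----BEGIN PUBLIC KEY-----(.+?)-----END PUBLIC KEY-----", re.S)
# A key-like variable assigned a 128-, 192- or 256-bit hex value.
HEX_KEY = re.compile(
    r"(?i)\b(\w*(?:key|secret)\w*)\s*[=:]\s*[\"']?([0-9a-f]{64}|[0-9a-f]{48}|[0-9a-f]{32})\b")

def der_fingerprint(pem_body):
    """SHA-256 over the decoded key bytes, so PEM line wrapping does not matter."""
    return hashlib.sha256(base64.b64decode("".join(pem_body.split()))).hexdigest()

def scan_text(name, text, known_public_fps=frozenset()):
    """Return (file, line, finding) tuples for key material found in one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PEM_PRIVATE.search(line):
            findings.append((name, lineno, "private-key-pem"))
        m = HEX_KEY.search(line)
        if m:
            findings.append((name, lineno, "hex-key:" + m.group(1)))
    for m in PEM_PUBLIC.finditer(text):
        try:
            fp = der_fingerprint(m.group(1))
        except ValueError:  # malformed base64, nothing to compare
            continue
        if fp in known_public_fps:  # signing key is a published sample, not unique
            lineno = text.count("\n", 0, m.start()) + 1
            findings.append((name, lineno, "known-sample-public-key"))
    return findings

def scan_tree(root, known_public_fps=frozenset()):
    """Scan every file under root, e.g. a source drop staged for publication."""
    root, findings = Path(root), []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.stat().st_size < 1_000_000:
            text = path.read_text(errors="ignore")
            findings += scan_text(path.relative_to(root).as_posix(), text, known_public_fps)
    return findings

# Constructed sample input (not real key material).
SAMPLE_PUB_DER = b"constructed-bytes-not-a-real-key"
SAMPLE_PUB_PEM = ("-----BEGIN PUBLIC KEY-----\n" + base64.b64encode(SAMPLE_PUB_DER).decode()
                  + "\n-----END PUBLIC KEY-----\n")
KNOWN_SAMPLE_FPS = frozenset({hashlib.sha256(SAMPLE_PUB_DER).hexdigest()})
SAMPLE_SCRIPT = ('#!/bin/sh\nexport IMAGE_AES_KEY="00112233445566778899aabbccddeeff"\n'
                 "bitbake core-image-minimal\n")

if __name__ == "__main__":
    for finding in (scan_text("setup-env.sh", SAMPLE_SCRIPT)
                    + scan_text("keys/verify.pem", SAMPLE_PUB_PEM, KNOWN_SAMPLE_FPS)):
        print(finding)
```

Run `scan_tree()` on the exact directory that will be released and fail the release job on any finding.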

 

Embedded Board Farm Solutions

The Brains Connecting to Your Device: Timesys ZOMBIES

How can you make your boards remotely accessible for collaborative software development, test automation, and debugging from anywhere in the world?

The Timesys Embedded Board Farm (EBF) and Zombies, custom Timesys-developed hardware that can support up to 4 DUTs and be placed anywhere within your corporate network, offer a unique and immediate solution that bridges geographical gaps and adds your embedded products to your CI/CT process for higher quality and efficiency.

Vulnerability Management for Embedded

Tools & Techniques to Monitor and Remediate Vulnerabilities in Your SBOM
November 10 @ 12 PM EDT / 9 AM PT

In this monthly live webinar and Q&A session, you’ll learn essential ways to avoid a five-figure mistake along with:

– Why you need to manage your open-source software risks
– How to generate an accurate SBOM (Software Bill of Materials) and why it matters
– Tools and techniques to monitor and remediate vulnerabilities in your SBOM
– And much more!
