LinuxLink Login   |   1.866.392.4897 |   sales@timesys.com    |  Contact Us            English EN French FR German DE Japanese JA

Open Source Embedded Software Development and Security Blog

CVE Monitoring & Management: Timesys’ Akshay Bhat Offers Security Guidance for Embedded Open Source Systems Part 2

As discussed in last week’s posting, central to the device maintenance process and keeping devices secure after they’ve been deployed is the ongoing monitoring and managing of CVEs that affect your product components. Therefore, it’s essential to have a clear view of relevant CVEs because there are many moving parts that need to be managed.
 

read more

CVE Monitoring & Management: Timesys’ Akshay Bhat Offers Security Guidance for Embedded Open Source Systems Part 1

Timesys’ Director of Engineering, Akshay Bhat, presented a session on Open Source Security at the Embedded Linux Conference North America 2019 in August. For this two-part Q&A interview, our VP of Marketing Adam Boone asked Akshay to share his views on the challenges and best practices for maintaining security in Open Source Embedded System products.
 

read more

Open Source CVE Monitoring and Management: Learn the Latest at Embedded Linux Conference 2019

Every week, more than 300 new vulnerabilities affecting software systems are disclosed by security reporting services such as the Common Vulnerabilities & Exposures (CVE) database operated by the US National Institute of Standards and Technology (NIST).

If you develop embedded systems or embedded devices, keeping pace with the constant flood of new vulnerabilities, knowing which directly affect …
 

read more

Vulnerability Management: Making proactive security maintenance a part of your product support processes

Too often, it seems the first notification of a software vulnerability comes from an affected customer or the publicity surrounding a high-profile data breach. Then follows the mad scramble to mitigate the vulnerability, notify customers, update products in the field and so on.

This reactive approach to vulnerability management for your embedded system products simply doesn’t fly in today’s heightened vulnerability environment.
 

read more

Security Maintenance: Three essential tasks for maintaining embedded system security after release

The product development and release maintenance cycle has many predictable elements.

You know you will face time constraints for engineering to develop, test and prepare the product for production release based on the product roadmap and schedule. You’ll likewise face constraints around engineering resources, including the people and tools needed to hit the development targets.
 

read more

Secure Product Management: Reducing Security Trade-offs Part 2

As discussed in last week’s posting, security often ends up taking a backseat to other considerations when you are bringing products to market or supporting ones already in production deployment.

Product managers often are faced with delivering baseline product functionality and dealing with constraints around timelines and budget. That means broader security considerations fall out of the product when these constraints force trade-offs and fundamental product requirements take priority.
 

read more

Vulnerability Management: Automation ends the pain of manual DIY security

Every week, more than 300 new vulnerabilities affecting software systems are disclosed by security reporting services such as the Common Vulnerabilities & Exposures (CVE) database operated by the US National Institute of Standards and Technology (NIST).

These vulnerabilities run the gamut of low risk security concerns to critical issues. Some vulnerabilities can allow an attacker to take control of a company’s IT systems, gain access to sensitive information …
 

read more

Here comes the ‘stick’ for IoT security … or can we self-police?

Poor security of Internet of Things has led the US Federal Government to (again) consider legislation to force makers of IoT devices to improve security.

And the proposed bill comes on the heels of industry concern that IoT attacks against the US power grid are increasingly common and threaten public safety.

This week a bipartisan group of four US senators introduced the “Internet of Things (IoT) Cybersecurity ...
 

read more

Embedded World Highlights: Build it faster & with stronger security

Security is becoming a critical differentiator in embedded system products across a wide range of applications.

And the tools are now available to ensure products can be more secure without sacrificing time-to-market and, in some cases, even accelerating development.

Those are key takeaways from this year’s Embedded World Exhibition and Conference that took place in Germany last week.
 

read more

Continuous Testing Delivers Quality with Faster Time-to-Market

System quality requirements have never been higher. But time-to-market pressures have also never been greater. How do you meet one without sacrificing the other?

Embedded systems users expect bug free, responsive and stable applications that provide the best user experience.

The consequence of failing to meet user expectations can result in more than just application abandonment. With the power of social media, it also can quickly lead to a …
 

read more

Build it fast, and build it secure: see the latest at Embedded World

The world of embedded systems has gone through a massive transformation in recent years.

The rise of smart devices, the Internet of Things, mobile computing platforms, connected devices and a range of other innovations have driven embedded system deployments through the roof. Industry observers estimate IoT deployments alone account for 23 billion device deployments in 2018, up from 15 million in 2015. And that number is projected to triple in the next six years.
 

read more

Tracking and Maintaining the Security of Embedded Systems

The deployment modes and functionality of embedded systems have evolved rapidly in recent years, thanks to widespread connectivity of Internet of Things devices and associated systems.

Yet the common security practices for most embedded systems remain largely unchanged from the days when they were isolated, air-gapped systems.

The shortfall in embedded system security is leading to sharply escalating risk of cyberbreaches. The trend …
 

read more

The Risks of a ‘Stale, Abandoned’ Product

Some product management decisions are hard. Product managers are constantly weighing trade-offs among time-to-market, functionality, competitive differentiation, development costs and other factors.

But some product decisions seem like no-brainers. Would you bring an IT product to market that puts customers at significantly increased risk of security breaches, privacy violations, potentially massive fines and lawsuits?

“Of course not. That would be lunacy,” you can imagine the typical product manager as saying. Yet companies are shipping products every day that introduce this sort of …
 

read more

On-Premises Board Farm Cloud

In the past few years, there has been an explosive growth in the use of various types of mobile and IoT devices and use of open source based operating systems like Linux and Android. These use cases have forced application developers to test their applications against a rising number of devices with their current and legacy versions of operating systems.

This trend has made the Board Farm concept into an effective and efficient tool for solving these expanding test challenges, especially if configured as a cloud.

The time-to-market (TTM) for a new product introduction
 

read more

Who is attacking IoT? What do they want?

The motivation of hackers sometimes can be plain as day. Other times, not so much.

As attacks on Internet of Things (IoT) devices and deployments escalate, it is important to understand what these attackers are trying to accomplish. Understanding these motives, after all, can help us to pinpoint why a security vulnerability represents a risk, to prioritize mitigation and defenses, and to focus responses to attacks.

This analysis is especially important if you provide products and platforms to companies deploying IoT …
 

read more

New IDE version produces shorter time-to-market for secure IoT devices and embedded Linux applications

This week we announced a new release of our TimeStorm Integrated Development Environment (IDE). TimeStorm 5.3.2 IDE is designed to streamline, simplify and accelerate the development of secure Internet of Things (IoT) and embedded Linux applications.

In an era of heightened awareness of embedded software security and device security risks, product developers need to be able to adopt security best practices without delaying the development and release …
 

read more

Progress toward IoT security … a little less conversation, a little more action please

Research, reporting and commentary about Internet of Things security has made a flurry of technology headlines over the past several years. And industry observers are commenting that IoT security may finally be gaining the attention it deserves among technology decision makers.

So will 2019 be a milestone year for IoT security?

Or will more IoT security failures lead to more industry regulation, more vendor criticism and more conversation, not enough action?
 

read more

‘Be Secure or Be Fined’ … 2018’s major milestones in IoT and embedded system security

As 2018 draws to a close, we’ve seen a landmark year in cybersecurity for embedded systems and the Internet of Things (IoT), marked by escalating threats, new regulation, and broader attacks.

Here’s a look back at three important IT security milestones in 2018 and a look forward with some predictions for 2019 and beyond.

2018: Year of Record Vulnerabilities
With a few days remaining in the year, the number of …
 

read more

Another Record Year for Vulnerabilities … Time to Join the CIA?

This blog post is published in full as a guest post on Embedded Computing Design.

In mid-November, the total count of vulnerabilities reported in 2018 surpassed the total for 2017, setting a new record for vulnerabilities with six weeks left in the calendar year.

At this pace, we are on track to see the count of Common Vulnerabilities & Exposures (CVEs), the authoritative index of confirmed IT system vulnerabilities, reach 16,000 or more vulnerabilities for this year, according to …
 

read more

Ready to tackle embedded Linux MPU development with Windows … Do you know your options?

Have you been developing embedded devices for years? Are you considering building your first operating system based product and looking at using embedded Linux? You are not alone.

Many companies that have historically been developing MCU based products are now being pushed by market and customer requirements to offer better, more feature-rich and more capable devices. In order to deliver the desired features, many new designs require a …
 

read more

Can products be developed quickly and be secure at the same time?

It’s perhaps the longest standing myth in IT:

You can deploy IT quickly, or you can deploy it securely. But you can’t do both.

This supposed trade-off touches virtually every aspect of IT, from product development, to market release, to customer deployment, production product maintenance, and all associated stages.

Of course, like many myths, there is a bit of truth to the trade-off. Viewed in the extreme, you could spend
 

read more

The new focus on ‘Security by Design’

As the flood of vulnerabilities continues to rise, attention is turning to how embedded system products can be made more secure.

Almost 20 years ago, the concept of security by design was a popular new trend in software development. The focus on baking in security at product design stages was driven by the massive rise in on-line applications, e-commerce features and other Internet-connected, web-enabled software.

As these systems and applications were deployed and became widespread, the expanding attack surface made
 

read more

Vulnerabilities keep piling up … time to make security a product differentiator?

Is your product the “Volvo” of embedded system products? For decades, carmaker Volvo has been known as a maker of safe vehicles.

While all makes of cars are generally much safer than in decades past, and some observers rank some other brands’ models higher in safety, there is no dispute that Volvo has made safety a cornerstone of its brand. Like other car brands have focused on qualities like luxury, reliability or the driving experience, Volvo has emphasized safety as a chief value of its products.
 

read more

Another record year in vulnerabilities as the CVE storm continues

The vulnerability storm continues unabated.

The count of security vulnerabilities has reached another annual record, with six weeks remaining in the calendar year. This week the number of Common Vulnerabilities and Exposures (CVEs) hit 14,722, eclipsing last year’s total of 14,714, according to the tracking totals at CVE Details.

CVEs are being added this year at a rate of more than 300 per week on average. If that pace holds, the total should rise by another 2,000 CVEs by year’s end.
 

read more

Will more embedded device makers fix security before massive fines force them to do it?

Security of smart devices is getting worse, says a penetration testing expert, who blames suppliers of connected devices that ignore security and privacy issue notifications.

Is the answer more security regulations and laws, or is it better product strategy?

Computer Weekly reported this week on security expert Ken Munro’s comments in a conference presentation …
 

read more

Patch management for better embedded system security

Patch management remains a major headache for enterprises, according to researchers and security experts. With reported security vulnerabilities now climbing into the tens of thousands each year, busy IT departments struggle to identify and analyze the vulnerabilities that apply to their systems, and to manage all the patching needed to mitigate risks.

And the Internet of Things (IoT) poses even greater challenges for patch management.

“While IoT holds great promise for the future of analytics and automation, it also ushers in a new era of patch
 

read more

Monitoring and managing vulnerabilities for embedded systems built with Yocto

The Yocto Project is well known for enabling product developers to quickly and easily customize Linux for Internet of Things (IoT) devices and other embedded systems. But today’s environment is marked by heightened security concerns, skyrocketing vulnerability reports, and high-profile security breaches.

Getting your embedded system product to market fast is important. But getting to market fast without a secure design and a plan for managing future vulnerabilities is a huge mistake.
 

read more

Security vulnerabilities and medical devices: when the software update itself is the problem

A classic security breach vector involves exploiting weak authentication. As security researchers like to point out, failing to change default passwords for administrative access remains the top security issue for all types of IT systems.

But a related — and perhaps more devious — attack vector involves exploiting a weakness in a process that is supposed to help ensure device security in the first place: the remote system update.
 

read more

Embedded system security and the IT performance tradeoff

Embedded system products are often deployed by IT managers struggling with a longstanding tradeoff: Should you sacrifice IT performance to make IT more secure?

The performance-or-security tradeoff has been the subject of technology research and industry analysis for many years. The analysis often focuses on issues like network performance or business application performance and how security measures may impede or otherwise affect throughput or access.
 

read more

Security testing of embedded open source systems creates a stronger enterprise security posture

Researchers and the technology media are reporting that the average application now contains more open source software components than proprietary code. And the use of open source components in embedded systems such as Internet of Things (IoT) devices likewise is on the rise.

How is this trend affecting awareness of embedded system security and open source security best practices?
 

read more

Security vulnerabilities and the Internet of Things

We’re on the verge of setting another annual record in the number of security vulnerabilities being reported. And more and more vulnerability exploits are targeting the Internet of Things.

Botnet exploits are going after IP cameras. Smart home technologies are being hacked. Even children’s toys are being hacked and used for covert surveillance. And in one bizarre case, hackers gained access to a casino’s systems through a smart thermometer in the lobby fish tank.

But these cases raise the question of what really is a vulnerability?
 

read more

Vulnerability management for Internet of Things and embedded systems

The number of security vulnerabilities continues to skyrocket.

After setting a record last year, the number of reported Common Vulnerabilities and Exposures (CVEs) is on pace to set yet another record this year.

In 2017, more than 14,000 CVEs were reported, affecting a vast range of devices, systems and applications. So far in 2018, more than 12,000 CVEs have been reported, and if that pace continues, we should move past last year’s record number in the next two months.
 

read more

Laying down the law on IoT security

IoT device security vaulted into the public consciousness in recent years. Media coverage of successful attacks against IoT devices and supporting systems, botnets powered by compromised devices, and a range of other security issues have raised public concern.

But now California is on the verge of enacting the first actual law in the US to mandate IoT device security.

Unfortunately, according to some in the industry, the bill now awaiting the governor’s signature will do little in its present form to improve the security of IoT, or the companies deploying it, or the people using it.
 
 

read more

Security at IoT scale

It often helps to look at cybersecurity from the attacker’s point of view.

This approach, in fact, is the foundation of common techniques for penetration testing. That’s when “white hat” hackers will put a company’s IT systems through a range of attacks, looking for security vulnerability issues and defense gaps.

So when we consider Internet of Things device security and the defenses that protect an enterprise’s IoT deployments, it’s important to adopt the mindset of an attacker.

What’s an attacker looking for when they are prepping IoT attacks?
 

read more

‘Complexity is the enemy of security’ … especially in IoT

There is an old saying in the IT security space, one that applies really across any type of security: Complexity is the enemy of security.

It’s hard to pin down exactly who coined this phrase. Among the earliest references to it are from IT security guru Bruce Schneier. And Schneier’s discussion of this principle is probably among the clearest: systems get harder to secure as they get more complex. And since our systems are getting more complex all the time, security is becoming more challenging.

Today’s poster child for the Complexity-Security inverse correlation is Internet of Things device security.
 

read more

Secure boot on Snapdragon 410

Qualcomm Snapdragon processors support secure boot which ensures only authenticated software runs on the device. By configuring the processor for secure boot, unauthorized or modified code is prevented from being run. The authenticity of the image is verified by use digital signatures and certificate chain.

Secure boot process overview

On Qualcomm processors the first piece of software that runs is called Primary BootLoader (PBL) and it resides in immutable read-only-memory (ROM) of the processor. By configuring the processor for secure boot, PBL can verify the authenticity of the Secondary BootLoader (SBL) before executing it.
 

read more

IoT Security: Don’t Ship Product Without It

Devices connected via IoT technology are spreading across multiple industries at unprecedented rates. But the benefits of enhanced connectivity are accompanied by increased security risks.

IoT technology is used in everything from healthcare devices, to transportation infrastructure, to industrial control systems supporting operationally critical processes.

According to Forbes, some 80 billion devices will be connected to the internet by the year 2025. In terms of customer convenience and effective performance, this trend could be game-changing for people who rely on technology to explore, work, and live.
 

read more

The FBI Warns of IoT Security Issues Once Again

The US Federal Bureau of Investigation has issued a warning about Internet of Things device security issues, the latest in a continuing string of IoT attack and security vulnerability warnings from the US’s top law enforcement agency.

Attackers are using compromised IoT devices as proxies to mask various illicit activities, the FBI said, citing spamming, click-fraud, illegal trade, botnets for hire, and other crimes being committed using IoT devices.

The Bureau said IoT device vulnerabilities are being exploited by these attackers, naming routers, media streaming devices, Raspberry Pis, IP cameras, …
 

read more

Why is traditional IT security failing to protect the IoT?

The traditional IT security architecture has been through a mammoth, global stress test in recent years thanks to the environment of escalating attacks and huge data breaches.

But perhaps the biggest challenge of all to the traditional IT security architecture has been in the IT evolution driven by the Internet of Things (IoT), Cloud Computing, Edge Computing and related innovations.

Data breaches in recent years have already been reaching epidemic proportions with millions of records compromised in typical breaches. Researchers report that the number of data breaches in 2017 were an order of magnitude larger than in 2005.
 

read more

Make your device’s security posture stronger

If you make devices that support enterprise operational tasks, sensor data gathering, or a range of other enterprise processes, then your device’s security posture is a major concern for your customers.

But if you are not in the IT security industry, the security posture for your device may not even be something that is clearly defined in product requirements. Besides the obvious security-oriented features, such as encryption and authentication and compliance-mandated features, security requirements are often embedded in a host of other functions and processes that may be covered by your device requirements.
 

read more

Maintaining strong security for your IoT device BSP

IT security has never been more of a hot button topic than it is today. Increasingly, the focus is on the security of the Internet of Things (IoT) and the embedded systems that support these devices.

And so far, the traditional enterprise security architectures and procedures are failing to protect these systems from being compromised. The evidence is trumpeted in the headlines documenting successful compromises, emerging breach patterns, and the exploding volume of vulnerability advisories.
 

read more

Discovering and Fixing Vulnerabilities Quickly: Securing Embedded Open Source IoT Devices in the Wild

The web of Internet of Things (IoT) devices continues to grow each day. In fact, by the year 2020, Gartner predicts that 95% of new electronic product designs will contain IoT technology; Forbes expects at least 80 billion IoT devices to be available by 2025. But with such a vast number of devices in use across the world, how can you hope to find flaws and address vulnerability concerns in a timely manner within your own IoT products?
 

read more

Introducing TRST Product Protection Solutions for Devices Based on Embedded Open Source Software

Traditional IT security isn’t protecting embedded open source systems in IoT and IIoT deployments

Here at Timesys, we’ve been noticing some concerning trends when it comes to open source embedded software security and the rise of Internet of Things (ioT) and other intelligent devices. We’ve been hard at work developing a solution that can help ease your burden of carefully developing, monitoring, and maintaining security measures on your devices.
 

read more

Managing vulnerabilities: Understanding patch notifications and fixing CVEs

After Notification: The Next Steps

In a previous blog, we covered how Timesys handles security monitoring and notification of open source software vulnerabilities, how to generate reports on demand for the current state of a Yocto or Factory build on the desktop, and how to view, generate, and subscribe for reports on the web. If you missed it, now would be a good time to catch up before reading this post, because the next steps cover what to do …
 

read more

Meltdown and Spectre vulnerabilities

Google Project Zero team discovered a method to read privileged memory from user space by utilizing CPU data cache timing to leak information out of mis-speculated execution. Variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. For more details refer to this blogpost.
 

read more

Trusted Software Development Using OP-TEE

This blog aims to introduce the concept of Trusted Execution Environment (TEE) and how end users can leverage open source software to safely deploy applications that require handling confidential information.
 

read more

Secure Boot and Encrypted Data Storage

Secure boot ensures only authenticated software runs on the device and is achieved by verifying digital signatures of the software prior to executing that code. To achieve secure boot, processor/SoC support is required. In our experience, some of the more secure boot friendly processors with readily available documentation are NXP i.MX, Xilinx Zynq, and Atmel SAMA5 series. Some TI Sitara processors support secure boot, but might involve TI factory programming of signing keys and custom part numbers.
 

read more

Webinar: Building Embedded Software Efficiently with an IDE

Discover IDE-assisted software development best practices that can help you minimize the number of challenges you encounter and reduce development delays when building your value-add embedded application.

This four-session webinar series will utilize open source Linux and Timesys’ TimeStorm IDE for embedded application- and system-level development. You’ll see how TimeStorm provides a consistent development experience while providing application developers with the flexibility they need to be more efficient and productive.
 

read more

Securing Embedded Linux Devices

Embedded devices have unique security needs ranging from IP protection, anti-cloning / anti-counterfeit capability, device software integrity, user data protection, securing network communication, device authentication and ability to run only trusted applications. A wide range of open source technologies are available that can help implement the aforementioned security requirements. However, it is not always apparent which mechanisms are best suited for a given use case, resulting in a steep learning curve. This blog series aims at giving a high-level overview of the different methods to secure your product and help accelerate your trusted software deployment.
 

read more

Software / Firmware Update Design Considerations

The Internet of Things (IoT) has quickly led to the deployment of ubiquitous, unattended devices throughout our homes, offices, factories and public spaces. In this continuously expanding connected world of devices and IoT, the need to update/upgrade your product’s software/firmware is a certainty. There is no single software update approach that fits all, but there are key questions you should consider when designing your approach. They are: Why, When, What and How.
 

read more
Click to Hide Advanced Floating Content

Timesys Vigiles™
Vulnerability Management