The Yocto Project is well known for enabling product developers to quickly and easily customize Linux for Internet of Things (IoT) devices and other embedded systems. But today’s environment is marked by heightened security concerns, skyrocketing vulnerability reports, and high-profile security breaches.
Getting your embedded system product to market fast is important. But getting to market fast without a secure design and a plan for managing future vulnerabilities is a huge mistake. If you design, build and support products with embedded Linux using Yocto, it’s important to evaluate security of your system from the point of view of the end customer who will deploy it.
Continue reading “Monitoring and managing vulnerabilities for embedded systems built with Yocto” »
A classic security breach vector involves exploiting weak authentication. As security researchers like to point out, failing to change default passwords for administrative access remains the top security issue for all types of IT systems.
But a related — and perhaps more devious — attack vector involves exploiting a weakness in a process that is supposed to help ensure device security in the first place: the remote system update.
Continue reading “Security vulnerabilities and medical devices: when the software update itself is the problem” »
Embedded system products are often deployed by IT managers struggling with a longstanding tradeoff: Should you sacrifice IT performance to make IT more secure?
The performance-or-security tradeoff has been the subject of technology research and industry analysis for many years. The analysis often focuses on issues like network performance or business application performance and how security measures may impede or otherwise affect throughput or access. Continue reading “Embedded system security and the IT performance tradeoff” »
Researchers and the technology media are reporting that the average application now contains more open source software components than proprietary code. And the use of open source components in embedded systems such as Internet of Things (IoT) devices likewise is on the rise.
How is this trend affecting awareness of embedded system security and open source security best practices? If you bring embedded system products to market with open source components, how do these systems affect your customers’ security postures?
To evaluate these questions, it helps to explore how enterprises test and measure the security of IT systems.
Continue reading “Security testing of embedded open source systems creates a stronger enterprise security posture” »
We’re on the verge of setting another annual record in the number of security vulnerabilities being reported. And more and more vulnerability exploits are targeting the Internet of Things.
Botnet exploits are going after IP cameras. Smart home technologies are being hacked. Even children’s toys are being hacked and used for covert surveillance. And in one bizarre case, hackers gained access to a casino’s systems through a smart thermometer in the lobby fish tank.
But these cases raise the question of what really is a vulnerability?
Continue reading “Security vulnerabilities and the Internet of Things” »
The number of security vulnerabilities continues to skyrocket. After setting a record last year, the number of reported Common Vulnerabilities and Exposures (CVEs) is on pace to set yet another record this year.
In 2017, more than 14,000 CVEs were reported, affecting a vast range of devices, systems and applications. So far in 2018, more than 12,000 CVEs have been reported, and if that pace continues, we should move past last year’s record number in the next two months.
Continue reading “Vulnerability management for Internet of Things and embedded systems” »
IoT device security vaulted into the public consciousness in recent years. Media coverage of successful attacks against IoT devices and supporting systems, botnets powered by compromised devices, and a range of other security issues have raised public concern.
But now California is on the verge of enacting the first actual law in the US to mandate IoT device security.
Unfortunately, according to some in the industry, the bill now awaiting the governor’s signature will do little in its present form to improve the security of IoT, or the companies deploying it, or the people using it.
Continue reading “Laying down the law on IoT security” »
It often helps to look at cybersecurity from the attacker’s point of view.
This approach, in fact, is the foundation of common techniques for penetration testing. That’s when “white hat” hackers will put a company’s IT systems through a range of attacks, looking for security vulnerability issues and defense gaps.
So when we consider Internet of Things device security and the defenses that protect an enterprise’s IoT deployments, it’s important to adopt the mindset of an attacker.
What’s an attacker looking for when they are prepping IoT attacks?
Continue reading “Security at IoT scale” »
There is an old saying in the IT security space, one that applies really across any type of security: Complexity is the enemy of security.
It’s hard to pin down exactly who coined this phrase. Among the earliest references to it are from IT security guru Bruce Schneier. And Schneier’s discussion of this principle is probably among the clearest: systems get harder to secure as they get more complex. And since our systems are getting more complex all the time, security is becoming more challenging.
Today’s poster child for the Complexity-Security inverse correlation is Internet of Things device security.
Continue reading “‘Complexity is the enemy of security’ … especially in IoT” »
Qualcomm Snapdragon processors support secure boot which ensures only authenticated software runs on the device. By configuring the processor for secure boot, unauthorized or modified code is prevented from being run. The authenticity of the image is verified by use digital signatures and certificate chain.
Secure Boot process overview
On Qualcomm processors the first piece of software that runs is called Primary BootLoader (PBL) and it resides in immutable read-only-memory (ROM) of the processor. By configuring the processor for secure boot, PBL can verify the authenticity of the Secondary BootLoader (SBL) before executing it. Continue reading “Secure boot on Snapdragon 410” »