IT security has never been more of a hot-button topic than it is today. Increasingly, the focus is on the security of the Internet of Things (IoT) and the embedded systems that support these devices.
And so far, the traditional enterprise security architectures and procedures are failing to protect these systems from being compromised. The evidence is trumpeted in the headlines documenting successful compromises, emerging breach patterns, and the exploding volume of vulnerability advisories.
Continue reading “Maintaining strong security for your IoT device BSP” »
The web of Internet of Things (IoT) devices continues to grow each day. In fact, by the year 2020, Gartner predicts that 95% of new electronic product designs will contain IoT technology; Forbes expects at least 80 billion IoT devices to be available by 2025. But with such a vast number of devices in use across the world, how can you hope to find flaws and address vulnerability concerns in a timely manner within your own IoT products?
Continue reading “Discovering and Fixing Vulnerabilities Quickly: Securing Embedded Open Source IoT Devices in the Wild” »
14,000+ CVEs were discovered in 2017. In April of 2018 the CVE list had surpassed 100,000 entries, and that number grows every day. So how do you protect your embedded devices and open source embedded systems in IoT and IIoT deployments from this endless onslaught of security threats?
With unpredictable and fast-paced discoveries, managing endless threats and maintaining the security of your embedded software throughout the product lifecycle can be a significant challenge — and a time-consuming one. If your plan is to weather the vulnerability storm yourself, then you’ll need to ask yourself the following questions:
Continue reading “Open Source CVE Monitoring and Management: Cutting Through the Vulnerability Storm” »
Traditional IT security isn’t protecting embedded open source systems in IoT and IIoT deployments
Here at Timesys, we’ve been noticing some concerning trends when it comes to open source embedded system security and the rise of Internet of Things (IoT) and other intelligent devices. We’ve been hard at work developing a solution that can help ease your burden of carefully developing, monitoring, and maintaining security measures on your devices.
More and more IoT and IIoT products are being built with open source embedded software — which we think is great. But as a growing number of developers turn to open source components for their products, security processes can’t keep up with the rate at which open source devices are being deployed. Traditional IT security was built around secure perimeters and trusted environments, with fewer intelligent devices and smaller attack surfaces. But those parameters have begun to change. And with more products to target, the number of security threats will only increase as well.
Continue reading “Introducing TRST Product Protection Solutions for Devices Based on Embedded Open Source Software” »
After Notification: The Next Steps
In a previous blog post, we covered how Timesys handles security monitoring and notification of open source software vulnerabilities, how to generate reports on demand for the current state of a Yocto or Factory build on the desktop, and how to view, generate, and subscribe to reports on the web. If you missed it, now would be a good time to catch up before reading this post, because the next steps cover what to do with the information contained in those reports. Specifically, you may have the following questions:
- What should I fix?
- Where do I find the fixes?
- How do I apply fixes to my build?
We’ll start by explaining the meaning of the subcategories of “Unfixed” CVEs and the “Vector” column in the reports, and then break down each of the above questions. Along the way, you’ll see how the solutions offered by Timesys can save you countless hours spent searching for patches, applying them to your build, and dealing with conflicts that arise when upgrading.
Continue reading “Managing vulnerabilities: Understanding patch notifications and fixing CVEs” »
The security of your device systems and software is critical for your customers. Heightened cyber-attacks, stringent privacy requirements, and increased breach risks all demand that security is baked into your product design, not slapped on as an afterthought.
Continue reading “Webinar Series: Reduce Risk with RISC – Designing and Maintaining Secure Embedded Linux Devices with Advantech RISC Platforms” »
Security Is Important
No matter what industry you’re in, maintaining the security of your software is vital. It may be obvious that medical devices need to protect patients and their privacy, but a range of consumer gadgets fueling the IoT have also been targeted and used to cause real damage.
When security is an afterthought and products are near release, and especially when they are already in the field, addressing vulnerability issues becomes a lot riskier and much more costly. This is one reason that we advocate for designing with security in mind from the beginning. Since most open source vulnerabilities are fixed by upgrading to a new version or applying a patch, it’s important to make scanning for Common Vulnerabilities and Exposures (CVEs) and applying their fixes a regular part of the development process.
Continue reading “Managing vulnerabilities: The importance of security notification and how to leverage Timesys’ solution” »
Updated on 6/24/2018
The Google Project Zero team discovered a method to read privileged memory from user space by using CPU data cache timing to leak information out of mis-speculated execution. Variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. For more details, refer to this blog post.
So far, there are three known variants of the issue:
Variants 1 & 2 are referred to as Spectre and Variant 3 as Meltdown.
Timesys has been monitoring vendor websites and open source mailing lists regarding affected CPUs and software mitigation strategies, and below are our findings:
Continue reading “Meltdown and Spectre vulnerabilities” »
This blog aims to introduce the concept of Trusted Execution Environment (TEE) and how end users can leverage open source software to safely deploy applications that require handling confidential information.
Continue reading “Trusted Software Development Using OP-TEE” »
What is secure boot?
Secure boot ensures that only authenticated software runs on the device. It is achieved by verifying the digital signatures of the software before that code is executed. Secure boot requires processor/SoC support. In our experience, some of the more secure-boot-friendly processors with readily available documentation are the NXP i.MX, Xilinx Zynq, and Atmel SAMA5 series. Some TI Sitara processors support secure boot, but might involve TI factory programming of signing keys and custom part numbers.
Continue reading “Secure Boot and Encrypted Data Storage” »