Qualcomm Snapdragon processors support secure boot which ensures only authenticated software runs on the device. By configuring the processor for secure boot, unauthorized or modified code is prevented from being run. The authenticity of the image is verified by use digital signatures and certificate chain.
Secure Boot process overview
On Qualcomm processors the first piece of software that runs is called Primary BootLoader (PBL) and it resides in immutable read-only-memory (ROM) of the processor. By configuring the processor for secure boot, PBL can verify the authenticity of the Secondary BootLoader (SBL) before executing it. Continue reading “Secure boot on Snapdragon 410” »
Devices connected via IoT technology are spreading across multiple industries at unprecedented rates. But the benefits of enhanced connectivity are accompanied by increased security risks.
IoT technology is used in everything from healthcare devices, to transportation infrastructure, to industrial control systems supporting operationally critical processes.
According to Forbes, some 80 billion devices will be connected to the internet by the year 2025. In terms of customer convenience and effective performance, this trend could be game-changing for people who rely on technology to explore, work, and live.
Continue reading “IoT Security: Don’t Ship Product Without It” »
The US Federal Bureau of Investigation has issued a warning about Internet of Things device security issues, the latest in a continuing string of IoT attack and security vulnerability warnings from the US’s top law enforcement agency.
Attackers are using compromised IoT devices as proxies to mask various illicit activities, the FBI said, citing spamming, click-fraud, illegal trade, botnets for hire, and other crimes being committed using IoT devices.
The Bureau said IoT device vulnerabilities are being exploited by these attackers, naming routers, media streaming devices, Raspberry Pis, IP cameras, network attached storage (NAS) devices as among the types of products covered by the warning.
Continue reading “The FBI Warns of IoT Security Issues Once Again” »
The traditional IT security architecture has been through a mammoth, global stress test in recent years thanks to the environment of escalating attacks and huge data breaches.
But perhaps the biggest challenge of all to the traditional IT security architecture has been in the IT evolution driven by the Internet of Things (IoT), Cloud Computing, Edge Computing and related innovations.
Continue reading “Why is traditional IT security failing to protect the IoT?” »
If you make devices that support enterprise operational tasks, sensor data gathering, or a range of other enterprise processes, then your device’s security posture is a major concern for your customers.
But if you are not in the IT security industry, the security posture for your device may not even be something that is clearly defined in product requirements. Besides the obvious security-oriented features, such as encryption and authentication and compliance-mandated features, security requirements are often embedded in a host of other functions and processes that may be covered by your device requirements.
Continue reading “Make your device’s security posture stronger” »
IT security has never been more of a hot button topic than it is today. Increasingly, the focus is on the security of the Internet of Things (IoT) and the embedded systems that support these devices.
And so far, the traditional enterprise security architectures and procedures are failing to protect these systems from being compromised. The evidence is trumpeted in the headlines documenting successful compromises, emerging breach patterns, and the exploding volume of vulnerability advisories.
Continue reading “Maintaining strong security for your IoT device BSP” »
The web of Internet of Things (IoT) devices continues to grow each day. In fact, by the year 2020, Gartner predicts that 95% of new electronic product designs will contain IoT technology; Forbes expects at least 80 billion IoT devices to be available by 2025. But with such a vast number of devices in use across the world, how can you hope to find flaws and address vulnerability concerns in a timely manner within your own IoT products?
Continue reading “Discovering and Fixing Vulnerabilities Quickly: Securing Embedded Open Source IoT Devices in the Wild” »
14,000+ CVEs were discovered in 2017. In April of 2018 the CVE list had surpassed 100,000 entries, and that number grows every day. So how do you protect your embedded devices and open source embedded systems in IoT and IIoT deployments from this endless onslaught of security threats?
With unpredictable and fast-paced discoveries, managing endless threats and maintaining the security of your embedded software throughout the product lifecycle can be a significant challenge — and a time-consuming one. If your plan is to weather the vulnerability storm yourself, then you’ll need to ask yourself the following questions:
Continue reading “Open Source CVE Monitoring and Management: Cutting Through the Vulnerability Storm” »
Traditional IT security isn’t protecting embedded open source systems in IoT and IIoT deployments
Here at Timesys, we’ve been noticing some concerning trends when it comes to open source embedded system security and the rise of Internet of Things (IoT) and other intelligent devices. We’ve been hard at work developing a solution that can help ease your burden of carefully developing, monitoring, and maintaining security measures on your devices.
More and more IoT and IIoT products are being built with open source embedded software — which we think is great. But because of the growing number of developers turning to open source components for their products, security processes can’t keep up with the rate at which open source devices are being deployed. Traditional IT security has been built with secure perimeters and trusted environments, and has fewer intelligent devices and smaller attack surfaces. But those parameters have begun to change. And with more products to target, the number of security threats will only increase as well.
Continue reading “Introducing Product Protection Solutions for Devices Based on Embedded Open Source Software” »
The content of this blog has been updated to reflect features and functionality that have been added to Timesys’ Vigiles Vulnerability Monitoring and Management.
After CVE Notification: The Next Steps
In a previous blog, we covered how Timesys handles security monitoring and notification of open source software vulnerabilities, how to generate reports on demand for the current state of a Yocto, Buildroot or Factory build on the desktop, and how to view and generate reports on the web. If you missed it, now would be a good time to catch up before reading this post, because the next steps cover what to do with the information contained in those reports. Specifically, you may have the following questions:
- What should I fix?
- Where do I find the fixes?
- How do I apply fixes to my build?
We’ll start by explaining the meaning of the subcategories of “Unfixed” CVEs and the “Attack Vector” column in the reports, and then break down each of the above questions. Along the way, you’ll see how the Vigiles Vulnerability Management solution offered by Timesys can save you countless hours spent searching for patches, applying them to your build, and dealing with conflicts that arise when upgrading.
Continue reading “Managing vulnerabilities: Understanding patch notifications and fixing CVEs” »