The web of Internet of Things (IoT) devices continues to grow each day. In fact, by the year 2020, Gartner predicts that 95% of new electronic product designs will contain IoT technology; Forbes expects at least 80 billion IoT devices to be available by 2025. But with such a vast number of devices in use across the world, how can you hope to find flaws and address vulnerability concerns in a timely manner within your own IoT products?
In order to operate efficiently, many IoT devices need to have certain features — they are often low-powered, run on battery power, are meant to last for decades, and are able to be accessed remotely. These factors help them fulfill their role in society, but also pose unique challenges. In your plan for successfully maintaining security in embedded open source IoT devices, you should consider the following:
Volume of Vulnerabilities
IoT devices are no exception to the storm of vulnerabilities that developers have to weather to protect their products. With tens of thousands of Common Vulnerabilities and Exposures (CVEs) discovered every year, it’s safe to say you’ll need to constantly monitor and patch your IoT devices throughout their lifespan.
You must be ready to constantly track security databases and mailing lists for new CVEs and patches that apply to your software. Our previous blog takes a closer look at the steps for monitoring and managing vulnerabilities.
Countless IoT devices are being deployed to users spread across great distances, making it impossible to address the security of each one on an individual basis. You must find a way to deploy updates and patches to all devices quickly and simultaneously to ensure a product’s continued functionality.
On a similar note, you probably won’t have constant direct access to devices already in the field. You must develop a plan to apply updates and patches remotely, so you can still address vulnerabilities without dangerous delays that can put your product at risk.
IoT devices have a lot of components: sensors, gateways, cloud infrastructure, and remote access ports, to name a few. Unfortunately, each of those components serves as an increased attack surface for vulnerabilities to appear. You must address flaws at each of these points to ensure the complete protection of your devices.
Since it would be too expensive to replace IoT devices made for various industries every few years, most are built to last — some will continue to function for more than two decades. Because of their significant lifespan, you must be ready to provide updates over the years to ensure their longevity.
Devices meant to be cost-efficient and run on batteries for years are also designed to be as low-power as possible. Often, developers might decide prioritize this need over initial security considerations in order to make their devices more appealing. That makes it even more important for you to streamline security updates, to ensure the protection of intellectual property and confidential data once a device is launched.
A Proactive Solution
These challenges highlight the complexities of managing IoT products at scale. Even if you know how to tackle them individually, addressing every one of these challenges can take significant time and energy, and that’s a luxury you might not have. The longer it takes to discover and fix vulnerabilities, the more risks your product might face.
Fortunately, Timesys has the experience in embedded open source systems to help you address these challenges. Together, we can shorten the “discovery-to-fix” gap (the cycle between discovering a vulnerability in your device and implementing a fix). Timesys’ TRST (Threat Resistance Security Technology) Product Protection Solutions offers Security Vulnerability and Patch Notification service and Field Update services to reach all of your IoT devices in a timely, efficient manner.
Our Security Vulnerability service monitors security databases and mailing lists for you, highlighting vulnerabilities that apply to your unique build and categorizing them based on severity, so you can choose which to address.
Then, our Patch Notification service provides you with fixes that put you on the road to a solution. You can add or update the meta-timesys-security layer to apply fixes to your software, and configure your recipes to selectively include only the patches you want. You’ll also have access to all of your build configurations in LinuxLink, so you can see how the threats to your product have evolved over time.
As long as there are security vulnerabilities, there will be “discovery-to-fix” gaps. Timesys can help you efficiently manage IoT updates at scale, so you can reduce the gap and stay secure.
Timesys has extensive experience with embedded system development and lifecycle management. Timesys has been instrumental in working with global leader semiconductor manufacturers with smart, quick and quality solutions for highly complex systems with accelerated product innovation and multiple product variants.