We’re on the verge of setting another annual record in the number of security vulnerabilities being reported. And more and more vulnerability exploits are targeting the Internet of Things.
Botnet exploits are going after IP cameras. Smart home technologies are being hacked. Even children’s toys are being hacked and used for covert surveillance. And in one bizarre case, hackers gained access to a casino’s systems through a smart thermometer in the lobby fish tank.
But these cases raise a question: what really is a vulnerability?
The classic example of an IT security vulnerability is probably the buffer overflow, in which an attacker exploits a flaw in how the system handles a memory buffer, causing the system’s executable code to be overwritten with malicious code.
But a vulnerability might just as well be a simple case of bad configuration. Does a networked system have a particular port open for access that is not needed for its particular application? Does it have access enabled and a default password in place? While not strictly speaking a bug or system design flaw, this type of misconfiguration can create an opening for an attacker to gain access to and control of the system.
If you bring IoT devices or other embedded systems to market, it’s essential to stay on top of the vulnerabilities of all types that may affect your products or the systems and components they contain.
Internet of Things device security is especially critical since so many exploits are emerging and attackers increasingly focus on these widely deployed devices.
But with the Common Vulnerabilities and Exposures (CVEs) database on track to set another record this year in terms of reported vulnerabilities, how do you stay on top of the flood of vulnerabilities that need to be tracked, analyzed and potentially fixed to ensure your customers are not put at risk?
We have worked with leading device makers to understand and mitigate the vulnerabilities that could put their customers at risk of a data breach.
For example, we assist IoT device developers with device security auditing, which is an important first step in hardening a device to prevent compromise and reduce the impact of an attack.
Device security auditing is a type of security risk assessment that evaluates the potential vulnerabilities or configuration issues that could create an opening for an attacker.
Part of an audit may be to evaluate which embedded systems are present in the device and whether those systems and packages are up to date with the latest versions. This can also help a device developer consider the patch management processes that will be essential for maintaining the device’s security posture over time once it is deployed.
Security testing in an audit may also consider results from a vulnerability scanner, which inspects the device for potential security gaps and for the areas an exploit could use to compromise it.
Our Secure by Design offering includes security audits and device hardening to enable your products to be more secure from the ground up. The audit service includes:
- Detailed review of packages and default system configuration
- Analysis of reports from audit and scanning tools
- End-to-end review of system security
- Risk management and recovery plan
In addition to our secure design offerings, our TRST (Threat Resistance Security Technology) Product Protection Solutions also help to maintain your product’s security posture into the future.
Our CVE monitoring and notification service enables you to cut through the flood of CVE notifications and understand which of them need your attention to mitigate and which you can safely ignore.
At Timesys we help device developers improve embedded system security across a wide range of device types and applications, including IoT, used in a variety of security-sensitive industries, including medical devices, transportation, industrial controls and others.
Our embedded system security offerings simplify IoT device security and reduce risk for you and your customers.
Contact us to learn more.
About Timesys
Timesys has extensive experience with embedded system development and lifecycle management. Timesys has been instrumental in working with leading global semiconductor manufacturers, delivering smart, quick and quality solutions for highly complex systems with accelerated product innovation and multiple product variants.