What CISOs Get Wrong About Connected Device Security (And Why You Should Care)

By Chad Cox

Embedded Computing Design

October 08, 2021



Insufficient security costs companies hundreds of millions of dollars annually, and sometimes more than money is at stake. For example, Swisslog, a manufacturer of pneumatic tube systems for hospitals, was found to have vulnerabilities in its system. If exploited, attackers could easily manipulate testing logs, gain access to test results, and worse.

Why is something that so desperately needs to be secure, not? Often, it comes down to integrating third-party code into embedded systems during the development lifecycle.

Jeanette Sherman, Sr. Director of Product Development at Finite State, believes the problem starts with companies focusing predominantly on a bill of materials for their software, and only for the software.

“That’s great, but we think it doesn’t go far enough because it doesn’t detect all of the components on a connected or embedded device.”

Because of the growing amount of code in embedded systems (whether developed in-house, licensed from a commercial vendor, or sourced from the Internet), it’s difficult to sufficiently test every part of a software stack. When companies put most of their resources into checking the software BoM, they can often fairly easily issue patches and updates that address bugs and vulnerabilities across broad swaths of their software stack.

However, these checks often don’t capture issues in the hardest-to-reach portions of a design – namely, where custom coding and integration work has been performed. That’s a problem for IoT devices that will be updated remotely with new software and firmware post-deployment. It’s an even bigger issue for “set-and-forget” embedded devices that will never be updated in the field, if the issues aren’t caught before final production begins.

So how can a company make sure its products are secure, especially when most of its IP is stitching together third-party code? Finite State’s approach is to analyze the final, finished set of binaries, which brings together all of a product’s hardware and software components and configurations, and scan that set for vulnerabilities.

“We don’t look at everything before it is compiled and configured. Sometimes those hardcoded credentials come in during configuration,” says Sherman. “We find, and this is the big mistake CISOs make: they’re not looking at those final binaries.”
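To illustrate Sherman's point, here is an added example (not Finite State's code, and not from the original article) showing why a source-level or SBOM-only review can miss what ends up in the shipped image. It constructs a toy firmware blob whose build step appended a configuration section, then extracts printable strings from the raw bytes and flags credential-like assignments. The firmware contents, the configuration keys and the placeholder secret values are all constructed for the example.

```python
import re

# Constructed firmware image: a fake ELF-like header, some opaque code bytes,
# and a configuration section appended at build time. The values are
# placeholders invented for this example, not from any real device.
FIRMWARE_IMAGE = (
    b"\x7fELF\x01\x01\x01\x00" + bytes(range(256)) * 2
    + b"\x00[config]\nwifi_ssid=lab\nadmin_password=ChangeMe123\n"
    + b"api_key=AKIA0000000000EXAMPLE\n\x00"
    + b"\x90" * 64
)

# Patterns that indicate a credential baked into the binary. They are
# deliberately simple; a production scanner would use a richer rule set.
CREDENTIAL_PATTERNS = [
    ("password assignment",
     re.compile(r"(?i)\b[a-z_]*pass(word|wd)?\s*[=:]\s*\S+")),
    ("API key assignment",
     re.compile(r"(?i)\b[a-z_]*(api_?key|secret|token)\s*[=:]\s*\S+")),
    ("private key block",
     re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]

# Printable ASCII plus tab; newlines terminate a run so config lines separate.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09}


def extract_strings(blob: bytes, min_len: int = 4):
    """Yield (offset, text) for runs of printable ASCII, like the `strings` tool."""
    start = None
    for i, b in enumerate(blob):
        if b in PRINTABLE:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                yield start, blob[start:i].decode("ascii")
            start = None
    if start is not None and len(blob) - start >= min_len:
        yield start, blob[start:].decode("ascii")


def scan_firmware(blob: bytes):
    """Return (offset, label, string) for every credential-like string in the blob."""
    findings = []
    for offset, text in extract_strings(blob):
        for label, pattern in CREDENTIAL_PATTERNS:
            if pattern.search(text):
                findings.append((offset, label, text))
                break  # one label per string is enough for reporting
    return findings


if __name__ == "__main__":
    for offset, label, text in scan_firmware(FIRMWARE_IMAGE):
        print(f"0x{offset:06x}  {label:<20}  {text}")
```

Nothing in the source tree or the SBOM references `ChangeMe123`; it only exists in the configuration that was merged in at build time, so the check has to run against the bytes that will actually ship.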

The Finite State platform provides continuous monitoring of embedded system components, both pre- and post-deployment, so that engineers don’t have to check for bugs manually. If issues are uncovered, the platform can alert users and/or administrators with the affected device, component, error type, and so on.

To learn more about security best practices for IoT devices, attend Sherman's session at the 2021 IoT Device Security Conference, “What CISOs Get Wrong About Connected Device Security (And Why You Should Care)” on November 9th. Registration is free.