29 January 2025 by Phillip Johnston
In March 2024, the U.S. Federal Communications Commission (FCC) formally adopted rules for creating a cybersecurity labelling program (the Internet of Things Cybersecurity Labelling Program and an associated “Cyber Trust Mark”). This continued the efforts defined in the 2023 U.S. National Cybersecurity Strategy. The goal is to create a program that operates similarly to ENERGY STAR labelling: by putting a label onto products and making the relevant information easier to access, consumers can more easily consider security when purchasing a connected device. Unlike the EU CRA, which is compulsory, …
Continue reading “U.S. Cybersecurity Labelling Program and Cyber Trust Mark”
Today we have a guest post from Dave Goldberg. Dave is an embedded software engineer based in Boston, MA. He enjoys problem solving, mentoring junior engineers, and preaching the importance of quality and security. You can find Dave on LinkedIn. In this article we’ll investigate how a particular Wi-Fi connected sensor (in this case a …
Continue reading "Reclaim Your Data: Freeing a Wi-Fi Sensor from the Cloud"
27 October 2023 by Phillip Johnston
There have been several recent instances where Arm GCC toolchain compiler bugs rendered stack smashing protection incomplete or easily defeated.
32-bit Arm Error: Comparison Against the Address, not the Value
We have written about implementing stack smashing protection for microcontrollers. Someone commented on that article pointing out that stack smashing protection in the GNU ARM compiler has been broken for quite a while: safe versions seem to be up to 8.3.1, and after 10.2.1. Details about the problem can be found in the write-up linked in the comment: Faulty Stack Smashing Protection on ARM Systems. …
Continue reading “Broken Stack Smashing Protection in GCC ARM Compilers”
Your toolchain is a useful place to start when incorporating security into your development process. There are several warnings and program augmentations that help harden your application. This article focuses on GCC and Clang, as that's what I primarily use. I'm happy to take suggestions from readers for other toolchains. The flags in this option …
Continue reading "Leveraging Your Toolchain to Improve Security"
7 September 2023 by Phillip Johnston
This is a report put out by the World Economic Forum. The report was actually an interesting read, though I focused on the most interesting details for technical teams in the summary below.
Abstract
As the world begins to emerge from the COVID-19 pandemic, technological advances, such as the internet of things (IoT) and related technologies, have offered an exceptional opportunity to help build a more prosperous and sustainable future. The pandemic has emphasized the importance of IoT and related technologies in people’s lives and work; from contact tracing to wearable devices, these technologies provide …
Continue reading “WEF State of the Connected World, 2023 Edition”
7 September 2023 by Phillip Johnston
Abstract
The PSA Certified 2023 Security Report, gathered from a survey of 1,240 technology decision makers, reveals that security certification is now an essential part of the customer purchasing decision. Security investment costs are increasing as a result: the advantage belongs to those who can comply with regulation and set the conversation.
Files
PDF Report
Reading Club Discussion
This paper was selected for our members’ reading club. Follow this link to discuss the paper.
Summary
I didn’t find as many interesting insights in this survey as I have in others. General impressions are useful, however. …
Continue reading “PSA Certified 2023 Report”
31 August 2023 by Phillip Johnston
Broadly speaking, there are two ways to improve at anything: acquiring new knowledge and skills, and reducing errors. The former tends to be prioritized, as many mentally equate proficiency and mastery with a broad repertoire of skills. But after a certain point, you are hindered much more by weaknesses and errors than by a lack of skill or knowledge. You can make significant gains by addressing your weaknesses and eliminating errors. This aspect of improving by eliminating errors stands out to us after reviewing MITRE’s 2023 list of the Top 25 Most Dangerous Software Weaknesses. This is …
Continue reading “MITRE’s 2023 List of Top 25 Most Dangerous Software Weaknesses”
31 August 2023 by Phillip Johnston • Last updated 29 February 2024
RepoJacking is a type of supply chain attack to which GitHub repositories can become vulnerable. RepoJacking can occur when a GitHub user or organization changes its name. GitHub automatically creates links between the older name and the newer name, so that any uses of the older name redirect to the new one. This is done to prevent dependencies from breaking when a rename occurs. However, the previous user name or organization name can now be registered by others. If a new user or organization is created with the old name, …
Continue reading “RepoJacking Vulnerability”
Embedded Artistry and Memfault are joining forces to host a quarterly embedded discussion panel that is focused on the technical aspects of building embedded systems at scale. We will be featuring guest panel members who are at the cutting edge of embedded development. Our goal is to spread beneficial techniques and practices throughout the industry. …
Continue reading "Best Practices for Safeguarding Your Connected Devices"
28 August 2023 by Phillip Johnston • Last updated 24 February 2025
In our careers, we will build relatively few systems. Our experience will be limited. If we want to expand our horizons beyond the narrow subset of systems we have worked on, we need to study the works of others. We collect case studies of systems and events that we believe are worth studying due to the lessons and insights they provide. These case studies specifically focus on security. Vulnerabilities can give you insight into how your systems can be abused to achieve some other end. Often, in a way …
Continue reading “Security Case Studies”