Renowned security expert Window Snyder, whose experience includes helping companies such as Apple, Microsoft, and Mozilla bolster the security of their products, is betting she can do the same thing for IoT device manufacturers.
Snyder’s company Thistle Technologies today is making generally available a new platform that aims to help IoT manufacturers securely deploy updates and implement capabilities for secure communications and memory management into their devices. The new Thistle Security Platform will give development teams working for embedded device manufacturers a way to directly incorporate security functionality into their products during the build phase.
Snyder says the technology is crucial because embedded devices are like fully functional computers that face the same kind of threats that operating systems and applications software do, but often don’t have basic security mechanisms for protecting against them.
“What we are trying to do is democratize security,” says Snyder, who launched Thistle in early 2021 after a stint as chief security officer at financial technology company Square. The goal is to give IoT and embedded device makers an infrastructure for quickly adding security functions to their devices without needing to develop it themselves. “These devices have all the same type of threats that general purpose operating systems have but with a lot less security,” she says.
Thistle’s set of security tools and services include an update component, a memory allocator, and an integrated memory-safe Transport Layer Security (TLS) stack for secure communications.
The update client, for Linux and Windows-based devices, enables IoT manufacturers to securely deliver signed updates to their device fleet from a single, central location. The updates could include new device features, security functions, and vulnerability fixes. It includes a failover feature that allows a device to return to a last known good state–without having to reboot—in case an update creates problems. The update client also supports vulnerability monitoring and access control capabilities. Thistle’s memory allocator manages device memory in such a way as to mitigate buffer overflows and other common memory-related issues.
When implemented, Thistle’s technology will enable IoT devices to receive automated updates in much the same way that general-purpose operating systems and applications receive updates. When a vulnerability surfaces in a product, or new functionality becomes available for it, the device manufacturer then can securely push the update out centrally to all installed devices, thereby eliminating the need for manual intervention.
In her various stints as a senior security executive at some of the world’s largest technology companies, Snyder has contributed to advances in areas such as secure software development lifecycles, memory management ,and attack surface reduction.
She perceives the technology her company is now bringing to the IoT market as giving resource-strapped device manufacturers a way to integrate baseline security features—such as encrypted communications and memory management capabilities—into their devices. Her hope is that device makers will then leverage her company’s platform to build on those features going forward.
Thistle’s immediate focus will be on IoT players in key markets such as automotive, power, water, networking, and the industrial sector.
Update mechanisms—when they exist—in the IoT space can be buggy and unreliable, Snyder says. She points to multiple incidents when a bad update bricked a device or caused other problems. One example: a 2017 incident where a bad firmware update bricked hundreds of smart locks from Lockstate that Airbnb was using as part of a program for its hosts. There have been other instances where key fobs and even cars have been bricked because of a faulty update, Snyder notes.
“The tolerance for update mechanisms is incredibly low,” Snyder says. “When you have really low tolerance for update failures, you need to have an update mechanism that is highly reliable in addition to being supported.”
Integration with Build Environments
The new Thistle security platform integrates with build environments and provides developers with tools such as those for integrating Thistle’s security features into their devices and for things like signing and processing updates. Thistle’s platform integrates with the open-source Yocto build system, which allows developers to add features to Linux products relatively quickly. It also integrates with the OpenWrt router operating system and with the U-Boot open-source bootloader.
Christ Wysopal, founder and chief technology officer at Veracode and seed investor in Thistle, says many of the capabilities that the company is making available are new to the space — especially among smaller IoT device makers. The technology should help embedded device makers implement a secure by design approach where key security features get integrated into the product.
“Thistle is making it easier for people to incorporate this technology at a price point they can afford,” Wysopal says. “It is changing the market by making security functionality available where it wasn’t before.”
Thistle’s platform launch comes at a time when interest in technologies for securely updating IoT devices appears to be increasing. In recent years, vendors and security researchers have been reporting a growing number of vulnerabilities in IoT products.
A report from Claroty last year showed that in the first half of 2022, IoT vulnerabilities accounted for 15% of all vulnerabilities in the so-called Extended IoT (XIoT) compromised of all connected cyber-physical systems. In the previous six-month period, IoT vulnerabilities accounted for just 9% of all XIoT vulnerabilities.
Pressure Mounts on Device Makers
The trend is significant because organizations across industries such as transportation, telecommunications, manufacturing, and other sectors are connecting all sorts of embedded devices to their networks to support digital transformation and operational requirements.
“The devices have a unique profile because they are not a general-purpose computer and yet they have a processor, memory, are connected to the network and a lot of the time are doing something critical,” Wysopal says.
He expects that enterprise organizations are going to increasingly demand better security capabilities from their IoT suppliers. The availability of technologies like that from Thistle is going to make it harder for device manufacturers to explain away their failure to implement fundamental security mechanisms in their products, Wysopal says.
Just this week the National Institute of Standards and Technology released a new encryption standard for IoT devices, which means enterprise organizations and consumers could soon begin expecting device makers to implement it in their products.
Measures like the Internet of Things Cybersecurity Improvement Act of 2020 are another factor because they require organizations selling IoT devices to government agencies to ensure minimum security standards for their technologies.
Embedded and IoT device makers are feeling more pressure than before to respond to security threats, Snyder says.
“Customers are also asking better questions and there have been more and more demonstrations over time that these devices are deeply vulnerable,” she says.