Read the feature on Connected Device Security Solutions, including an interview with Finite State's Mark Harris:
Connected devices are increasingly a source of cyber risk. The sheer number of devices in most environments, the number of software-defined functions they carry, a complex supply chain, and easy physical access all combine to make these devices "low hanging fruit." Security teams need a much finer-grained view of what software each device is composed of, but in practice that visibility has been hard to obtain.
The Finite State platform is designed to address connected device risk by giving visibility into connected devices, whether procured through a supply chain partner or developed in-house. That visibility lets security engineers analyze cyber risk in more depth by exposing any exploitable vulnerabilities present in the device's software.
TAG Cyber: What is the central problem the Finite State team solves for customers?
FINITE STATE: Many device manufacturers are competing to gain market share with their latest iterations of connected devices. In that race to success, they use anything and everything to their advantage, especially third-party and open source software to reduce development costs and time to market. Being the first to market is a coveted position, as it usually means being the market leader for a notable period of time. But where does all this code being used come from? Who wrote it? Is it being maintained? How much do you trust your vendors? Are there critical vulnerabilities in these libraries affecting the integrity or availability of a device?
The answer to this last question is almost always yes. Finite State discovers vulnerabilities in embedded products before they are ever released to customers. In addition to open-source and proprietary third-party software, Finite State identifies vulnerabilities in first-party code that is most often associated with what embedded developers refer to as user application code.
TAG Cyber: How does your solution work?
FINITE STATE: We analyze the final firmware binary images, uploaded by device manufacturers via API or web browser. Device manufacturers with mature product security organizations integrate Finite State into their build process, so vulnerabilities are discovered as soon as developers or their upstream software supply chains introduce them during a project. This provides the ultimate latitude for product security organizations to work with their engineering, product, and project management counterparts to meet key product launch deadlines without putting their customers or product revenue at unnecessary risk.
TAG Cyber: Do you see more emphasis on determining the components that comprise a given device or system?
FINITE STATE: Yes, the executive order from President Biden set the stage for a long-needed journey to software transparency based on a software bill of materials (SBOM), which lists all of the software used in embedded devices. With an open communication channel sharing information about all of the code inside a device, organizations can start to have a joint conversation about securing embedded devices together from both the device manufacturers and their asset or device owners.
TAG Cyber: How does your solution work with open-source components in products?
FINITE STATE: We have already analyzed millions of open-source packages from all of the major sources embedded developers commonly use. Everything from plain old Linux distributions like openSUSE and Debian to newer projects like Yocto and OpenEmbedded can all be analyzed by Finite State. We don't stop there; we also analyze more exotic embedded software such as real-time operating systems like VxWorks, QNX Neutrino, and FreeRTOS. Embedded manufacturers often take the same open-source software found in traditional Linux distributions and statically compile it into a single binary firmware custom built for custom chipsets only found in embedded devices.
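The statically linked firmware image described in the answer above is where software-composition analysis has to start: the package metadata is gone, but the version banners the components print at runtime survive in the binary. As an added editorial example (not Finite State's code and not part of the interview), the following Python scans a constructed firmware blob for such banners and emits a minimal CycloneDX-style component list; the banner regexes, the component names, and the sample image are assumptions made for illustration, not a vendor signature database.

```python
"""Derive an SBOM-style component list from a firmware image by matching
embedded version banners (editorial example; patterns and blob are constructed)."""
import json
import re
from typing import Dict, List

# Assumed banner regexes for a few components commonly statically linked into
# embedded images. A real scanner would carry a much larger signature set.
BANNER_PATTERNS = {
    "busybox": re.compile(rb"BusyBox v(\d+\.\d+(?:\.\d+)?)"),
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)"),
    "dropbear": re.compile(rb"dropbear_(\d+\.\d+)"),
    "zlib": re.compile(rb"(?:inflate|deflate) (\d+\.\d+\.\d+) Copyright"),
}


def extract_components(firmware: bytes) -> List[Dict]:
    """Return unique (name, version) pairs found in the image, with the offset
    of the first occurrence, sorted by name then version."""
    found = {}
    for name, pattern in BANNER_PATTERNS.items():
        for match in pattern.finditer(firmware):
            version = match.group(1).decode("ascii")
            found.setdefault((name, version), match.start())  # dedupe repeats
    return [{"name": n, "version": v, "offset": off}
            for (n, v), off in sorted(found.items())]


def to_sbom(firmware: bytes, image_name: str) -> Dict:
    """Wrap the extracted components in a minimal CycloneDX 1.4-shaped document."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "metadata": {"component": {"name": image_name, "type": "firmware"}},
        "components": [{"type": "library", "name": c["name"], "version": c["version"]}
                       for c in extract_components(firmware)],
    }


# Constructed firmware image: an ELF-like header, padding, and the banners a
# linker leaves in the read-only data of a statically linked image.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 64
    + b"BusyBox v1.31.1 (2020-01-10 09:12:44 UTC) multi-call binary.\x00"
    + b"OpenSSL 1.1.1k  25 Mar 2021\x00" + b"\x00" * 16
    + b"dropbear_2019.78\x00"
    + b"inflate 1.2.11 Copyright 1995-2017 Mark Adler \x00"
    + b"OpenSSL 1.1.1k  25 Mar 2021\x00"  # duplicate banner, reported once
)

if __name__ == "__main__":
    print(json.dumps(to_sbom(SAMPLE_FIRMWARE, "camera-fw-2.4.bin"), indent=2))
```

The component list is the input for the vulnerability matching the interview describes; a version such as a constructed OpenSSL 1.1.1k would then be looked up against an advisory feed.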
TAG Cyber: Do you have any predictions about emerging cyber threats?
FINITE STATE: I'm expecting to see an uptick in large-scale supply chain attacks. Attackers have realized they can get in undetected through trusted supply chains. Most of us have been through the required annual security training that teaches us how to recognize things like email-based phishing attacks, but how many of us have been trained not to trust the Setup Guide downloaded from a brand new device's embedded web server? An attacker could strategically place a malformed PDF document that exploits a zero-day vulnerability offering up remote code execution capabilities. The truth is most device manufacturers do not scan these basic artifacts, making it easy for attackers to slip in exploits completely undetected.