Window Snyder’s Startup Launches Security Platform for IoT Device Makers

Renowned security expert Window Snyder, whose experience includes helping companies such as Apple, Microsoft, and Mozilla bolster the security of their products, is betting she can do the same thing for Internet of Things (IoT) device manufacturers.

Snyder’s company, Thistle Technologies, today is making generally available a new platform that aims to help IoT manufacturers securely deploy updates and build secure communications and memory management capabilities into their devices. The new Thistle Security Platform will give development teams at embedded device manufacturers a way to incorporate security functionality directly into their products during the build phase.

Crucial Capabilities

Snyder says the technology is crucial because embedded devices are, in effect, fully functional computers that face the same kinds of threats operating systems and application software do, yet often lack the basic security mechanisms for protecting against them.

“What we are trying to do is democratize security,” says Snyder, who launched Thistle in early 2021 after a stint as chief security officer at financial technology company Square. The goal is to give IoT and embedded-device makers an infrastructure for quickly adding security functions to their devices without needing to develop it themselves. “These devices have all the same type of threats that general-purpose operating systems have but with a lot less security,” she says.

Thistle’s set of security tools and services includes an update component, a memory allocator, and an integrated memory-safe Transport Layer Security (TLS) stack for secure communications.

The update client, for Linux- and Windows-based devices, enables IoT manufacturers to securely deliver signed updates to their device fleet from a single, central location. The updates could include new device features, security functions, and vulnerability fixes. It includes a failover feature that allows a device to return to a last known good state, without having to reboot, in case an update creates problems. The update client also supports vulnerability monitoring and access control capabilities. Thistle’s memory allocator manages device memory in such a way as to mitigate buffer overflows and other common memory-related issues.
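The signed-update and last-known-good failover pattern described above, as an added example that is not Thistle’s code and says nothing about Thistle’s actual protocol or formats: a vendor signs a small update manifest with Ed25519, and the device verifies the signature before parsing anything, refuses any version not newer than the one running (anti-rollback), checks the image’s SHA-256 against the signed manifest, installs into the inactive slot, and reverts to the last known good slot if the trial image fails its health check. The A/B slot layout, the manifest encoding (version || digest), the HealthCheck hook, and the constructed image bytes are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes one update; the image is bound to the signed manifest by its SHA-256 digest.
type Manifest struct {
	Version  uint64
	ImageSum [sha256.Size]byte
}

// Encode serialises the manifest deterministically as version || digest.
func (m Manifest) Encode() []byte {
	buf := make([]byte, 8+sha256.Size)
	binary.BigEndian.PutUint64(buf[:8], m.Version)
	copy(buf[8:], m.ImageSum[:])
	return buf
}

// SignManifest is the vendor side; the release private key never reaches the device.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifest, sig []byte) {
	manifest = m.Encode()
	return manifest, ed25519.Sign(priv, manifest)
}

// Slot is one of two image slots (A/B layout, an assumption for illustration).
type Slot struct {
	Version uint64
	Good    bool // set once the image has run and passed its health check
}

// Device holds the update client's persistent state.
type Device struct {
	VendorKey ed25519.PublicKey // pinned at manufacture time
	Slots     [2]Slot
	Active    int // slot currently running
	Trial     int // slot under test after an update, or -1
}

// NewDevice starts with a known-good factory image (version 1) in slot 0.
func NewDevice(pub ed25519.PublicKey) *Device {
	return &Device{VendorKey: pub, Slots: [2]Slot{{Version: 1, Good: true}}, Trial: -1}
}

// Verify checks a candidate before anything is written: signature first (parse only authenticated bytes), then anti-rollback, then image digest.
func (d *Device) Verify(manifest, sig, image []byte) (Manifest, error) {
	if !ed25519.Verify(d.VendorKey, manifest, sig) {
		return Manifest{}, errors.New("update: bad manifest signature")
	}
	if len(manifest) != 8+sha256.Size {
		return Manifest{}, errors.New("update: bad manifest length")
	}
	m := Manifest{Version: binary.BigEndian.Uint64(manifest[:8])}
	copy(m.ImageSum[:], manifest[8:])
	if running := d.Slots[d.Active].Version; m.Version <= running {
		return Manifest{}, fmt.Errorf("update: version %d not newer than running %d (rollback refused)", m.Version, running)
	}
	if sha256.Sum256(image) != m.ImageSum {
		return Manifest{}, errors.New("update: image digest does not match signed manifest")
	}
	return m, nil
}

// Apply installs a verified update into the inactive slot and trials it; the slot that was running stays Good as the last known good state.
func (d *Device) Apply(manifest, sig, image []byte) error {
	m, err := d.Verify(manifest, sig, image)
	if err != nil {
		return err
	}
	inactive := 1 - d.Active
	d.Slots[inactive] = Slot{Version: m.Version} // image bytes would be written to this slot's storage here
	d.Active, d.Trial = inactive, inactive
	return nil
}

// HealthCheck: success promotes the trial slot to Good, failure falls back to the other slot if it is known good.
func (d *Device) HealthCheck(healthy bool) {
	if d.Trial < 0 {
		return
	}
	if healthy {
		d.Slots[d.Trial].Good = true
	} else if other := 1 - d.Trial; d.Slots[other].Good {
		d.Active = other
	}
	d.Trial = -1
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	dev, img := NewDevice(pub), []byte("image v2 (constructed)")
	man, sig := SignManifest(priv, Manifest{Version: 2, ImageSum: sha256.Sum256(img)})
	fmt.Println("tampered:", dev.Apply(man, sig, []byte("evil")), "| genuine:", dev.Apply(man, sig, img), "| active:", dev.Active)
	dev.HealthCheck(false) // the new image misbehaves: revert to last known good
	fmt.Println("after failed health check, active slot:", dev.Active, "version:", dev.Slots[dev.Active].Version)
}
```

Two design points worth noting. The signature is checked before the manifest is parsed, so the parser only ever sees vendor-authenticated bytes. And the anti-rollback check compares against the running version, so after a fallback the device will accept the same version 2 again; that is what you want for a transient failure, but not for a release the vendor has withdrawn, which needs a minimum-version counter or revocation list carried in a later signed manifest.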

Automated Updates

When implemented, Thistle’s technology will enable IoT devices to receive automated updates the same way that general-purpose operating systems and applications receive updates. When a vulnerability surfaces in a product, or new functionality becomes available for it, the device manufacturer can securely push the update out centrally to all installed devices, eliminating the need for manual intervention.

In her various stints as a senior security executive at some of the world’s largest technology companies, Snyder has contributed to advances in areas such as secure software development life cycles, memory management, and attack surface reduction.

She sees the technology her company is now bringing to the IoT market as giving resource-strapped device manufacturers a way to integrate baseline security features, such as encrypted communications and memory management capabilities, into their devices. Her hope is that device makers will then use her company’s platform to build on those features going forward.

Thistle’s immediate focus will be on IoT players in key markets such as automotive, power, water, networking, and the industrial sector.

Update mechanisms, when they exist in the IoT space, can be buggy and unreliable, Snyder says. She points to multiple incidents in which a bad update bricked a device or caused other problems. One example: a 2017 incident where a bad firmware update bricked hundreds of smart locks from LockState that Airbnb was using as part of a program for its hosts. There have been other instances where key fobs and even cars have been bricked because of a faulty update, Snyder notes.

“The tolerance for update mechanisms is incredibly low,” Snyder says. “When you have really low tolerance for update failures, you need to have an update mechanism that is highly reliable in addition to being supported.”

Integration With Build Environments

The new Thistle security platform integrates with build environments and provides developers with tools for integrating Thistle’s security features into their devices and for tasks such as signing and processing updates. Thistle’s platform integrates with the open source Yocto build system, which lets developers add features to Linux products relatively quickly. It also integrates with the OpenWrt router operating system and with the U-Boot open source bootloader.

Chris Wysopal, founder and chief technology officer at Veracode and a seed investor in Thistle, says many of the capabilities the company is making available are new to the space, especially among smaller IoT device makers. The technology should help embedded device makers implement a secure-by-design approach in which key security features are integrated into the product.

“Thistle is making it easier for people to incorporate this technology at a price point they can afford,” Wysopal says. “It is changing the market by making security functionality available where it wasn’t before.”

Thistle’s platform launch comes at a time when interest in technologies for securely updating IoT devices appears to be increasing. In recent years, vendors and security researchers have been reporting a growing number of vulnerabilities in IoT products.

A report from Claroty last year showed that in the first half of 2022, IoT vulnerabilities accounted for 15% of all vulnerabilities in the so-called Extended IoT (XIoT), which comprises all connected cyber-physical systems. In the previous six-month period, IoT vulnerabilities accounted for just 9% of all XIoT vulnerabilities.

Pressure Mounts on Device Makers

The trend is significant because organizations across industries such as transportation, telecommunications, and manufacturing are connecting all sorts of embedded devices to their networks to support digital transformation and operational requirements.

“The devices have a unique profile because they are not a general-purpose computer and yet they have a processor, memory, are connected to the network, and a lot of the time are doing something critical,” Wysopal says.

He expects that enterprise organizations are going to increasingly demand better security capabilities from their IoT suppliers. The availability of technologies like Thistle’s is going to make it harder for device manufacturers to explain away their failure to implement fundamental security mechanisms in their products, Wysopal says.

Just this week, the National Institute of Standards and Technology released a new encryption standard for IoT devices, which means enterprise organizations and consumers could soon begin expecting device makers to implement it in their products.

Measures like the Internet of Things Cybersecurity Improvement Act of 2020 are another factor, because they require organizations selling IoT devices to government agencies to ensure minimum security standards for their technologies.

Embedded and IoT device makers are feeling more pressure than before to respond to security threats, Snyder says.

“Customers are also asking better questions, and there have been more and more demonstrations over time that these devices are deeply vulnerable,” she says.
