#008: Navigating the Changing IoT Security Landscape: A Survival Guide for Product Leaders

https://is1-ssl.mzstatic.com/image/thumb/Podcasts221/v4/01/70/bb/0170bbb0-9264-d141-bf56-c375c8195774/mza_14067636312550255.jpg/600x600bb.jpg

Coredump Sessions

Memfault

18 episodes

6 days ago

Coredump Sessions is a podcast for embedded engineers and product teams building connected devices. Hosted by the team at Memfault, each episode features real-world stories and technical deep dives with experts across the embedded systems space. From Bluetooth pioneers and OTA infrastructure veterans to the engineers who built Pebble, we explore the tools, techniques, and tradeoffs that power reliable, scalable devices. If you're building or debugging hardware, this is your go-to for embedded insights.

Technology

RSS

All content for Coredump Sessions is the property of Memfault and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.

Technology

https://d3t3ozftmdmh3i.cloudfront.net/staging/podcast_uploaded_nologo/43339182/43339182-1744206360534-53342e1aed2db.jpg

#008: Navigating the Changing IoT Security Landscape: A Survival Guide for Product Leaders

Coredump Sessions

58 minutes 4 seconds

5 months ago

#008: Navigating the Changing IoT Security Landscape: A Survival Guide for Product Leaders

In today's Coredump Session, we dive into the evolving landscape of IoT security regulations with Giovanni Alberto Falcione, CTO at Exine. From the impact of the EU's CRA to the complexities of OTA updates, Giovanni, François, and Thomas unpack what these new requirements mean for product engineers and how to navigate the increasingly stringent security landscape.

Speakers:

François Baldassari: CEO & Founder, Memfault
Thomas Sarlandie: Field CTO, Memfault
Giovanni Alberto Falcione: CTO, Exein

Key Takeaways:

The EU's Cyber Resilience Act (CRA) mandates stringent security measures for all connected devices marketed after December 2027, with a particular focus on runtime security monitoring.
OTA updates are essential for mitigating vulnerabilities in the field but can also introduce challenges in regulatory compliance.
Giovanni highlights that less than 1% of IoT device manufacturers actively monitor cybersecurity state awareness, a critical area of compliance under CRA.
Implementing a Software Bill of Materials (SBOM) and tracking Common Vulnerabilities and Exposures (CVEs) are low-hanging fruit for product teams to start bolstering security.
eBPF technology offers powerful, low-impact monitoring capabilities that can detect unauthorized activities at the syscall level without kernel-level intervention.
Companies need to plan for at least five years of security updates under CRA, with potential for longer support based on device lifecycles.
Even seemingly innocuous devices, like coffee makers, can pose significant cybersecurity risks as entry points for broader attacks.
Giovanni emphasizes that while regulation can stifle innovation, it also raises the bar for security practices across the board.

Chapters:

00:00 Introduction and Guest Introduction02:30 The Unseen Costs of Cybersecurity Regulation04:40 OTA Updates: Security Savior or Hidden Risk07:21 CRA vs. Other Regulations: What Matters Most10:30 The Rise of Runtime Security Monitoring12:23 Why Manufacturers Are Freaking Out About CRA15:09 The Hidden Cost of Legacy Firmware17:30 Inside the Automotive Cybersecurity Playbook21:22 eBPF: The Next Frontier in IoT Security55:38 Coffee Machines, Coffee Attacks, and Unexpected Entry Points

⁠⁠Join the Interrupt Slack

Watch this episode on YouTube ⁠⁠

Follow Memfault

Other ways to listen:

⁠⁠Visit our website