New cyber security check for real-time systems (RTOS)

Sara Fortmann
Senior Marketing Manager

  • Real-time operating systems (RTOS) run billions of devices and are potential targets for hackers because their cyber resilience has been almost impossible to test.
  • CEO Jan Wendenburg: "Our new RTOS component analysis and cybersecurity check is a real benefit for every manufacturer in the embedded industry."

Duesseldorf, 18 February 2025 – Checking firmware images of real-time operating systems (RTOS) for vulnerabilities and malware poses considerable problems for conventional security procedures. The Düsseldorf-based cybersecurity company ONEKEY has now developed its Product Cybersecurity & Compliance Platform (OCP) to automate this testing process to a large extent. “From Firmware to Compliance in One Place” is how the company describes its approach to solving a problem that is becoming increasingly urgent in light of stricter cybersecurity legislation, including for embedded systems, and the sharp rise in cyber-attacks.

Real-time operating systems are used in almost every category of device. These include smart home devices such as smart thermostats, smart locks or lighting systems; sensors and actuators, for example in wireless sensor networks to efficiently collect and process data; control units in vehicles for engine, air conditioning or infotainment systems; medical devices such as ECG monitors or infusion pumps; industrial controllers in manufacturing plants or automation systems; networking devices such as routers and switches; and a wide range of consumer electronics, from drone control to electronic toys. The number of devices running RTOS software worldwide is in the billions. “All of these devices are potential targets for hackers. However, their cybersecurity has rarely been tested because it has been difficult to do so. We have now changed that,” said Jan Wendenburg, CEO of ONEKEY, explaining the importance of the new platform feature.

The new security check for real-time operating systems consists of several steps. First, the components of the RTOS firmware are identified. Then the versions and any known and possible unknown vulnerabilities are identified. This works even for monolithic binaries such as FreeRTOS. The next step is to assess the vulnerabilities to identify and eliminate relevant risks in the RTOS. The optional automatic compliance check can identify vulnerabilities in seconds, also for cyber security standards such as IEC 62443-4-2, EU Cyber Resilience Act and many others. This greatly simplifies audit preparation.

Some background

The analysis of real-time operating system (RTOS) firmware images has been severely limited in the past, as they differ significantly from traditional Linux-based firmware. Unlike the latter, which typically consists of separate kernel, library and application logic components, RTOS firmware images are typically single, statically linked binary files. This means that the entire operating system is compiled into a single binary file along with all libraries and application code, making it difficult to extract and analyse individual components.

This lack of granularity in RTOS firmware analysis presents several critical challenges:

1. Limited analysis capabilities: Previous analysis tools have struggled to identify and extract components due to the monolithic nature of RTOS firmware images. As a result, it has not been possible to gain comprehensive insight into the software stack, open source libraries and potential vulnerabilities of these critical embedded systems.

2. Security and compliance risks: Without accurate identification of components and associated vulnerabilities, there is a lack of clarity about potential security risks and compliance issues in the RTOS firmware. This poses a significant risk to the security, reliability and regulatory compliance of embedded systems.

At ONEKEY, the demand for RTOS analysis support has been growing rapidly for some time. This is partly due to the fact that FreeRTOS, one of the most popular open source RTOS variants, is used in a large number of embedded systems. Around 40 microcontroller architectures support FreeRTOS, which has been developed over a period of 15 years. According to statistics, it is downloaded every 170 seconds, so it has a very wide global distribution.

“The automated testing of FreeRTOS firmware for vulnerabilities and security holes is a milestone for us and the entire embedded industry,” said Jan Wendenburg. Looking to the future, he said: “We have laid the foundation for future expansion to other RTOS variants. We have achieved our goal of creating a flexible and robust framework that meets the evolving needs of RTOS users in different industries.” In addition to expanding to other RTOS flavours, ONEKEY is also researching advanced analysis techniques to identify zero-day vulnerabilities in real-time operating systems, which the current version cannot yet do.

The new RTOS Component & Cybersecurity Test will be presented for the first time at Embedded World 2025. ONEKEY will be there with its own booth: Hall 5, Booth 5-376.

Find out more about the event on our website: https://www.onekey.com/resource/embeddedworld2025

About Onekey

ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of the automated ONEKEY Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

CONTACT:
Sara Fortmann

Senior Marketing Manager
sara.fortmann@onekey.com

euromarcom public relations GmbH
team@euromarcom.de
