
#008: Navigating the Changing IoT Security Landscape: A Survival Guide for Product Leaders
05/13/25 • 58 min
In today's Coredump Session, we dive into the evolving landscape of IoT security regulations with Giovanni Alberto Falcione, CTO at Exein. From the impact of the EU's CRA to the complexities of OTA updates, Giovanni, François, and Thomas unpack what these new requirements mean for product engineers and how to navigate the increasingly stringent security landscape.
Speakers:
- François Baldassari: CEO & Founder, Memfault
- Thomas Sarlandie: Field CTO, Memfault
- Giovanni Alberto Falcione: CTO, Exein
Key Takeaways:
- The EU's Cyber Resilience Act (CRA) mandates stringent security measures for all connected devices marketed after December 2027, with a particular focus on runtime security monitoring.
- OTA updates are essential for mitigating vulnerabilities in the field but can also introduce challenges in regulatory compliance.
- Giovanni highlights that less than 1% of IoT device manufacturers actively maintain awareness of the cybersecurity state of their devices in the field, a critical area of compliance under CRA.
- Implementing a Software Bill of Materials (SBOM) and tracking Common Vulnerabilities and Exposures (CVEs) are low-hanging fruit for product teams to start bolstering security.
- eBPF technology offers powerful, low-impact monitoring capabilities that can detect unauthorized activities at the syscall level without modifying the kernel or loading a custom kernel module.
- Companies need to plan for at least five years of security updates under CRA, with potential for longer support based on device lifecycles.
- Even seemingly innocuous devices, like coffee makers, can pose significant cybersecurity risks as entry points for broader attacks.
- Giovanni emphasizes that while regulation can stifle innovation, it also raises the bar for security practices across the board.
Chapters:
00:00 Introduction and Guest Introduction
02:30 The Unseen Costs of Cybersecurity Regulation
04:40 OTA Updates: Security Savior or Hidden Risk
07:21 CRA vs. Other Regulations: What Matters Most
10:30 The Rise of Runtime Security Monitoring
12:23 Why Manufacturers Are Freaking Out About CRA
15:09 The Hidden Cost of Legacy Firmware
17:30 Inside the Automotive Cybersecurity Playbook
21:22 eBPF: The Next Frontier in IoT Security
55:38 Coffee Machines, Coffee Attacks, and Unexpected Entry Points
Previous Episode

#007: AI, Open Source, and the Future of Embedded Development: How Much Code Will We Actually Write?
In today's Coredump Session, we dive into a wide-ranging conversation about the intersection of AI, open source, and embedded systems with the teams from Memfault and Golioth. From the evolution of AI at the edge to the emerging role of large language models (LLMs) in firmware development, the panel explores where innovation is happening today — and where expectations still outpace reality. Listen in as they untangle the practical, the possible, and the hype shaping the future of IoT devices.
Speakers:
- François Baldassari: CEO & Founder, Memfault
- Thomas Sarlandie: Field CTO, Memfault
- Jonathan Beri: CEO & Founder, Golioth
- Dan Mangum: CTO, Golioth
Key Takeaways:
- AI has been quietly powering embedded devices for years, especially in edge applications like voice recognition and computer vision.
- The biggest gains in IoT today often come from cloud-based AI analytics, not necessarily from AI models running directly on devices.
- LLMs are reshaping firmware development workflows but are not yet widely adopted for production-grade embedded codebases.
- Use cases like audio and video processing have seen the fastest real-world adoption of AI at the edge.
- Caution is warranted when integrating AI into safety-critical systems, where determinism is crucial.
- Cloud-to-device AI models are becoming the go-to for fleet operations, anomaly detection, and predictive maintenance.
- Many promising LLM-based consumer products struggle because hardware constraints and cloud dependence create friction.
- The future of embedded AI may lie in hybrid architectures that balance on-device intelligence with cloud support.
Chapters:
00:00 Episode Teasers & Welcome
01:10 Meet the Panel: Memfault x Golioth
02:56 Why AI at the Edge Isn’t Actually New
05:33 The Real Use Cases for AI in Embedded Devices
08:07 How Much Chaos Are You Willing to Introduce?
11:19 Edge AI vs. Cloud AI: Where It’s Working Today
13:50 LLMs in Embedded: Promise vs. Reality
17:16 Why Hardware Can’t Keep Up with AI’s Pace
20:15 Building Unique Models When Public Datasets Fail
36:14 Open Source’s Big Moment (and What Comes Next)
42:49 Will AI Kill Open Source Contributions?
49:30 How AI Could Change Software Supply Chains
52:24 How to Stay Relevant as an Engineer in the AI Era
Next Episode

#009: Zephyr’s Meteoric Rise and What It Means for the Future of Embedded
In today’s Coredump Session, we dive into the origins and evolution of Zephyr RTOS with Kate Stewart, VP of Dependable Embedded Systems at the Linux Foundation. From Intel’s early ambitions to a thriving global community, Kate unpacks how Zephyr grew into a leading open-source RTOS and what makes it uniquely resilient and developer-friendly. This conversation also explores the technical shifts shaping embedded development and how governance, safety, and collaboration continue to steer Zephyr’s trajectory.
Speakers:
- Kate Stewart: Vice President of Dependable Embedded Systems, The Linux Foundation
- François Baldassari: CEO & Founder, Memfault
- Thomas Sarlandie: Field CTO, Memfault
Key Takeaways:
- Zephyr was born from Intel’s desire for a scalable, secure, and open RTOS, evolving from Wind River roots.
- Early adoption of Linux-inspired practices, like Kconfig and "signed-off-by" contributions, lowered friction and encouraged community participation.
- The project’s governance model, emphasizing multi-vendor participation and elected leadership, prevents corporate capture and boosts resilience.
- Zephyr’s pragmatic reuse of tools like MCUboot accelerated development and expanded capabilities.
- Long-term support (LTS) releases—now extended to five years—make Zephyr production-friendly and aligned with regulatory demands like the CRA.
- Innovations like the Twister test framework and open testing infrastructure set Zephyr apart for visibility and maintainability.
- Zephyr thrives as complexity in embedded systems increases, filling the gap left by simpler RTOSes ill-suited for modern MCU workloads.
- Not every project is a fit for Zephyr—especially ultra-low-end 8-bit systems—but it excels in growing, connected device classes.
Chapters:
00:00 Introduction and Guest Introduction
04:12 Building Zephyr: Intel’s Open RTOS Bet
06:39 Governance That Guards Against Capture
08:10 Borrowing From Linux, Avoiding Its Baggage
09:41 What Makes Zephyr Different
13:55 Zephyr in Production: LTS and Real-World Adoption
16:15 Scaling with Twister and QEMU
18:15 Taming Complexity Without Losing Performance
35:45 SBOMs and the Future of Compliance
38:20 A Head Start on Security Standards
43:02 Inside Zephyr's Safety Certification Journey
46:44 Real-World Use Cases and Industry Uptake
50:25 What's Next for Zephyr and the RTOS Landscape
53:12 Final Reflections and Closing Thoughts