- Real-time operating systems (RTOS) run billions of devices and are potential targets for hackers because their cyber resilience has been almost impossible to test.
- CEO Jan Wendenburg: “Our new RTOS component analysis and cybersecurity check is a real benefit for every manufacturer in the embedded industry.
DUESSELDORF – Checking firmware images of real-time operating systems (RTOS) for vulnerabilities and malware poses significant problems for conventional security procedures. The Duesseldorf-based cybersecurity company ONEKEY has now developed its Product Cybersecurity & Compliance Platform (OCP) to automate this testing process to a large extent. “From Firmware to Compliance in One Place” is how the company describes its approach to solving a problem that is becoming increasingly urgent in light of stricter cybersecurity legislation, including for embedded systems, and the sharp rise in cyber-attacks.
Real-time operating systems are used in almost every category of device. These include smart home devices such as smart thermostats, smart locks or lighting systems; sensors and actuators, for example in wireless sensor networks to efficiently collect and process data; control units in vehicles for engine, air conditioning or infotainment systems; medical devices such as ECG monitors or infusion pumps; industrial controllers in manufacturing plants or automation systems; networking devices such as routers and switches; and a wide range of consumer electronics, from drone control to electronic toys. The number of devices running RTOS software worldwide is in the billions. “All of these devices are potential targets for hackers. However, their cybersecurity has rarely been tested because it has been difficult to do so. We have now changed that”, said Jan Wendenburg, CEO of ONEKEY, explaining the importance of the new platform feature.
The new security check for real-time operating systems consists of several steps. First, the components of the RTOS firmware are identified. Then the versions and any known and possible unknown vulnerabilities are identified. This works even for monolithic binaries such as FreeRTOS. The next step is to assess the vulnerabilities to identify and eliminate relevant risks in the RTOS. The optional automatic compliance check can identify vulnerabilities in seconds, including for cybersecurity standards such as IEC62443-4-2, EU Cyber Resilience Act and many others. This greatly simplifies audit preparation.
Background
The analysis of real-time operating system (RTOS) firmware images has been severely limited in the past, because they differ significantly from traditional Linux-based firmware. Unlike the latter, which typically consists of separate kernel, library and application logic components, RTOS firmware images are typically single, statically linked binary files. This means that the entire operating system, along with all libraries and application code, is compiled into a single binary file, making it difficult to extract and analyse individual components.
This lack of granularity in RTOS firmware analysis presents several critical challenges:
- Limited analysis capabilities: Previous analysis tools have struggled to identify and extract components due to the monolithic nature of RTOS firmware images. As a result, it has not been possible to gain comprehensive insight into the software stack, open source libraries and potential vulnerabilities of these critical embedded systems.
- Security and compliance risks: Without accurate identification of components and associated vulnerabilities, there is a lack of clarity about potential security risks and compliance issues in the RTOS firmware. This poses a significant risk to the security, reliability and regulatory compliance of embedded systems.
At ONEKEY, the demand for RTOS analysis support has been growing rapidly for some time. This is partly due to the fact that FreeRTOS, one of the most popular open source RTOS variants, is used in a large number of embedded systems. About 40 microcontroller architectures support FreeRTOS, which has been developed over a period of 15 years. According to statistics, it is downloaded every 170 seconds, so it has a very wide global distribution.
“The automated testing of FreeRTOS firmware for vulnerabilities and security holes is a milestone for us and the entire embedded industry,” said Jan Wendenburg. Looking to the future, he said: “We have laid the foundation for future expansion to other RTOS variants. We have achieved our goal of creating a flexible and robust framework that meets the evolving needs of RTOS users in different industries.” In addition to expanding to other RTOS flavours, ONEKEY is also researching advanced analysis techniques to identify zero-day vulnerabilities in real-time operating systems, which the current version cannot yet do.
The new RTOS Component & Cybersecurity Test will be presented for the first time at Embedded World 2025. ONEKEY will be present with its own booth: Hall 5, Booth 5-376.
Find out more about the event on our website: https://www.onekey.com/resource/embeddedworld2025
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of the automated ONEKEY Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.
Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. “Digital Cyber Twins” enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.
The patent-pending, integrated Compliance Wizard™ already covers the EU Cyber Resilience Act (CRA) and requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.
The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.
Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform (OCP) and ONEKEY Cybersecurity Experts.
Weitere Informationen: ONEKEY GmbH,
Sara Fortmann, E-Mail: sara.fortmann@onekey.com,
Kaiserswerther Straße 45, 40477 Düsseldorf, Deutschland,
Web: www.onekey.com
