Attacks on Embedded Devices Are Too Easy

Episode 61: Better Built By Burkhard

Dear Reader,

My highlight from last month was the live discussion with Jon Oster, the security expert at Toradex, about the EU Cyber Resilience Act (CRA). You can find the recording on the Torizon website.

I think we drove one point home. The most important feature for complying with the EU CRA is a reliable, secure OTA update. Even without the EU CRA, reliable OTA updates happen to be the one thing that must work when you first release embedded devices. They enable you to add the real features one by one later. If you break this rule, you might end up like VW: VW had to update roughly 30,000 ID.3 cars - manually!

Toradex offers an end-to-end solution for secure OTA updates. They achieve automotive-grade security with the Uptane framework. Jon showed a slide comparing Uptane’s threat model with that of other OTA update solutions. Unsurprisingly, Uptane is the clear winner, as it addresses threats (potential attacks) that other solutions don’t even have on their radar.

We didn’t even mention another extremely useful feature of Uptane: management of the private keys for signing the U-Boot, Linux kernel, rootfs and container images during the build. Uptane offers a way to keep the private keys totally offline in a hardware security module (HSM). Yashovardhan Bapat, a Toradex intern working in Jon’s team, has written an excellent article about this topic.

I would have loved to have Yashovardhan’s article at my disposal last year, when I implemented a makeshift solution (basically, an encrypted USB drive containing the private keys) for a customer. Managing private keys is a tricky and often overlooked feature, which takes time to implement properly.

I freely admit that I called Toradex’s use of Uptane “over-engineering” for many embedded devices in one or maybe two meetings with Jon. The more I learn about Uptane and security, the more appealing I find Uptane. It becomes even more appealing, as you essentially pay a little bit more per Toradex SoM but get secure OTA updates with Uptane in return. In contrast, you must implement secure OTA updates for the SoMs from other providers on your own or hire experts. From my own experience, I can tell you that such an implementation can easily take 3-6 months - if you roughly know what you are doing.

We touched briefly on the question of when the support period for a product starts according to the EU CRA. Jon corrected my slightly confused understanding and pointed to the definition of placing a product on the market in The ‘Blue Guide’ on the implementation of EU product rules 2022 (section 2.3). The support period starts when the ownership of an individual product is transferred from one legal or natural person to another for the first time. The new owner must be based in the EU. Ownership transfer can happen, for example, by buying, renting, subscribing, donating or giving as a gift.

Let me clarify the term placing a product on the market with an example. Tomra - a company from Norway, which is not in the EU - sells its reverse vending machines (RVM) to many REWE supermarkets in Germany. Once a supermarket pays for an RVM and becomes the new owner, the support period starts for this individual RVM. If a supermarket buys one RVM on 16 June 2025 and a second RVM on 21 May 2026, the support period for the first RVM starts on 16 June 2025 and the support period for the second RVM starts on 21 May 2026. The support period works similarly to the warranty period.

One participant made a comment to this effect: Many service providers try to scare the bejesus out of product companies with the EU CRA to make higher profits. Unfortunately, there are always companies using FUD (fear, uncertainty and doubt) to make a quick buck. However, I am also aware of the many machines and devices on the market with glaring security holes. Even the security-conscious automotive industry makes attacks on cars far too easy, as the two examples below of the Subaru hack and the keyless car theft show. The damages are real, high and likely. You should, indeed, be a bit scared and use this as the motivation to make the life of the bad guys a bit more difficult.

Enjoy reading,
Burkhard 💜
