Sign up to save your podcasts
Or
Share #000: How New IoT Security Regulations Will Shape the Industry's Future
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
#000: How New IoT Security Regulations Will Shape the Industry's Future
In today's Coredump Session, Memfault’s François Baldassari and Chris Coleman unpack the sweeping impact of new IoT security regulations like the CRA and the Cyber Trust Mark. From shocking real-world exploits to smart compliance strategies, they explore what these changes mean for hardware teams and the future of connected devices. If you ship firmware or build IoT products, this one’s essential listening.
Key takeaways:
- IoT security is no longer optional—new regulations like the CRA and Cyber Trust Mark make it mandatory.
- Most connected devices today are still dangerously undersecured, with outdated stacks and poor OTA support.
- Open source platforms like Zephyr can make compliance easier by pooling security resources across companies.
- OTA (over-the-air) updates are now a requirement in both US and EU regulations.
- The CRA introduces SBOM (Software Bill of Materials) requirements to track vulnerabilities in dependencies.
- Observability, encryption, and secure boot need to be built in from the start—not as last-minute add-ons.
- Compliance will vary based on device criticality, but self-certification will be the norm for most companies.
- Ignoring security costs more in the long run—both in reputation and risk.
Chapters:
00:00 Episode Teasers & Intro
01:03 Meet the Hosts: François and Chris from Memfault
03:40 Why IoT Security Is Still So Behind
07:15 Vulnerabilities, Legacy Chips, and Who’s to Blame
10:12 Wireless Protocols: Still a Huge Attack Surface
13:28 If You Ship Without OTA, You're Asking for Trouble
20:50 Introducing the CRA and Cyber Trust Mark
23:38 What the CRA Actually Requires
31:45 Reconciling Security Monitoring with GDPR
34:07 Cyber Trust Mark vs CRA: US vs EU Approaches
41:05 What You Can Do Today to Prepare
46:33 How Long Do You Have to Support a Device?
52:19 Attack Surfaces: Even a Projector Isn't Safe
56:06 Lifecycle Support and Product Lifespan Realities
58:51 Observability in Low-Resource Devices
1:00:34 Connected Architectures & Multichip Compliance
1:01:43 IoT Devices with Limited Bandwidth & OTA Constraints
Join the Interrupt Slack
Watch this episode on YouTube
Follow Memfault
- LinkedIn
- Bluesky
- Twitter
Other ways to listen:
Apple Podcasts
iHeartRadio
Amazon Music
GoodPods
Castbox
Visit our website
View all episodes
By MemfaultIn today's Coredump Session, Memfault’s François Baldassari and Chris Coleman unpack the sweeping impact of new IoT security regulations like the CRA and the Cyber Trust Mark. From shocking real-world exploits to smart compliance strategies, they explore what these changes mean for hardware teams and the future of connected devices. If you ship firmware or build IoT products, this one’s essential listening.
Key takeaways:
- IoT security is no longer optional—new regulations like the CRA and Cyber Trust Mark make it mandatory.
- Most connected devices today are still dangerously undersecured, with outdated stacks and poor OTA support.
- Open source platforms like Zephyr can make compliance easier by pooling security resources across companies.
- OTA (over-the-air) updates are now a requirement in both US and EU regulations.
- The CRA introduces SBOM (Software Bill of Materials) requirements to track vulnerabilities in dependencies.
- Observability, encryption, and secure boot need to be built in from the start—not as last-minute add-ons.
- Compliance will vary based on device criticality, but self-certification will be the norm for most companies.
- Ignoring security costs more in the long run—both in reputation and risk.
Chapters:
00:00 Episode Teasers & Intro
01:03 Meet the Hosts: François and Chris from Memfault
03:40 Why IoT Security Is Still So Behind
07:15 Vulnerabilities, Legacy Chips, and Who’s to Blame
10:12 Wireless Protocols: Still a Huge Attack Surface
13:28 If You Ship Without OTA, You're Asking for Trouble
20:50 Introducing the CRA and Cyber Trust Mark
23:38 What the CRA Actually Requires
31:45 Reconciling Security Monitoring with GDPR
34:07 Cyber Trust Mark vs CRA: US vs EU Approaches
41:05 What You Can Do Today to Prepare
46:33 How Long Do You Have to Support a Device?
52:19 Attack Surfaces: Even a Projector Isn't Safe
56:06 Lifecycle Support and Product Lifespan Realities
58:51 Observability in Low-Resource Devices
1:00:34 Connected Architectures & Multichip Compliance
1:01:43 IoT Devices with Limited Bandwidth & OTA Constraints
Join the Interrupt Slack
Watch this episode on YouTube
Follow Memfault
- LinkedIn
- Bluesky
- Twitter
Other ways to listen:
Apple Podcasts
iHeartRadio
Amazon Music
GoodPods
Castbox
Visit our website