In today's Coredump Session, Memfault’s François Baldassari and Chris Coleman unpack the sweeping impact of new IoT security regulations like the CRA and the Cyber Trust Mark. From shocking real-world exploits to smart compliance strategies, they explore what these changes mean for hardware teams and the future of connected devices. If you ship firmware or build IoT products, this one’s essential listening.

Key takeaways:

• IoT security is no longer optional—new regulations like the CRA and Cyber Trust Mark make it mandatory.
• Most connected devices today are still dangerously undersecured, with outdated stacks and poor OTA support.
• Open source platforms like Zephyr can make compliance easier by pooling security resources across companies.
• OTA (over-the-air) updates are now a requirement in both US and EU regulations.
• The CRA introduces SBOM (Software Bill of Materials) requirements to track vulnerabilities in dependencies.
• Observability, encryption, and secure boot need to be built in from the start—not as last-minute add-ons.
• Compliance will vary based on device criticality, but self-certification will be the norm for most companies.
• Ignoring security costs more in the long run—both in reputation and risk.

Chapters:

00:00 Episode Teasers & Intro

01:03 Meet the Hosts: François and Chris from Memfault

03:40 Why IoT Security Is Still So Behind

07:15 Vulnerabilities, Legacy Chips, and Who’s to Blame

10:12 Wireless Protocols: Still a Huge Attack Surface

13:28 If You Ship Without OTA, You're Asking for Trouble

20:50 Introducing the CRA and Cyber Trust Mark

23:38 What the CRA Actually Requires

31:45 Reconciling Security Monitoring with GDPR

34:07 Cyber Trust Mark vs CRA: US vs EU Approaches

41:05 What You Can Do Today to Prepare

46:33 How Long Do You Have to Support a Device?

52:19 Attack Surfaces: Even a Projector Isn't Safe

56:06 Lifecycle Support and Product Lifespan Realities

58:51 Observability in Low-Resource Devices

1:00:34 Connected Architectures & Multichip Compliance

1:01:43 IoT Devices with Limited Bandwidth & OTA Constraints

Join the Interrupt Slack

⁠⁠⁠⁠Watch this episode on YouTube

Suggest a Guest

Follow Memfault

• ⁠⁠LinkedIn⁠⁠
• ⁠⁠Bluesky⁠⁠
• ⁠⁠Twitter⁠⁠

Other ways to listen:

⁠⁠Apple Podcasts

iHeartRadio⁠⁠

⁠⁠Amazon Music

GoodPods

Castbox

⁠⁠

⁠⁠.css-j9qmi7{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-flex-direction:row;-ms-flex-direction:row;flex-direction:row;font-weight:700;margin-bottom:1rem;margin-top:2.8rem;width:100%;-webkit-box-pack:start;-ms-flex-pack:start;-webkit-justify-content:start;justify-content:start;padding-left:5rem;}@media only screen and (max-width: 599px){.css-j9qmi7{padding-left:0;-webkit-box-pack:center;-ms-flex-pack:center;-webkit-justify-content:center;justify-content:center;}}.css-j9qmi7 svg{fill:#27292D;}.css-j9qmi7 .eagfbvw0{-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;color:#27292D;}