Quectel engaged Finite State, a third-party expert security firm focused on managing software supply chain risk for the enterprise, to rigorously test Quectel’s IoT modules to demonstrate Quectel’s commitment to transparent, verifiable product security.
The first progress report released to Quectel concludes that its modules’ security score, as reflected in Finite State’s risk profiling, started strong when testing began earlier this year and got stronger rapidly as Quectel implemented Finite State’s recommendations. The score improved across the modules tested from an average of 62 to 24 with the highest possible score being 10. The report underlines that this is a significant improvement in Quectel’s security posture with both the initial and current scores far exceeding the industry average score of 98.
“Quectel has embraced security and transparency holistically, in a way that we rarely see from other organizations. Their commitment to make SBOMs and VEX reports available to their customers will make the IoT industry more secure and transparent,” said Matt Wyckhouse, CEO of Finite State. “They have built upon their existing security testing processes by integrating even deeper testing into their first- and third-party code, and they’ve responded to findings in their development process faster than others in their industry, resulting in risk metrics that place them in the top 10% of all connected products we’ve analyzed,” Matt Wyckhouse continued.
Finite State focused its initial penetration testing and analysis on the most critical Quectel cellular modules sold in the U.S. The platforms verified by Finite State represent approximately 70 percent of all North American IoT modules shipped within the last 18 months.
“Quectel plans to continue this third-party penetration testing and security verification for all of its most critical modules and to make it an ongoing and life-cycle process. We also encourage and assist our device original equipment manufacturer (OEM) customers to do their own third-party testing,” said Norbert Muhrer, president and CSO of Quectel. “These results will guide Quectel as we continue to enhance our cybersecurity implementation on our products. We encourage our competitors to follow us on their own in such an approach to make the IoT industry the safe and trusted place our customers expect it to be.”
In addition to penetration testing of its key modules, Quectel announced the release of Software Bill of Materials (SBOM) and Vulnerability Exploitability Exchange (VEX) documents for its IoT modules. As an industry-first among IoT module manufacturers, these resources will be made available through the Quectel website. The SBOM and VEX documents will assist customers in this crucial task by providing machine-readable, comprehensive data. The SBOM documents will detail the software components and dependencies within each IoT module, along with licensing and provenance information. The VEX files will provide updated data on the vulnerabilities identified and their status.
Providing SBOM and VEX documents has a cascading effect on the entire IoT ecosystem. As a module provider, Quectel is integral to the architecture of numerous IoT devices. The transparency and commitment to security will benefit all IoT products built on Quectel’s platforms.
“Our commitment to being both secure and transparent sets us apart,” Muhrer said. “By making this information readily accessible, we aim to empower our customers to make better-informed decisions about security risk assessment and patching prioritization and provide full transparency around our security posture. We are offering a full toolbox of security-related measures and consulting to our customers to implement secure devices. Quectel is also collaborating with standards-setting bodies to help develop and then commit to achieving a stringent set of security requirements, including attainment of several key industry and government security certifications,” Mr. Muhrer added.
Separately, Quectel reiterated that its modules maintain the highest standards of data protection and security. “Quectel customers own and control all of the data collected by its modules. Quectel has no access to any of the device data,” said Peter Fowler, senior vice president, North America, Quectel. “Quectel is committed to delivering high-quality, best-in-class, secure IoT modules and goes above and beyond industry standard practices by conducting independent third-party cyber security audits.”
Quectel retained Finite State in May 2023 to audit and penetration-test the security of its modules. Its ongoing work includes rigorous security testing, improved software supply chain visibility, and comprehensive software risk management.
Quectel’s passion for a smarter world drives us to accelerate IoT innovation. A highly customer-centric organization, we are a global IoT solutions provider backed by outstanding support and services. Our growing global team of 5900 professionals sets the pace for innovation in cellular, GNSS, Wi-Fi and Bluetooth modules as well as antennas and services.
With regional offices and support across the globe, our international leadership is devoted to advancing IoT and helping build a smarter world.
View source version on businesswire.com: https://www.businesswire.com/news/home/20230926898165/en/