Quectel’s IoT modules are significantly more secure than the industry average, according to independent third-party cybersecurity firm Finite State.

According to a recent Finite State report, nearly 95% of all Quectel modules shipped to the USA since the beginning of 2022 have industry-leading security scores based on penetration testing and binary analysis by Finite State.

The report highlights a notable enhancement in Quectel’s security position, expanding the number of modules tested and with scores across the tested modules improving from an average of 33 to 18, up from an average of 62 to 24 in previous testing. This represents a large improvement, as both the initial and revised scores significantly surpass the industry average of 98 with the lowest (best) score of 10.

Further, the number of and severity of vulnerabilities Finite State did identify in Quectel products or modules are significantly less than the industry standard and revealed a very limited attack surface. The issues Finite State did discover have been remedied by Quectel.

This testing leverages Finite State’s security technologies and expertise to conduct a third-party evaluation of Quectel’s modules. The testing encompasses an array of security assessments designed to fortify Quectel’s modules against the evolving landscape of cyber threats, including binary analysis of numerous Quectel products and both penetration testing and binary analysis of several Quectel cellular modules.

“Entering this next phase of security testing with Finite State underscores our relentless pursuit of the highest security standards for our products,” said Norbert Muhrer, president of Quectel Wireless. “Our continued collaboration is a reflection of our commitment to exceed industry security expectations, ensuring our customers benefit from the most secure and reliable communication modules available, tested and verified by one of the most trusted US cyber-security firms. We’re thrilled that the latest report from Finite State demonstrates our commitment and progress.”

The continued integration of Finite State into Quectel’s transparency and security programme reaffirms Quectel’s commitment to security practices in the IoT and telecommunications sectors. Quectel has made a measurable improvement in key areas such as the security health of the code, the sophistication of the vulnerability management process, and the transparency of its software supply chain.

The programme is designed with three key goals to address the pressing issues in cyber security today:

• Implementing the Finite State platform into Quectel’s dev-sec-ops procedures, which enhances firmware binary analysis, manages vulnerabilities efficiently and offers specific recommendations for remediation.
• Developing and sharing software bill of materials (SBoM) and vulnerability exploitability exchange (VEX) documents for each of Quectel’s products, which promotes a transparent environment and provides critical insights into the software components of Quectel’s devices along with any vulnerabilities they may contain.
• Conducting manual penetration tests by Finite State’s Red Team, which augments automated testing methods and delivers detailed security evaluations for Quectel’s product line.

“Progressing to this next phase of security testing demonstrates Quectel’s commitment to leading the industry with transparent, rigorous cyber-security practices,” said Matt Wyckhouse, CEO of Finite State (finitestate.io). “Quectel’s willingness to subject their products to such rigorous scrutiny is commendable and sets a new industry standard to further safeguard the IoT ecosystem.”

The outcome of this continued engagement is anticipated to enhance the security framework of Quectel’s modules and inspire a shift towards more rigorous security standards across the telecommunications industry. Quectel says it is dedicated to sharing insights and best practices gleaned from this process, contributing to a safer, more secure digital future.

In addition to the activity with Finite State, Quectel is pursuing collaboration with multiple standards-setting organisations to enhance and commit to a more rigorous set of security requirements. This initiative aims to achieve key security certifications from both industry and governmental bodies.

Quectel (www.quectel.com) has a growing global team of 5900 people with regional offices and support across the globe.