I’ve discovered a significant vulnerability in the Arm® TrustZone® CryptoCell 310 AES-128 hardware engine within the Nordic Semiconductor nRF52840 SoC, which has been acknowledged in the Nordic Security Advisory SA-2025-380-v1.0. By inducing precisely timed voltage fault injection, I was able to bypass the AES encryption and recover plaintext in ECB, CBC, and CTR modes. This vulnerability exposes sensitive data, making cryptographic methods like key rotation and CBC initialization vectors ineffective. Additionally, observed error byte diffusion under fault conditions could be potentially exploited for Differential Fault Analysis (DFA), particularly in ECB mode.

This is a hardware vulnerability that cannot be patched easily without a redesign of the silicon. However, I proposed several firmware-level countermeasures to mitigate the attack's impact. These techniques, while effective, come with performance trade-offs and should be evaluated based on the specific use case.

The attack was performed using my custom low-cost voltage fault injection tool based on the crowbar technique. As physical access is required for such attacks, minor hardware modifications like capacitor removal are not a significant barrier. Still, I achieved successful results without needing to remove any capacitors, demonstrating the practicality and repeatability of this approach.

Discovery Reported to Nordic Semiconductor ASA on Nov 13, 2024.
Public Disclosure Coordinated with Vendor on Apr 11, 2025.

Full Research: https://lnkd.in/dZuMmp2C
Nordic Security Advisory: SA-2025-380-v1.0 https://lnkd.in/dNCrabzK

Sharing this to inform and support the embedded and hardware security community.

#cybersecurity #infosecurity #hardwaresecurity #penetrationtesting #cyberdefense #cyberattack #redteam #redteaming #vulnerabilities #cryptography #hardwaredesign #hardwareengineering #softwareengineering #iotdevices #iotsecurity #hardware #development #communication #embeddedsystems #embeddedsoftware #iot
Embedded Systems Security
Summary
Embedded systems security refers to protecting specialized hardware and software, like sensors and controllers, from cyber threats, unauthorized access, and manipulation. As many devices in hospitals, factories, vehicles, and smart homes operate on embedded systems, understanding their unique risks is crucial for safeguarding modern technology.
- Prioritize built-in protection: Design firmware and hardware with security in mind from the start, including secure boot processes, encrypted storage, and trusted identity management.
- Assess internal communication: Evaluate and monitor undocumented system buses and device protocols, as these often serve as hidden points of vulnerability.
- Implement layered defenses: Apply network segmentation, behavioral monitoring, and compensating controls around devices that cannot be patched or directly instrumented.
Analysts across Gartner, Forrester, and Frost all highlight the same frontier: Unmanaged, un-agentable, unpatchable legacy and embedded mission-critical devices. These systems now power hospitals, factories, transportation networks, logistics hubs, energy grids, and smart buildings. And they break every assumption that traditional cybersecurity was built on.

You can’t install an agent, can’t run a scanner, can’t take downtime to patch, can’t modify the configuration without operational impact, and you often can’t replace the device, even when it’s vulnerable. This isn’t an edge case anymore. It’s the dominant surface.

Traditional IT security assumes:
→ You own the device
→ You can instrument it
→ You can patch it
→ You can enforce controls
→ You can model its behavior

None of this holds in cyber-physical systems.
↳ Industrial controllers run firmware older than some of the engineers maintaining them.
↳ Medical devices can’t be scanned because they may disrupt patient care.
↳ Building automation systems weren’t designed with authentication in mind.
↳ Robotics and sensors can’t tolerate downtime.
↳ IoT devices run proprietary protocols no EDR understands.

And yet these devices are connected: to your network, your cloud, your authentication systems, and your business processes. This is where attackers are moving their focus.

Modern CPS protection platforms increasingly rely on three capabilities analysts repeatedly emphasize:

1. Passive, protocol-level discovery
Visibility without disruption. Understanding devices based on their behavior.

2. Contextual exposure analysis
→ What is reachable?
→ What is in the attack path?
→ What would cause operational impact?
This is the only way to prioritize unpatchable devices.

3. Compensating controls instead of patching
When patching is impossible, risk reduction happens through: Segmentation, policy enforcement, traffic shaping, identity hardening, control-plane exceptions, behavioral monitoring, and attack-path suppression.

This is where modern architectures are now moving. Across industries, leaders are accepting a new reality: We won’t regain control of these devices. We must build control around them.

That’s why CPS protection platforms now combine: Asset intelligence, network-centric defenses, reachability mapping, risk scoring, MITRE ICS/TTP alignment, operational workflow, integrations with IT security, and AI-based anomaly detection. It’s becoming the backbone of securing the parts of the enterprise you can’t instrument.

The new frontier of security is securing environments built from devices you never truly controlled in the first place.
-
ESP32-based IoT devices are often deployed in physically accessible, network-connected, and long-lived environments. These characteristics make them attractive targets for attackers seeking persistent access, device cloning, or data exfiltration. Unlike traditional IT systems, embedded devices cannot rely on perimeter defenses alone. Security must be built into the firmware, boot process, and hardware configuration from the first instruction executed. This article presents practical, field-tested defense strategies for securing ESP32-based embedded systems using ESP-IDF. The focus is not on abstract security theory, but on concrete mechanisms available in real ESP32 silicon: secure boot, flash encryption, eFuses, TLS, and secure OTA workflows. Each section explains what problem the mechanism solves, why it matters, and how to implement it correctly. #learningbytutorials #esp32 #esp32projects #espidf #embeddedsystems #embeddedprogramming
-
What protects the protector? In modern embedded systems, software alone is insufficient. True trust begins where secrets are securely stored, managed, and executed: inside the Hardware Security Module (HSM).

I recently explored the full ecosystem of HSM Keys, covering topics such as root keys, secure boot, OTA signing, AUTOSAR crypto stacks, device identity, post-quantum readiness, and zero-trust architectures. As vehicles, industrial devices, and IoT systems become increasingly connected, cybersecurity is essential. Every ECU, controller, and smart node now relies on secure key lifecycles, tamper resistance, authenticated updates, and resilient trust chains.

For Automotive Engineers: Think beyond CAN/LIN/Ethernet signals. Security now accompanies every packet, firmware image, and diagnostic session.

For Industrial & IoT Leaders: The next reliability challenge extends beyond uptime; it is digital trust.

Key areas covered in this presentation include:
- Root of Trust & Secure Boot
- HSM Key Types (AES, ECC, KEK, Session, Identity)
- Provisioning & Manufacturing Security
- AUTOSAR Crypto Stack (Csm / CryIf / KeyM)
- OTA Security & Anti-Rollback
- SHE vs HSM vs TPM vs Secure Elements
- Future Trends: PQC, AI Anomaly Detection, Remote Attestation

In the software-defined era, the strongest systems are built on invisible foundations of trust.

#CyberSecurity #EmbeddedSystems #AutomotiveEngineering #HSM #AUTOSAR #SecureBoot #OTA #IoT #ECU #FunctionalSafety #ConnectedVehicles #SoftwareDefinedVehicle #EngineeringLeadership #DigitalTrust
-
A flaw in Infineon’s security microcontrollers made it possible to extract secret keys using a lab setup that cost just $11,000. 📟🔑👊🏻👨💻

A few months ago, security researcher Thomas Roche presented his fundamental research on secure elements used in the YubiKey 5. The security element is the Infineon SLE78, which contains a proprietary implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA). Using side-channel attacks and a great deal of smart research, the author discovered a vulnerability in Infineon Technologies' cryptographic library and, as a result, was able to extract the ECDSA secret key from the secure element. The cost of the setup was €10,000, including the laptop.

Let me quote the author: "...in fact, all Infineon security microcontrollers (including TPMs) that run the Infineon cryptographic library (as far as we know, any existing version) are vulnerable to the attack."

Infineon is one of the most popular manufacturers of secure elements across many industries, including:
🔮 Automotive - used for SecOC and V2X key storage
🔮 Medical - used for secure communication, device pairing, and patient data storage
🔮 OT (Operational Technology) - used to ensure secure data transmission and device authentication
🔮 Avionics - used to ensure firmware integrity, protect IFEC systems, and enable secure communication with ground systems
...and more.

Please stay safe and share this with your peers responsible for security and safety. It's important for them to be informed.

More details: Side-Channel Attack on the YubiKey 5 Series [PDF]: https://lnkd.in/dvPjUV4R

#hacking #embedded #Infineon #ECDSA #TPM #security #safety #cyber #tech #technology #YubiKey #privacy #attack #medical #automotive #avionics #SCADA #IoT
-
Modern rolling stock carries hundreds of sensors, embedded controllers, and connected systems that interact with signaling, passenger Wi-Fi, ticketing, and maintenance networks. This evolution has improved efficiency and passenger comfort, but it has also opened a new cyber battleground. Attacks that were once aimed at back-office IT systems now target train control systems, onboard diagnostics, and even communication protocols like GSM-R and its successor, FRMCS.

The railway sector has already seen wake-up calls. In 2022, a ransomware attack on a regional train operator forced service delays and manual traffic control. In 2024, a vulnerability disclosure showed that insecure firmware updates on onboard controllers could allow remote manipulation of braking systems. These incidents illustrate that railway cybersecurity is no longer hypothetical; it is a real operational risk.

Resilience starts with architecture. Segmenting train networks is critical, separating passenger Wi-Fi and infotainment systems from safety-critical control domains, and isolating signaling communication from external entry points. The IEC 62443 framework provides a strong foundation, defining zones and conduits that restrict access and limit lateral movement. EN 50159 and TS 50701 add railway-specific guidance, covering secure transmission protocols and lifecycle security management tailored to signaling and rolling stock.

Zero Trust principles are increasingly being applied to railway operations, verifying identities and device health before granting access to critical systems. Strong encryption, secure boot, and signed firmware updates are essential to protect embedded devices from tampering. Additionally, the use of intrusion detection tailored to operational technology networks is helping operators detect malicious activity quickly, even in environments where patching cycles are slower due to safety certification constraints.

Another critical layer is supply chain assurance. Rolling stock manufacturers depend on a complex network of component suppliers, and a compromised subsystem can introduce vulnerabilities that bypass perimeter defenses. Security audits, SBOMs (Software Bill of Materials), and contractual security requirements are becoming standard to manage this risk.

Looking forward, the integration of FRMCS, the next-generation mobile communication system for rail, adds both opportunity and complexity. While FRMCS offers stronger encryption and flexible bandwidth, its IP-based architecture increases exposure to internet-style attacks. Proactive measures, like continuous monitoring, red teaming, and vulnerability disclosure programs, will be key to staying ahead.

Railway operators, infrastructure managers, and manufacturers must treat cybersecurity as part of operational safety. The line between digital and physical security has blurred.

#RailwaySecurity #CyberResilience #RollingStock #OTSecurity #IEC62443 #EN50159 #TS50701 #CriticalInfrastructure
-
Monostack vs. Multistack Systems

Memory Usage:
Monostack: Each task, ISR, and exception handler places its stack in the monostack.
Multistack: In a multistack system, each task has its own stack when running.
Comparison: From the above, it is clear that a monostack system requires less SRAM than a multistack system.

Flexibility
Because the monostack must unwind in the same order that it wound, it is not possible to run a task if its stack is not the top stack. This prevents promoting the priority of a task with a buried stack to avoid missing its deadline. Systems that can adapt to changing conditions are likely to be more dependable and more able to withstand cyber attacks than systems that have fixed regimens. Being able to change task priorities to meet changing conditions is an example of this.

Protected Stacks
Security is becoming a mandatory requirement for embedded and IoT devices. In a multistack system each stack can be put into its own MPU region. This takes away two of a hacker’s most used tools: stack overflow and execution of malware from a stack. Since monostacks cannot be protected, they cannot be used in secure systems.

Conclusion
Whereas the monostack approach, coupled with RMA, may be a good solution for low-end embedded and IoT devices, a multistack approach is better for mid-range devices and it is essential for secure systems. SecureSMX uses a multistack approach. To see how one-shot tasks and protected stacks work in a secure environment visit https://lnkd.in/gv-k33DC.

#SecureSMX, #RTOS, #Stacks, #Security, #Tasks
-
If you're a security architect, you see 4 types of requirements:
1. Manufacturing Security
2. Boot Time Security
3. Runtime Security
4. Maintenance/Diagnostic Security

In these 4 stages you have different things to secure for an embedded system.

Manufacturing Security - flashing initial firmware, provisioning keys, possible final calibrations, and then you lock down your system. Programming interfaces are disabled or locked for your product to operate in the field. Firmware configurations may have options no longer supported because manufacturing is over.

Boot Time Security - coordinating secure boot and checking the firmware integrity and authenticity each time you boot.

Runtime Security - secure comms with other devices over network interfaces, intrusion detection algorithms, sending telematic data out, etc.

Maintenance/Diagnostic Security - your product needs to be interacted with for special events. Secure Firmware/Software Updates. A maintenance tech needs to get diagnostic data. The normal operations of the product are altered and privileged actions need to take place after authentication.

As I work as a security architect, the requirements generally fall into these 4 buckets. Anything else you would add?
-
🔐 I Just Hacked a "Secure" Chip With $200 in Equipment 🔐

Last week, I bypassed the security protections on a Microchip SAM4C32 microcontroller using basic equipment and some patience.

Why should you care? This EXACT chip powers millions of smart meters and industrial controls worldwide.

The truly alarming part isn't this specific vulnerability; it's what it represents:
• Companies invest millions in cloud security while physical devices remain dangerously exposed
• Most embedded firmware hasn't been updated since manufacture
• Engineers struggle with impossible security vs. performance tradeoffs on resource-constrained devices

The "security features" I defeated weren't just weak; they were theatrical. A simple voltage glitch during the boot sequence completely bypassed the chip's protection mechanisms. Even more concerning: the chip's reset pin leaked the exact timing information I needed for the attack! 🤯

Three critical lessons for hardware manufacturers:
1️⃣ Security-by-obscurity is a strategy destined to fail
2️⃣ Hardware vulnerabilities often cannot be patched after deployment
3️⃣ Your threat models must include physical access scenarios

This isn't just a technical issue; it's a business risk that crosses industries. When was the last time your company audited the security of the embedded systems in your products?

What embedded security assumptions have you questioned lately?

#EmbeddedSystems #Cybersecurity #HardwareHacking #ReverseEngineering #Microcontrollers #0day #Vulnerability #FaultInjection #ChipWhisperer #SecurityResearch #IoT #SmartMeter