Cryptotronix Podcast

By Cryptotronix

Embedded device security news, design best practices, failures, and more with host Josh Datko from Cryptotronix.

Ep:1.11 How to handle time on embedded systems

How to securely handle time on embedded systems? Do you trust your time or not? What should you do if the certificate expires? Where do you sync your time from? These are all questions that routinely come up during the design of an embedded system, and they often have very real security impacts. I talk about how to think about these questions and why, to a certain degree, they are the wrong questions to ask.

Also, I show a fun demo of receiving the new time format from WWVB using the Everset ES100 receiver to pull the 60 kHz BPSK signal from the air.

Jul 08, 2022 (09:59)
Ep:1.10 What is DICE (Device Identifier Composition Engine)?

In this episode, I introduce the DICE (Device Identifier Composition Engine). I mention the motivation for the Trusted Computing Group (TCG) to make this standard and why it's specifically tailored for embedded devices like MCUs and smaller controllers.

Then I give a quick overview of the hardware requirements for DICE, and it's refreshingly simple, although I do have some questions about how this is implemented (remember: attack the implementation, not the standard). The DICE core has a nice similarity to the PCR feature of the TPM.

Then I talk about where this episode series is going and how you can play along!

https://trustedcomputinggroup.org/wp-content/uploads/Hardware-Requirements-for-Device-Identifier-Composition-Engine-r78_For-Publication.pdf

Jun 23, 2022 (09:51)
Ep:1.09 Hardware hacking does not always go according to plan

Sometimes hardware hacking doesn't always go according to plan and you end up destroying the target. It happens. In this episode, I get a pair of connected shoes to remove the tracker and things start to go wrong.

Jun 16, 2022 (09:43)
Ep:1.08 ATECC608 on the SAMA7G Eval Kit

In this episode I talk about the ATECC608 that's on the SAMA7G Eval Kit and why, even though the SAMA7 includes TrustZone, you would want an external IC. I then talk about how we included some nice ATECC608 Python support in Spearf1sh (the embedded Linux distro) to let you hack on this more easily.

Jun 12, 2022 (09:46)
Ep:1.07 Spearf1sh on the Microchip SAMA7G5

There's a new Linux SoC by Microchip, the SAMA7G5! It's a single-core, low-power ARM Cortex-A7 with some nice security features. Because of the nice Linux4SAM project, I was able to port Spearf1sh, our embedded hacking Linux distro, onto it pretty quickly!

https://www.microchip.com/en-us/product/sama7g54

https://github.com/advancedsecio/spearf1sh

Jun 08, 2022 (08:42)
Ep: 1:06 A quick intro to fs-verity for use in embedded Linux

Embedded Linux devices are generally lacking in security, but especially file system security. While I'm seeing the ship start to turn with respect to secure boot, there is still a wide lack of file system prevention and monitoring security. 

In this episode, I describe and provide a quick demo of fs-verity, a new-ish addition that allows protection similar to dm-verity, but on a file system level. What's dm-verity, you ask? Well, I go into that too.

The demo is using our spearf1sh OS -- a #buildroot based hacking platform that we are getting closer to releasing. This board also has a Microchip ATECC608A on a Pmod, which could be used to sign the fs-verity measurements.

May 04, 2022 (09:55)
Ep: 1.05 How a text file will help your security program

RFC 9116 was recently published and it describes a simple concept: listing your security contact details in a simple text file. While this concept has been floating around for a while, it is now an official RFC. Companies that adopt this concept will hopefully have a much easier time receiving vulnerability disclosures from researchers, since the file clearly identifies how researchers should contact them.

Apr 29, 2022 (07:31)
Ep:1.04 How to increase your revenue with more security

Security is typically thought of as a cost center -- something you have to do, but are probably not very excited to do. But what if, by actually building a decently secure device, you could enable additional revenue streams for your business? I discuss some proven models on how to do just that in this podcast.

Apr 19, 2022 (09:57)
Ep:1.3 New UK Device Cybersecurity Law

The UK is proposing a Product Security and Telecommunications Infrastructure Bill that has _international_ ramifications and impacts not only device OEMs, but importers and distributors!

Let's take a look at the proposed legislation and discuss why what they are proposing are activities you should already be doing.

Apr 18, 2022 (09:06)
Ep:1.2 Mistakes in Custom Embedded Protocols

I have audited a few custom protocols, as nearly every embedded project decides to implement them, and nearly every one has had a security issue. In this video I discuss the top three issues I've seen.

Apr 18, 2022 (09:53)
Infosec's Midlife Crisis

Using the latest issue of IEEE Security & Privacy as a front to discuss this topic, I talk about the different focus areas of information security. Then, I question whether we are doing any good or making any progress as an industry.

Best watched when you are in the mood to question your life decisions.

Apr 18, 2022 (09:12)