Cryptotronix Podcast
By Cryptotronix
Cryptotronix PodcastJun 08, 2022
Ep:1.11 How to handle time on embedded systems
How to securely handle time on embedded systems? Do you trust your time or not? What should you do if the certificate expires? Where do you sync your time from? These are all questions that routinely come up during the design of an embedded system and they often have very real security impacts. I talk about how to think about these questions and why, to a certain degree, they are the wrong question to ask.
Also, I show a fun demo of receiving the new time format from WWVB using the Everset ES100 receiver to pull the 60kHz BPSK signal from the air.
Ep:1.10 What is DICE (Device Identifier Composition Engine)?
In this episode, I introduce the DICE (Device Identifier Composition Engine). I mentioned the motivation for the Trusted Computing Group (TCG) to make this standard and why its specifically tailored for embedded devices like MCUs and smaller controllers.
Then I give a quick overview of the hardware requirements for DICE and its refreshingly simple, although I do have some questions of how this is implemented (remember attack the implementation, not the standard). The DICE core has a nice similarity to the PCR feature of the TPM.
Then I talk about where this episode series is going and how you can play along!
https://trustedcomputinggroup.org/wp-content/uploads/Hardware-Requirements-for-Device-Identifier-Composition-Engine-r78_For-Publication.pdf
Ep:1.09 Hardware hacking does not always go according to plan
Sometimes hardware hacking doesn't always go according to plan and you end up destroying the target. It happens. In this episode, I get a pair of connected shoes to remove the tracker and things start to go wrong.
Ep:1.08 ATECC608 on the SAMA7G Eval Kit
In this episode I talk about the ATECC608 that's on the SAMA7G Eval Kit and why, even though the SAMA7 includes TrustZone, you would want an external IC. I think talk about how we included some nice ATECC608 python support in Spearf1sh (the embedded Linux distro) to let you hack on this more easily.
Ep:1.07 Spearf1sh on the Microchip SAMA7G5
There's a new Linux SoC by Microchip, the SAMA7G5! It's a single-core, low power, ARM Cortex-A7 with some nice security features. Because of the nice Linux4SAM project, I was able to port Spearf1sh, our embedded hacking Linux distro onto it pretty quickly!
https://www.microchip.com/en-us/product/sama7g54
https://github.com/advancedsecio/spearf1sh
Ep: 1:06 A quick intro to fs-verity for use in embedded Linux
Embedded Linux devices are generally lacking in security, but especially file system security. While I'm seeing the ship start to turn with respect to secure boot, there is still a wide lack of file system prevention and monitoring security.
In this episode, I describe and provide a quick demo on fs-verity, a new-ish addition that allows similar protection from dm-verity, but on a file system level. What's dm-verity you ask? Well, I go into that too.
The demo is using our spearf1sh OS -- a #buildroot based hacking platform that we are getting closer to releasing. This board also has a Microchip ATECC608A on a Pmod, which could be used to sign the fs-verity measurements.
Ep: 1.05 How a text file will help your security program
RFC 9116 was recently RFC'd and it describes a simple concept: listing your security contact details in a simple text file. While this concept has been floating around for a while, it is now an official RFC. Companies that adopt this concept will hopefully have a much easier time receiving vulnerability disclosures from researchers since it clearly identifies how companies should contact them.
Ep:1.04 How to increase your revenue with more security
Security is typically thought of as a cost center -- something you have to do, but are probably not very excited to do. But what if, by actually building a decently secure device, you could enable additional revenue streams for your business? I discuss some proven models on how to do just that in this podcast.
Ep:1.3 New UK Device Cybersecurity Law
The UK is proposing a Product Security and Telecommunications Infrastructure Bill that has _international_ ramifications and impacts not only devices OEMs, but importers and distributors!
Let's take a look at the proposed legislation and discuss why what they are proposing are activities you should be already doing.
Ep:1.2 Mistakes in Custom Embedded Protocols
Having audited a few custom protocols, as nearly every embedded project decides to implement them, nearly every one has had a security issue. In this video I discuss the top three issues I’ve seen.
Infosec's Midlife Crisis
Using the latest issue of IEEE Security & Privacy as a front to discuss this topic, I talked about the different focus areas of information security. Then, I question whether we are doing any good or making any progress as an industry.
Best watched when you are in the mood to question your life decisions.