Helping Engineering Teams Tackle Security Debt in Embedded Systems: U-Boot Configuration Auditing Introduced in Depthcharge v0.2.0

Depthcharge v0.2.0 is now available on GitHub and PyPi. This release introduces new “configuration checker” functionality and includes some major updates intended to improve usability. A tl;dr summary can be found in the CHANGELOG file. This blog post dives a bit more into the motivations for the changes, envisioned use-cases, and how this update fits … Continue reading Helping Engineering Teams Tackle Security Debt in Embedded Systems: U-Boot Configuration Auditing Introduced in Depthcharge v0.2.0

Tool Release: Sinking U-Boots with Depthcharge

Depthcharge is an extensible Python 3 toolkit designed to aid security researchers when analyzing a customized, product-specific build of the U-Boot bootloader. This blog post details the motivations for Depthcharge’s creation, highlights some key features, and exemplifies its use in a “tethered jailbreak” of a smart speaker that leverages secure boot functionality. The first three … Continue reading Tool Release: Sinking U-Boots with Depthcharge

Research Report – Zephyr and MCUboot Security Assessment

Over the years, NCC Group has audited countless embedded devices for our customers. Through these security assessments, we have observed that IoT devices are typically built using a hodgepodge of chipset vendor board support packages (BSP), bootloaders, SDKs, and an established Real Time Operating System (RTOS) such as Mbed or FreeRTOS. However, we have recently … Continue reading Research Report – Zephyr and MCUboot Security Assessment

Curve9767 and Fast Signature Verification

This post is about elliptic curves as they are used in cryptography, in particular for signatures. There are many ways to define specific elliptic curves that strive to offer a good balance between security and performance; here, I am talking about specific contributions of mine: a new curve definition, and some algorithmic improvements that target … Continue reading Curve9767 and Fast Signature Verification