Security for Your Hardware Project

Joe FitzPatrick
15+ years of hardware fun:
• silicon debug
• security research
• pen testing of CPUs
• security training

• Applied Physical Attacks Training
• HardwareSecurity.Training


You all know a thing or two about hardware
You create, use, or build with Crowdsupply devices
You're as sharp as can be expected sunday morning
P.S.: Happy Mothers Day!


Our Objectives:

"I want to publish a hardware project/tool/etc without putting myself at risk"
"I want to use a device without exposing myself to additional risk"
"I want to use a device without putting it/it's environment at risk"
"I want to respond properly in the event there's a security-related issue"
"I'm from Infosec and I'm here to help!"

yeah right

Infosec people think they're like doctors:

everything is broken

they show up and fix things

everything is all better!


Infosec people are more like lawyers:
They say 'if you called sooner, we could have avoided this'
They have their own secret rules and guidelines
They have a workaround for everything
They have their own vocabulary
They joke with each other about how laypeople "just don't get it"
They don't make it easy for laypeople to get it
They're always critical of other people's work
They always answer "it depends"
There's something they don't understand:

For some people, security seems optional

For some, the alternative to insecurity is failure!


Step 1: Protect yourself
Are you handing out your PII in your hardware?
Are you okay with handing out your IP in your hardware?


Step 2: Protect your Users

Secure software delivery
Secure coding practices
Bonus: Disclosing security practices


Step 3: Protect your Devices

Contain (and document) your connectivity
Authenticate or sanitize your hardware inputs


Step 4: Respond constructively

If they talk to you - they have good intentions
Be Nice!



Protect Yourself:
☐ How are you handling your PII?
☐ How are you handilng your IP?
Protect Your Users:
☐ Secure software delivery
☐ Secure coding practices
☐ Disclose security practices
Protect Your hardware:
☐ Contain your connectivity
☐ Authenticate/Sanitize inputs
Respond Constructively:
☐ Listen
☐ Expect and return courtesy


Good security isn't as hard as it seems

A little bit goes a long way (for now)
It's not just a checklist
Big players make all these mistakes.Repeatedly.
You owe it to yourself, users, customers, or audience

Security for Your Hardware Project

Joe FitzPatrick - @securelyfitz - joefitz@securinghardware.com