00
Security for Your Hardware Project
Joe FitzPatrick
@securelyfitz
15+ years of hardware fun:
• silicon debug
• security research
• pen testing of CPUs
• security training
SecuringHardware.com:
• Applied Physical Attacks Training
• HardwareSecurity.Training
Assumptions
You all know a thing or two about hardware
You create, use, or build with Crowdsupply devices
You're as sharp as can be expected sunday morning
02
Our Objectives:
"I want to publish a hardware project/tool/etc without putting myself at risk"
"I want to use a device without exposing myself to additional risk"
"I want to use a device without putting it/it's environment at risk"
"I want to respond properly in the event there's a security-related issue"
"I'm from Infosec and I'm here to help!"
yeah right
Infosec people think they're like doctors:
everything is broken
they show up and fix things
everything is all better!
07
Infosec people are more like lawyers:
They say 'if you called sooner, we could have avoided this'
They have their own secret rules and guidelines
They have a workaround for everything
They have their own vocabulary
They joke with each other about how laypeople "just don't get it"
They don't make it easy for laypeople to get it
They're always critical of other people's work
They always answer "it depends"
There's something they don't understand:
For some people, security seems optional
For some, the alternative to insecurity is failure!
10
Step 1: Protect yourself
Are you handing out your PII in your hardware?
Are you okay with handing out your IP in your hardware?
14
Step 2: Protect your Users
Bonus: Disclosing security practices
18
Step 3: Protect your Devices
Contain (and document) your connectivity
Authenticate or sanitize your hardware inputs
22
Step 4: Respond constructively
If they talk to you - they have good intentions
26
Checklist
Protect Yourself:
☐ How are you handling your PII?
☐ How are you handilng your IP?
Protect Your Users:
☐ Secure software delivery
☐ Secure coding practices
☐ Disclose security practices
Protect Your hardware:
☐ Contain your connectivity
☐ Authenticate/Sanitize inputs
Respond Constructively:
☐ Listen
☐ Expect and return courtesy
27
Good security isn't as hard as it seems
A little bit goes a long way (for now)
It's not just a checklist
Big players make all these mistakes.Repeatedly.
You owe it to yourself, users, customers, or audience
Security for Your Hardware Project
Joe FitzPatrick - @securelyfitz - joefitz@securinghardware.com