Electromagnetic Side-Channel Basics
A chip radiates information as it computes. Here is how electromagnetic side-channel analysis works and why it can be easier than power analysis.
Detecting Fault Injection at Runtime
Beyond surviving a glitch, a device can notice it is being attacked. Here is how runtime fault detection works and what to do when it triggers.
Clock Glitching to Skip a Security Check
Clock glitching corrupts an instruction by feeding the chip a malformed clock edge. Here is how it differs from voltage glitching and what it breaks.
Bypassing JTAG Lock With Hardware Access
A locked JTAG port is not always a closed one. Here is how physical access is used to re-open disabled debug interfaces, and why locking alone is not the end.
Identifying Chips on an Unfamiliar Board
Before you can attack a board you have to know what is on it. Here is how to identify the chips that matter and skip the ones that do not.
Tapping a Parallel Memory Bus
Older and higher-performance designs use parallel memory buses. Here is what makes them harder to tap than serial flash and how it is done.
Using a Bus Pirate for Quick Hardware Triage
The Bus Pirate is a cheap multi-protocol tool for poking at unknown buses. Here is how it speeds up the messy early phase of hardware reconnaissance.
Blowing Fuses: Locking Down a Production Device
One-time-programmable fuses turn security features on permanently. Here is what they protect and why shipping with them unblown is a common, costly mistake.
Reading a QFP Datasheet Like an Attacker
A datasheet is a map of where a chip’s secrets live. Here is how to read one with an attacker’s eye for debug pins and exposed interfaces.
A Pre-Production Hardware Security Checklist
Before a connected product ships, a security checklist catches the issues that are expensive to fix later. Here is the pre-production checklist I use.