WEBVTT

00:00.000 --> 00:10.000
Before we start, I have two announcements.

00:10.000 --> 00:16.000
First is for the people who are going to the open-ended workshop tomorrow.

00:16.000 --> 00:22.000
Check your email for the new location. It has changed.

00:22.000 --> 00:27.000
The second announcement is related to this talk.

00:27.000 --> 00:33.000
Those are the chocolates. Who has been to two of my previous talks at FOSDEM,

00:33.000 --> 00:39.000
the one yesterday and the one this morning?

00:39.000 --> 00:45.000
Not too many. It didn't work. But there are still people.

00:45.000 --> 00:49.000
So I'm going to give those chocolates.

00:49.000 --> 00:53.000
The first person I've seen who attended three talks,

00:53.000 --> 00:59.000
then you organize yourself to the show chocolates.

00:59.000 --> 01:03.000
People who attended two talks qualify also. Who was that?

01:03.000 --> 01:05.000
It was you.

01:05.000 --> 01:09.000
And then you start passing the chocolates to other people.

01:09.000 --> 01:13.000
Thank you.

01:13.000 --> 01:17.000
So, formally you haven't attended the first talk.

01:17.000 --> 01:19.000
But we are going to start, right?

01:19.000 --> 01:21.000
And there are people coming in.

01:21.000 --> 01:31.000
So, this is going to be a personal selection of events that happened during the last year

01:31.000 --> 01:33.000
in the embedded space.

01:33.000 --> 01:37.000
Even with a few categories like regulation, cryptography, and so on.

01:37.000 --> 01:43.000
Maybe I'm not giving exact dates because that's not that important.

01:43.000 --> 01:47.000
But you will have in the slides later on

01:47.000 --> 01:55.000
that you will be able to download links to various talks, events, and the like.

01:55.000 --> 02:01.000
So, I was thinking a long time what I'm going to start with.

02:01.000 --> 02:05.000
If I'm going to start with regulations or I'm going to finish with regulations,

02:05.000 --> 02:15.000
in during my talks, finishing with regulations usually means that then I have an hour talking about regulations in the question and answer section.

02:15.000 --> 02:21.000
So, I'm going to start with regulations that hopefully are going to forget all your questions.

02:21.000 --> 02:23.000
So, but who am I?

02:23.000 --> 02:30.000
I'm Marta, I do embedded security and I talk a lot during all of those conferences.

02:30.000 --> 02:32.000
So, where do we start?

02:32.000 --> 02:35.000
We are going to start with regulations.

02:35.000 --> 02:37.000
Yeah, regulations.

02:37.000 --> 02:48.000
So, the big regulation that we have going on for the embedded space is the Cyber Resilience Act.

02:48.000 --> 02:51.000
Most of people here are in Europe.

02:51.000 --> 02:55.000
So, I'm going to test it again.

02:55.000 --> 03:05.000
So, who knows the Cyber Resilience Act well? Raise your hand.

03:05.000 --> 03:08.000
Okay?

03:08.000 --> 03:12.000
Who has heard about it?

03:12.000 --> 03:14.000
Way better.

03:14.000 --> 03:17.000
Okay.

03:17.000 --> 03:24.000
So, the Cyber Resilience Act: mandatory cyber security requirements for all of them.

03:24.000 --> 03:35.000
But the product, it's already in place, but all of the conditions apply in December 27.

03:35.000 --> 03:40.000
And what happened in 25, about all of that?

03:40.000 --> 03:53.000
There was a work on standards and first set of standards have seen, have been seen by people other than people working.

03:53.000 --> 04:11.000
So, the big reminder is that standards are not mandatory, but in practice, especially in some categories, you will actually need them.

04:11.000 --> 04:22.000
So, there was the first review round for quite many of them and still continuing for the vulnerability management horizontal.

04:22.000 --> 04:42.000
And there is a common problem going on with the CRA standards, affecting especially embedded and small companies: it is still not clear if they are going to be available for a fee or not.

04:42.000 --> 04:48.000
Especially taking account that you have three horizontals that apply to everything.

04:48.000 --> 04:54.000
And then you have 40 something verticals.

04:54.000 --> 05:03.000
If you want to buy them it's 150 Swiss francs.

05:03.000 --> 05:12.000
So, this budget, so the discussion is going on and some people do not want open source people to talk about this anymore.

05:12.000 --> 05:14.000
But we do.

05:14.000 --> 05:19.000
Then the second subject is the European vulnerability database.

05:19.000 --> 05:38.000
So, this is even more funny because there is an obligation to report exploited vulnerabilities and security issues in all products starting September 26.

05:38.000 --> 05:42.000
That's this year.

05:42.000 --> 05:58.000
And the really funny thing is that the site where you will be doing that is not that part is not even embedded.

05:58.000 --> 06:00.000
So, that's interesting.

06:00.000 --> 06:03.000
The database itself.

06:03.000 --> 06:09.000
That's basically assumes you are going to use to check your products for vulnerabilities.

06:09.000 --> 06:15.000
It is in preview.

06:15.000 --> 06:19.000
Yeah, but that's still the work on it.

06:19.000 --> 06:36.000
And then in December last year, the Commission released a FAQ answering some of the questions that the community had been asking them to clarify for a very, very long time.

06:36.000 --> 06:40.000
And it's long.

06:40.000 --> 06:45.000
Important clarification for embedded people.

06:45.000 --> 06:49.000
It is on the support period.

06:49.000 --> 06:59.000
The support period is the number of years during which you need to release security updates for free for all of your products.

06:59.000 --> 07:10.000
And the clarification is that the start of that support period comes from the moment the manufacturer sells the product.

07:10.000 --> 07:12.000
Not from the end of design.

07:12.000 --> 07:18.000
Not from the moment you fork Yocto or Buildroot to support that board.

07:18.000 --> 07:26.000
But it starts from the invoice date of the manufacturer.

07:26.000 --> 07:33.000
So if you have one batch, there's a part of the batch on the shelf.

07:33.000 --> 07:49.000
So later, the support period for that part of the batch runs from the moment they are actually sold and not put in the warehouse.

07:49.000 --> 07:58.000
So that's a pretty important and they confirm that the risk assessment is the only line of defense that you have.

07:58.000 --> 08:05.000
The specificity of CRA is that it's a risk based approach.

08:05.000 --> 08:10.000
So there's no checklist of the features you expected to have.

08:10.000 --> 08:18.000
We expected to have a risk assessment and it's the risk assessment that will be giving you the checklist.

08:19.000 --> 08:22.000
And a lot of responsibility that comes from.

08:22.000 --> 08:27.000
So I did the presentation about risk assessments.

08:27.000 --> 08:30.000
But I do not think it, okay.

08:30.000 --> 08:43.000
But I think I think to the fact so that you can have a look, there will be at least one more on open source, but I don't know why.

08:43.000 --> 08:49.000
So what also happened in 2025 on the embedded markets now.

08:49.000 --> 08:55.000
There's more awareness about the CRA, that's really, really clear.

08:55.000 --> 09:01.000
And if you work on embedded products.

09:01.000 --> 09:12.000
As I recommend you to do a try and ask your vendors to provide their CRA plans.

09:12.000 --> 09:21.000
Because if in 2027 they are unable to affix the CE mark on the product,

09:21.000 --> 09:24.000
the new CE mark with the cybersecurity requirements,

09:24.000 --> 09:33.000
You have a pretty supply chain problem because you cannot integrate that product that component anymore into your product.

09:33.000 --> 09:36.000
Better to ask them before if they are preparing.

09:37.000 --> 09:42.000
And so vendors are even starting to provide SBOMs on their websites.

09:42.000 --> 09:45.000
That's the real revolution.

09:45.000 --> 09:57.000
The disadvantage of the fact that companies are starting to be aware about the CRA is the misinformation.

09:57.000 --> 10:03.000
So I've seen basically all kinds of false information about the CRA online.

10:04.000 --> 10:14.000
Including presentations of certain features as mandatory under the CRA where they are not.

10:14.000 --> 10:19.000
So be really really careful about what your vendors tell you.

10:19.000 --> 10:27.000
And there are some vendors that are claiming CRA compliance already.

10:27.000 --> 10:39.000
I do not claim CRA compliance for my product yet because at least I do not know how to report those exploited vulnerabilities to any site.

10:39.000 --> 10:42.000
I'm missing at least that.

10:42.000 --> 10:51.000
So if someone is claiming that that's orange orange getting into red sign.

10:51.000 --> 10:55.000
A checklist for you to check if you are ready.

10:55.000 --> 10:59.000
We are not going to play with hands.

10:59.000 --> 11:02.000
At this stage next year.

11:02.000 --> 11:12.000
The first important thing is if you have an update system for your products because that's one of the basis of the components.

11:12.000 --> 11:23.000
And then if you can receive vulnerabilities of your products easily by users and then you know how to handle them.

11:23.000 --> 11:27.000
That includes updating your products.

11:27.000 --> 11:38.000
And if you have started thinking about risk assessment, I guess that people will start writing those things this year.

11:38.000 --> 11:48.000
Here is the link to my talk last year about the basics of risk assessment.

11:48.000 --> 11:50.000
Find that.

11:50.000 --> 11:55.000
Okay, now a little bit lighter.

11:55.000 --> 11:58.000
Subject cryptography.

11:58.000 --> 12:06.000
That apparently is a really controversial, even even more controversial than CRA.

12:06.000 --> 12:12.000
It seems when I posted on social media. So the quantum computing.

12:12.000 --> 12:18.000
As a background.

12:18.000 --> 12:22.000
Algorithms for post quantum cryptography have been standardized.

12:22.000 --> 12:27.000
What it means that they are normalized.

12:27.000 --> 12:31.000
They could be used and what is what is post quantum.

12:31.000 --> 12:35.000
You've probably heard about quantum cryptography.

12:35.000 --> 12:50.000
If and when quantum computing shows up, it will be all the public key algorithms that you have, including your SSH keys.

12:50.000 --> 12:53.000
They will be really easy to break.

12:53.000 --> 13:00.000
But with the current knowledge, it doesn't break symmetric algorithms like AES.

13:00.000 --> 13:08.000
This is that subtlety that it does break certain things, but not everything that we have.

13:08.000 --> 13:16.000
The current estimations about when it can happen, they vary.

13:16.000 --> 13:20.000
The optimistic people are saying in a few years.

13:20.000 --> 13:26.000
So less optimistic people say in a 10 to 15 years.

13:26.000 --> 13:31.000
And so people are saying that it's never going to happen.

13:31.000 --> 13:46.000
That is a nice risk assessment scenario because when it happens, you are going to have devices in the field.

13:46.000 --> 13:57.000
And many of you are already working on devices that will be in the field in 15 or 20 years.

13:57.000 --> 14:01.000
The question is what do you do?

14:01.000 --> 14:13.000
You may already reserve RAM and flash space for those extra libraries that will have those algorithms to eventually update.

14:13.000 --> 14:23.000
They should further or you already link them cryptographic libraries in assuming that for product that you ship today,

14:23.000 --> 14:27.000
there's no hardware acceleration for those things.

14:27.000 --> 14:31.000
It's going to show up in a few years problem.

14:31.000 --> 14:42.000
On the good side also on the post quantum: OpenSSH supports it from the current LTS of basically everything.

14:42.000 --> 14:50.000
And they missed the window for one of the parts for the signature validation that is available only in 36.

14:50.000 --> 14:56.000
So if you want to add post quantum to your products, you can.

14:56.000 --> 15:07.000
All the crypto libraries are working on the support of post quantum, at different stages.

15:07.000 --> 15:12.000
So post quantum is a risk assessment exercise.

15:12.000 --> 15:20.000
What do you do? Either you do nothing and you may wake up with devices in the field that have completely broken

15:20.000 --> 15:30.000
authorizations, for example, or you start adding those libraries in your products.

15:30.000 --> 15:38.000
And here I will play with hands: who has already looked into post quantum?

15:38.000 --> 15:46.000
Oh really nice nice nice nice.

15:46.000 --> 15:53.000
So on the tools side.

15:53.000 --> 15:58.000
First on the typical tools, on the compiler side and memory safety side.

15:58.000 --> 16:03.000
There is now the -fhardened option in GCC.

16:03.000 --> 16:08.000
That is combining some of the nice hardening options that you have.

16:08.000 --> 16:13.000
So why not to use it?

16:13.000 --> 16:18.000
There are also hardening improvements on different platforms in LLVM.

16:18.000 --> 16:23.000
LLVM doesn't have -fhardened yet, but they are discussing it.

16:23.000 --> 16:31.000
The second big subject of course in the field is the move to memory safe languages.

16:31.000 --> 16:34.000
Also coming to embedded.

16:34.000 --> 16:41.000
So with the notable event being the end of the Linux Rust experiment.

16:42.000 --> 16:50.000
And I know some vendors of embedded products that they are rewriting their stacks.

16:50.000 --> 16:54.000
In memory safe languages.

16:54.000 --> 17:01.000
And then we also have AI.

17:01.000 --> 17:04.000
That can be used to accelerate development.

17:04.000 --> 17:10.000
It can be used to find vulnerabilities in the products.

17:10.000 --> 17:17.000
Or submit completely bogus reports.

17:17.000 --> 17:19.000
Depends.

17:19.000 --> 17:24.000
And there are talks about the subject all around FOSDEM.

17:24.000 --> 17:32.000
So I'm not going to get into the details more on that.

17:32.000 --> 17:35.000
Then dependencies and SBOMs as well.

17:35.000 --> 17:38.000
What do we have here?

17:38.000 --> 17:41.000
Of course, I'm going to ask a question.

17:41.000 --> 17:44.000
Who is already generating an SBOM?

17:44.000 --> 17:46.000
Okay.

17:46.000 --> 17:48.000
Less than a half.

17:48.000 --> 17:49.000
Okay.

17:49.000 --> 17:52.000
So it is currently working in the Yocto Project.

17:52.000 --> 17:53.000
It's working in Zephyr.

17:53.000 --> 17:56.000
It's working for some RTOSes.

17:56.000 --> 17:59.000
Even some SDK vendors do provide them.

17:59.000 --> 18:02.000
SBOMs, I haven't looked yet

18:02.000 --> 18:06.000
how accurate they are.

18:06.000 --> 18:09.000
But there are still problems in embedded.

18:09.000 --> 18:12.000
I did a whole talk about the subject this morning.

18:12.000 --> 18:16.000
So if you try to merge SBOMs,

18:16.000 --> 18:19.000
For example, for multiple processors.

18:19.000 --> 18:21.000
Into one.

18:21.000 --> 18:23.000
To analyze this on that.

18:23.000 --> 18:25.000
that's becoming difficult.

18:25.000 --> 18:29.000
They're really complicated still.

18:29.000 --> 18:33.000
And we have a lot of problems in the SBOM land.

18:33.000 --> 18:37.000
One of them is how do we handle patched software.

18:37.000 --> 18:40.000
It's pretty common in embedded.

18:40.000 --> 18:42.000
And how we handle naming of forks.

18:42.000 --> 18:45.000
There's no good solution.

18:45.000 --> 18:47.000
In there.

18:47.000 --> 18:50.000
Another tendency that we have a lot in embedded is that.

18:50.000 --> 18:54.000
People copy code like libraries.

18:54.000 --> 18:57.000
Or just files somewhere.

18:57.000 --> 19:02.000
And then other developer needs to deal with that ten years later.

19:02.000 --> 19:07.000
Because of course those files haven't been updated for the last ten years.

19:07.000 --> 19:11.000
And nobody was aware that it was there.

19:11.000 --> 19:14.000
And then.

19:14.000 --> 19:19.000
We have our favorite Wi-Fi, Bluetooth and all the stacks that are running

19:19.000 --> 19:24.000
processors internally with big software stacks on them,

19:24.000 --> 19:29.000
That have a lot of other software libraries on them.

19:29.000 --> 19:33.000
And we would like sometimes to.

19:33.000 --> 19:37.000
have a nested SBOM to have an idea of

19:37.000 --> 19:39.000
how much of a problem they are.

19:39.000 --> 19:42.000
Especially if they are providing connectivity.

19:42.000 --> 19:48.000
And that's that's also a very interesting and unsolved problem.

19:49.000 --> 19:54.000
Um, this year I have also seen a lot of.

19:54.000 --> 19:58.000
Attention on bootloaders.

19:58.000 --> 20:02.000
A bootloader is something that is very close to your hardware.

20:02.000 --> 20:06.000
And it can write to the memory.

20:06.000 --> 20:09.000
Wherever it wants.

20:09.000 --> 20:12.000
And they can.

20:12.000 --> 20:16.000
If an attacker can compromise a bootloader,

20:16.000 --> 20:21.000
Then they can compromise the whole of your embedded system.

20:21.000 --> 20:24.000
So there are two interesting talks.

20:24.000 --> 20:28.000
I recommend you to have a look at this at the slide deck.

20:28.000 --> 20:34.000
One about hardening bootloaders and the other about finding vulnerabilities in your bootloader.

20:34.000 --> 20:42.000
And I think that this is going to count as a tendency over the next year too.

20:42.000 --> 20:45.000
Because there's a lot of work to do.

20:45.000 --> 20:50.000
And also on those lower level.

20:50.000 --> 20:54.000
In parts of the stack.

20:54.000 --> 20:57.000
And then on the vulnerabilities side.

20:57.000 --> 21:02.000
I wanted to show you a tendency.

21:02.000 --> 21:06.000
A choice of three vulnerabilities

21:06.000 --> 21:10.000
that were discovered last year and affect embedded.

21:10.000 --> 21:15.000
If you have a look at the short descriptions.

21:15.000 --> 21:20.000
All of them are related to the code that

21:20.000 --> 21:28.000
parses data that comes either from a remote service

21:28.000 --> 21:31.000
Or is given by the user.

21:31.000 --> 21:35.000
So those are not memory safety issues.

21:35.000 --> 21:43.000
Those are issues of parsing actual messages.

21:43.000 --> 21:46.000
That could be controlled by attacker.

21:46.000 --> 21:54.000
We know many embedded devices that are trusting everything that is being sent to them.

21:54.000 --> 21:58.000
Not, not, not a good choice.

21:58.000 --> 22:01.000
So to wrap up.

22:01.000 --> 22:03.000
There's a lot of going on.

22:03.000 --> 22:04.000
We have regulations.

22:04.000 --> 22:06.000
We have changes in cryptography.

22:06.000 --> 22:10.000
And I see more and more interest in security subjects.

22:10.000 --> 22:16.000
For example, at the ERT version, we have a separate track on security.

22:16.000 --> 22:19.000
Something I've never seen before.

22:19.000 --> 22:21.000
So that's pretty interesting.

22:21.000 --> 22:26.000
And a lot of security talks at different embedded conferences.

22:27.000 --> 22:31.000
That's, I find that's good.

22:31.000 --> 22:37.000
I will be doing a series of such talks to assemble information from different subjects.

22:37.000 --> 22:44.000
If you have something that should show up in a future edition of such a talk,

22:44.000 --> 22:46.000
I'm easy to find online.

22:46.000 --> 22:48.000
Let me know.

22:48.000 --> 22:51.000
So do we have time for questions?

22:51.000 --> 23:01.000
Maybe.

23:01.000 --> 23:03.000
Thanks as ever, Marta.

23:03.000 --> 23:08.000
Just going back to manufacturing and risks and obligations.

23:08.000 --> 23:12.000
If we produce OEM hardware with the software stack,

23:12.000 --> 23:14.000
it might be October's effort on top of that.

23:14.000 --> 23:19.000
We sell that into vertical markets as our product to them.

23:19.000 --> 23:23.000
And then they sell on box it up and sell it as part of their service.

23:23.000 --> 23:25.000
Does that mean we're both manufacturers.

23:25.000 --> 23:28.000
And we both have manufacturing obligations.

23:28.000 --> 23:30.000
Or how does that split out?

23:30.000 --> 23:35.000
And what do we need to be doing as we sell on before something actually hits,

23:35.000 --> 23:39.000
as an end product into the market, if that makes sense?

23:39.000 --> 23:41.000
So first, I'm not a lawyer.

23:41.000 --> 23:46.000
A lawyer is somewhere else in this room.

23:46.000 --> 23:53.000
So the situation correctly, there is new manufacturing devices,

23:53.000 --> 23:58.000
and selling them to your customers,

23:58.000 --> 24:02.000
then they are repackaging, adding stuff and selling that again.

24:02.000 --> 24:04.000
In my opinion, they are both manufacturers,

24:04.000 --> 24:07.000
because you are putting devices on the market,

24:07.000 --> 24:10.000
and they are also putting devices on the market.

24:10.000 --> 24:14.000
So in my opinion, they are both manufacturers.

24:15.000 --> 24:20.000
I didn't manage to stop thinking about the CRA.

24:20.000 --> 24:23.000
Maybe another question.

24:26.000 --> 24:28.000
We are out of time.

24:28.000 --> 24:29.000
We are on time.

24:29.000 --> 24:30.000
Thank you.

24:30.000 --> 24:32.000
Thank you all for coming.

24:44.000 --> 24:45.000
Thank you.

