• Goa'19
  • Speakers
  • Niek Timmers & Albert Spruyt

Niek Timmers & Albert Spruyt

Niek - Principal Security Analyst, Riscure
Albert - Independent Security Researcher


Talk Title

PEW PEW PEW: Designing Secure Boot Securely


Secure boot is under constant attack and therefore bypassed on embedded devices used across industries. Whether bypassed using software vulnerabilities or using hardware attacks like fault injection as we and others have previously shown. Secure boot is paramount for secure embedded devices as it prevents malicious actors from obtaining persistent runtime control. In this talk, we present our vision on secure boot design for embedded devices by means of clear, concrete, practical and easy-to-follow recommendations. We leverage our decade-long experience analyzing and bypassing secure boot implementations of embedded devices used by different industries. We understand, in order to be realistic, we need to consider secure boot's functional requirements, engineering costs, and other non-security related requirements. Where possible, we use practical examples that are easy to follow and implement. To keep it fun, we will have a fault injection demonstration live on stage where we bypass secure boot on a fast and feature-rich chip. The audience will be able to follow up on the discussed topics with two white papers which will be released after our talk.


Niek Timmers is a Principal Security Analyst at Riscure where he analyzes and tests, among other things, the security of SoCs and embedded systems. His primary interest is analyzing and attacking embedded systems using hardware attacks. However, never a week goes by without disassembling some random binary. At the moment he is focusing mostly on automotive security. But is that really so different from any other embedded system? He shared the results of his research at various conferences across the globe like Black Hat (USA/Europe), escar (USA/Asia/Europe), BlueHat and HITB Amsterdam.

Albert is currently on a sabbatical. In his previous life he has analyzed SoCs, embedded systems and pure software solutions such as payment applications. Where he enjoyed recovering keys. He has previously presented at conferences such as: Black Hat (Europe) and HITB Amsterdam.

Copyright © 2023 | Nullcon India | International Security Conference | All Rights Reserved