New year, new vulnerabilities

Reading the latest vulnerability report of the ESP32-C3 and C6, quite a popular chip these days, made me think about how to respond to such news. If you are an OEM, it might be “glad I don’t use the ESP32” or if you do it’s “OMG, what happened.” But really, neither of these reactions are appropriate. Because that chip you are using, it will be compromised. When you design your product you should consider not only the threat model, but what happens when the silicon itself is compromised and more importantly, how you will react from a security disclosure perspective.

There is a nice quote: “Hardware eventually fails; software eventually works.” This is especially true with hardware security because even if the best defenses are implemented when you ship the device, the attacks keep improving. And unlike software, it’s very difficult to improve the hardware security after the product has shipped.

So, if you have a product in the market already or are thinking about releasing one this year, what should you do? Well, if you haven’t already done so, the first step is to make a threat model. Which is just information security jargon to say make a document that outlines the threats to your product. Not the defenses or countermeasures, but the _threats_. It’s important to consider the threats to your users’ data and privacy as well as threats to your company.

Then, you should think through how to handle the scenario when the silicon vendor’s product is compromised. It will happen. You will not be saved by vendor X over vendor Y. What is the plan to inform your customers? You may even have to inform certain regulatory bodies now. Does your product’s security rest solely in the silicon or do you have a more robust design? The best time to answer these questions were when you designed the product, the next best time is now.

I’m always happy to help design a new product securely or review existing one so reach out if you have any questions.