It's not (probably). There are multiple articles showing that it costs a few dollars and require a few minutes to dump a general purpose MCU. The solution is more to try to open Secure chips, rather than using broken ones...
-
This Tweet is unavailable.
-
This Tweet is unavailable.
-
ROCA was so obvious once the finger was pointed at the problem area that I had friends who reverse engineered it through key analysis and guessed at what the bad code was doing, before the official research paper was published.
This is an endemic problem in parts of the industry, where half-competent people are the ones doing the audits, while access is denied to those who could actually find problems quicker (but might not work for a big auditing firm).
-
-
Big auditing firms excel at filing a lot of paperwork and certifying a lot of PowerPoint bullet points. They do not excel at finding actual problems. They might find some, but not nearly as many as would be found if the product were auditable at large.
-
I have experienced this problem myself, when I was brought in to do a black-box audit for a vendor, and immediately identified a risk area, requested access to do a white-box audit, and was denied (and there was insufficient time to get that access myself via attacks).
- Show replies
New conversation -
-
-
Ok I got your point and I don't disagree. I just want to insist on the fact that the solution is more to try to open Secure chips, rather than using broken ones... Telling the opposite is a big fallacy, and I hope it's just a troll
-
Oh, I absolutely would *love* to have open secure ICs. But since that doesn't seem to be happening any time soon, you're left with a choice, and I'm starting to wonder if the open alternative might actually be better given that we can't have both.
- Show replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.