In this episode of Agile Embedded, Jeff Gable and Luca Ingianni speak with Ryan Torvik, founder and CEO of Tulip Tree Technology, about cybersecurity from a Red Team hacker perspective. Ryan shares his experience as a former defense contractor supporting offensive cyber operations for the U.S. government and how he's now applying those lessons to the commercial space. Ryan provides fascinating insights into the mindset and challenges of offensive cybersecurity work, explaining how vulnerability researchers approach embedded systems to find exploitable weaknesses. The conversation covers practical security considerations for embedded developers, including the importance of secure coding practices, proper handling of user inputs, and designing security into products from the beginning rather than as an afterthought. Ryan also discusses how emulation technology can help developers test their firmware for vulnerabilities without physical hardware. The episode highlights the growing importance of cybersecurity in embedded systems, particularly in regulated industries like medical devices, and offers practical advice for developers looking to improve their security posture without necessarily becoming security experts themselves.
Key Topics
* [03:00] Ryan's background in offensive cybersecurity and defense contracting
* [04:30] The mindset and challenges of vulnerability research and hacking
* [09:15] How security researchers approach attacking embedded devices
* [13:45] Techniques for extracting and analyzing firmware
* [19:30] Security considerations for embedded developers
* [24:00] The importance of designing security from the beginning
* [28:45] Security challenges for small companies without dedicated security staff
* [33:20] Address Space Layout Randomization (ASLR) and other security measures
* [37:00] Emulation technology for testing embedded systems
* [45:30] Tulip Tree's approach to embedded system emulation and security testing
* [50:15] Resources for learning about cybersecurity and hacking
Notable Quotes
> "When you're on the vulnerability research side, you're trying to find a time when the software does something wrong. When it does something unexpected." — Ryan Torvik
> "Don't roll your own cryptography. Use a standard library for cryptography." — Ryan Torvik
> "We're seeing that the maintenance costs are what are getting people now. You're expected to maintain this device, but now you got to be able to actually update the device." — Ryan Torvik
> "It's so much more expensive to put security in after the fact if it's possible in the first place. Why is that even something that needs to be debated?" — Luca Ingianni
Resources Mentioned
[Tulip Tree Technology](tuliptreetech.com) - Ryan's company focused on embedded system security and emulation
* IDA Pro - Interactive disassembler for firmware analysis
* Binary Ninja - Interactive disassembler from Vector35
* Ghidra - NSA's open-source software reverse engineering tool
* Microcorruption - Beginner-friendly CTF challenge for learning embedded system hacking
* National Vulnerability Database - Public database of security vulnerabilities
Things to do
* Join the Agile Embedded Podcast Slack channel to connect with the hosts and other listeners
* Check out Tulip Tree Technology's website for their emulation tools and security services
* Try Microcorruption CTF challenges to learn about embedded system security vulnerabilities
* Consider security implications early in your design process rather than as an afterthought
* Use secure programming languages like Rust that help prevent common security issues