About The Training

This course aims to equip participants with a comprehensive understanding of secure firmware development by combining foundational theory with practical, hands-on skills. Upon completion, learners will be able to identify and mitigate common firmware security risks, apply industry-recognized secure coding practices, implement robust firmware update mechanisms, and conduct effective device hardening and incident response. The training prepares participants to design and maintain resilient firmware suitable for a wide range of embedded and IoT platforms, ensuring device integrity, data confidentiality, and operational reliability in real-world environments.

Basic

Securing Firmware: Because Nobody Wants a Hacked Toaster

Subtitle: A hands-on journey into embedded security essentials.
 

Day 1: Firmware Foundations & Reducing the Attack Surface

1. Key Concepts

• Understanding Firmware:
  Overview of firmware’s role and security challenges in embedded/IoT devices.
• Threat Vector Analysis:
  In-depth analysis of critical firmware threat vectors through the Mirai Botnet campaign, which exploited insecure default credentials and vulnerable update processes to compromise millions of devices.
• Attack Surface Minimization Techniques:
  Techniques for mapping and actively minimizing attack surfaces, including:
  - Secure boot enforcement
  - Disabling unused interfaces
  - Adherence to secure default configurations
   

2. Hands-On
Hands-on session for setting up the development environment, flashing firmware on a compatible development board, and probing device interfaces for security gaps.

3. Case Study (Mirai Botnet)
Exploration of Mirai Botnet firmware vulnerabilities, breach impact, and subsequent remediation efforts such as:
- Credential hardening
- Secure boot integration



Day 2: Secure Coding Practices, Vulnerability Discovery & Testing
 1. Key Concepts
Secure Coding Fundamentals:
Implementation of secure coding practices, including:
- Input validation
- Memory safety to prevent overflow flaws
- Principle of least privilege
- Secure credential management
- Avoidance of deprecated or unsafe functions
Common Firmware Weaknesses:
Examination of prevalent firmware weaknesses such as:
- Hardcoded secrets
- Insecure APIs
- Transmission of unencrypted data
Framework Alignment:
Aligning practices with industry standards, including OWASP IoT Top 10 and Microsoft SDL, to reinforce compliance and security best practices.
 

2. Interactive Session (Vulnerability Discovery)
Hands-on exercises for identifying and exploiting common vulnerabilities in firmware.

Day 3: Firmware Update Security, Device Hardening & Incident Response
1. Key Concepts
Secure Firmware Update Mechanisms:
Understanding secure firmware update processes, including:
- Cryptographic signatures
- Integrity checks
- Rollback protection
- Authenticated delivery pipelines
Device Hardening Methodologies:
Strategies for device hardening, such as:
- Disabling unused services
- Enforcing strict access controls
- Regular security audits and updates
Incident Response Planning:
Developing an incident response plan tailored for firmware vulnerabilities, including:
- Detection and analysis
- Containment and eradication
- Recovery and post-incident review

2. Capstone Project: Real-World Application
Participants will work in teams to develop a secure firmware update strategy for a hypothetical IoT device, incorporating lessons learned throughout the workshop.
 

Conclusion & Feedback
Wrap-Up Session:
- Recap of key takeaways from each day.
- Open floor for participant questions and discussions.
- Collect feedback for continuous improvement of the workshop.

Personal Laptop: A functional laptop (Windows, macOS, or Linux) capable of running a modern IDE and debugger tools. Mandatory.

USB Drive (Minimum 16GB): For quickly transferring starter code, completed labs, and any necessary Virtual Machine images (if required for specific tools).

• Basic Programming Knowledge
• Embedded Systems Understanding
• Networking Fundamentals

This training is designed for beginners and early-career professionals who want to build a strong foundation in embedded security, particularly focusing on secure firmware development.

This training offers an interactive and practical learning experience, blending foundational knowledge with hands-on labs and real-world case studies. Participants will engage with modern tools and techniques to understand, develop, and secure firmware for embedded and IoT devices.

• Step-by-step instructions for hands-on exercises, firmware flashing, vulnerability testing, and secure update implementation
• Shared-access to a limited number of development boards

Attendees should not expect to receive individual development boards.