Weekly engineering deep-dives, vulnerability teardowns, and CRA compliance guidance — written by a practicing embedded engineer, not a vendor.
Get the CRA Compliance Checklist →Secure boot is a chain of trust, not a checkbox. Most embedded teams implement the first link (ROM verifies the bootloader) and stop. Under the EU Cyber Resilience Act, a half-implemented secure boot won't just be a security problem — it'll be a compliance problem with a 24-hour reporting clock.
Fuses blown, debug disabled, and a brick on the bench. A walkthrough of the side-channels that still leak useful state — and the ones that don't.
The CRA reporting obligations land before the full essential-requirements regime. Here is the working engineer's read of what changes first and what to have on the bench.
A pip-freeze-style SBOM ignores half of what's in a firmware image: vendor blobs, ROM patches, RTOS forks, board-support packages. What an auditor will actually expect.
A walk through the supply-chain path that put the same payload on a million unrelated Android TV boxes — and what the embedded equivalent looks like in your own factory line.
CAN was designed for trust between cooperating MCUs in a sealed enclosure. Every modern attack against it exploits the same assumption. Notes from a decade on the bench.
One post a week, plus the CRA checklist on signup.
No marketing.