Current devices are complex products: a result of an ecosystem effort, with HW and HW components provided by several manufacturers, across long supply chains.
System-level threats may materialize in the interaction of diverse sub-systems and components, due to assumptions occurring at different stages of the production chain. This encompasses not only the design phase, but also (HW & SW) development, threat modeling and even security testing.
This talk explores some classes of such assumptions, as distilled by presenter’s experience. The audience is guided across the different security angles at different production stages, by means of publicly known attacks and practical examples. Reflections on current systems’ security are made, with a special focus on mobile, embedded and IoT devices. Finally, suggestions and recommendations are provided, which may contribute to reducing the risk of system-level vulnerabilities.