Cybersecurity and Compliance of Embedded Systems with Radio Communication

Objectives

This training teaches participants to understand the security weaknesses of embedded systems, master the attack techniques used by hackers in order to mitigate their impact, secure embedded systems from the design phase, and understand vulnerabilities in order to reduce risks. It also covers the European regulations in force or upcoming, as well as the means of ensuring compliance.

 

DAY 1

Introduction to Cybersecurity

  • Why Cybersecurity?
  • “Internet of Things” (IoT)

Cybersecurity Fundamentals

  • The Triforce of Protection Criteria
  • New Technologies, New Threats

Understanding the Basics of Hardware Hacking

  • Understanding the Historical Context of Attacks on Connected Devices
  • Reviewing Vulnerabilities and Offensive & Defensive Aspects
  • Basic Electronics Fundamentals
  • Hands-on Session: Collecting Information on a Target

How Hackers Access Hardware

  • Presenting Tools and Methods Available to Audit a Product
  • Extracting Sensitive Data Using Audit Tools
  • Hands-on Session: Acquiring Electronic Signals, Tools, and Demonstration

How to Access Software

  • Presenting Different Architectures (Microcontrollers, FPGA) and Various Direct Software Access Methods via Input/Output Interfaces (JTAG / SWD, I2C, SPI, UART, ISM Band RF, etc.)
  • Hands-on Session: Accessing Firmware via Different Interfaces
  • Hands-on Session: Performing Fuzzing on External Interfaces to Detect Basic Embedded Vulnerabilities
  • Hands-on Session: Exploiting Vulnerabilities (Buffer Overflow) During a Hardware Security Audit

DAY 2

Introduction to Cryptography

  • Presentation of Different Cryptographic Algorithms and Protocols
  • Random Number Generation
  • Symmetric Algorithms
  • Asymmetric Algorithms
  • Hash Functions
  • Secure Updates
  • Hardware Protection Mechanisms (HSM, TPM, Secure Element)

The Cyber Resilience Act

  • Regulatory Context and Main Objectives
  • Obligations of Manufacturers, Importers, and Distributors
  • Cybersecurity Requirements in the CRA
  • Legal Consequences of Non-compliance

The RED Directive

  • Legal, Regulatory, and Normative Aspects
  • Network Protection (3(3)(d))
  • Protection of Personal Data and Privacy (3(3)(e))
  • Protection Against Fraud (3(3)(f))

EN 18031 Standards

  • Scope of Application
  • Requirements of EN 18031-1
  • Requirements of EN 18031-2
  • Requirements of EN 18031-3
  • Evaluation Process

 

DAY 3

Fundamentals of Radio Hacking

  • Introduction to the Radio Spectrum and Basic Principles of Wireless Communications
  • Exploration of Frequency Bands and Overview of Communication Protocols
  • Presentation of Different SDR Cards for Radio Hacking: HackRF One, LimeSDR, USRP, RTL-SDR

Hacking with SDR Technology

  • Introduction to the Radio Penetration Testing Methodology
  • Discovery of Tools for Radio Penetration Testing: GQRX, GNU Radio, Universal Radio Hacker
  • Reverse Engineering a Wireless Protocol from Radio Emissions Captured in the Air

Hacking with Bluetooth Technology

  • Presentation of Different Bluetooth Technologies (BR/EDR, LE, MESH) and Their Vulnerabilities
  • Discovery of Tools for Bluetooth Penetration Testing: Bettercap, Gatttool, Bluetoothctl, Mirage, …
  • Implementation of Bluetooth Attacks: BlueBorne, SweynTooth, BrakTooth, KNOB, …

Hacking with Wi-Fi Technology

  • Presentation of Different Wi-Fi Technologies (WEP/WPA2-PSK/WPA2-EAP, EAP-SIM/WPA3) and Their Vulnerabilities
  • Discovery of Tools for Wi-Fi Penetration Testing: Wifite2, Aircrack-ng, WEF, Airgeddon, …
  • Implementation of Wi-Fi Attacks: OwFuzz, Frag, KRACK, …

Hacking with GNSS Technology

  • Presentation of Different GNSS Technologies (GPS, GLONASS, Galileo, BeiDou) and Their Vulnerabilities
  • Demonstration of a Spoofing Attack on GPS L1 Band Technology

No prior experience in cybersecurity is required. However, basic knowledge of electronics, embedded software, or radio is recommended. The necessary electronic and computing equipment for the exercises will be provided on-site:

  • Full HD screen with HDMI port
  • Keyboard, mouse
  • Pre-configured Raspberry Pi
  • Hardsploit with training board
  • Radio analysis tools

This training is aimed at individuals interested in security aspects related to hardware, embedded systems, or radio. It is suitable for electronics enthusiasts, as well as IT security professionals (developers, architects, integrators, hardware designers, project managers).

Embedded Cybersecurity Expert

  • PowerPoint Presentation (materials in English)
  • Interactive Web Platform (Klaxoon)

Evaluation at the beginning and end of the training, quizzes…

5 working days before the start of the training (if financed by OPCO).

A training certificate in accordance with the provisions of Article L. 6353-1 paragraph 2 will be provided to the participant. No formal certification is granted; only participation is recognized. This training aims to provide fundamental knowledge but does not confer professional certification.
