Publications
Last updated
Academic papers, books, patents and my Circuit Cellar columns. The columns are marked Trade magazine — they aren’t peer reviewed. My Google Scholar page has citation counts and PDFs for the academic work, though it doesn’t know about the columns or the talks.
159 publications & talks · 2002–2026 — filter by kind
2026
2025
A Roboheist Challenge: Teaching the Next Generation of Embedded Engineers
Abstract
Embedded security taught through an undergraduate robotics course themed as a heist: IR beam sensors, RFID access control and magnetic locks.
Exploring the RP2350 Security: Raspberry Pi's Novel "Security through Transparency" Approach
Abstract
The RP2350's security features versus the RP2040: an open-source boot ROM, OTP memory, and a Redundancy Coprocessor defending against control-flow and fault-injection attacks.
Abstract
Volume 3 of the three-volume set covers white-box cryptography, randomness and key generation, and real-world applications and attacks in the wild.
Abstract
Volume 2 of the three-volume set covers masking, cryptographic implementations, and hardware security.
Abstract
Volume 1 of the three-volume set covers software side-channel attacks, hardware side-channel attacks and fault injection attacks.
2024
Academia or Industry: Challenges of Building Open-Source Research Tools
Abstract
A case study of ChipWhisperer's evolution from an academic project into a tool used in both industry and research, and of sustaining open-source work beyond grant funding.
2023
Method and apparatus for analyzing side channel-related security vulnerabilities in digital devices
Abstract
A method and apparatus for analyzing side-channel security vulnerabilities in a digital device. A first time sequence of measurements of side-channel related phenomena of the digital device, such as power draw or electromagnetic emissions, is obtained.
Advanced Hardware Hacking: Power Analysis & Fault Injection with the ChipWhisperer
Abstract
A two-day in-person training on power analysis and fault injection using the ChipWhisperer-Husky and ChipSHOUTER/PicoEMP; run as two sessions across August 2023.
Adventures of My Oven (Pinocchio) with ChipWhisperer
Abstract
Reverse engineering a Samsung oven with ChipWhisperer.
RecordingSlidesResearch repopytoshload (TMP91 loader)TLCS-900 resourcesBlog post →
2022
Breaking the Loop with Fault Injection: A Simple Experiment on an Embedded System's Code
Abstract
How EMFI can skip a bootloader signature check, why compiler optimisation makes "secure" code vulnerable, and entangling data with control flow as a countermeasure.
Hands on with Non-Invasive Hardware Security Tooling
Abstract
Three demos: differential fault analysis on RSA against a Raspberry Pi using PicoEMP for the fault injection; a NEORV32 RISC-V soft-core on an iCE40 FPGA target; and hardware ECC attacks on a ChipWhisperer CW305 against the open-source CrypTech ECC core.
SlidesPicoEMPR-Pi glitching demo sourceECC attack write-up (ePrint)Blog post →
Electromagnetic Fault Injection Made Easy with PicoEMP
Abstract
An introduction to the low-cost open-source PicoEMP EMFI tool — the theory and its real-world use.
2021
Bam the BAM: Electromagnetic Fault Injection & Automotive Systems
Abstract
Using EMFI to bypass the security that prevents ECU modification on a 2019-model-year automotive ECU, and how to validate and harden against it.
The Cheapskate Revolution: Hardware Attacks from Millions to Tens of Dollars
Abstract
How hardware attacks have dropped from needing million-dollar labs to tens of dollars of gear.
2020
BAM BAM!! On Reliability of EMFI for in-situ Automotive ECU Attacks
Abstract
Certain NXP chips and GM ECUs have a hardware bootloader that asks for a password. EMFI bypasses the password check so an incorrect password is accepted. Presented as a way to help automotive system designers understand the real threat to their systems.
Low-Cost Body Biasing Injection (BBI) Attacks on WLCSP Devices
BAM BAM!! On Reliability of EMFI for in-situ Automotive ECU Attacks
2019
MINimum Failure: Stealing Bitcoins with EMFI
Abstract
The Trezor EMFI attack, generalised. Almost every USB stack contains a length check whose bound comes from the host, so fault injection can force that path and read data out of the target device.
A Call for Time Travel Resistant Cryptography (TTRC)
Abstract
A parody of Post Quantum Cryptography, arguing that Time Travel Resistant Cryptography is a hugely important area of research that has been widely ignored: if time travel requires creating a Closed Timelike Curve and is only possible from that point onward, crypto breaks the moment a CTC is created — so we must build TTRC now, since we cannot know when CTCs could be created.
MINimum Failure: Stealing Bitcoins with EMFI
Abstract
The USB-stack EMFI attack. Also given at Black Hat USA 2019 (a separate entry); the peer-reviewed version is the WOOT '19 paper in the publications list.
Abstract
A short workshop on ChipWhisperer using the ChipWhisperer-Nano.
Breaking Security: Power Analysis & Fault Injection Attacks
Abstract
This paper will introduce side-channel power analysis and fault injection attacks and their relevance to embedded systems. Examples of attacks are given, along with a short discussion of countermeasures and effectiveness. The use of open-source tools is highlighted, allowing the reader the chance to better understand these attacks with hands-on examples.
MIN()imum Failure: EMFI Attacks against USB Stacks
On-Device Power Analysis Across Hardware Security Domains.
2018
Power Analysis and Fault Attacks against Secure CAN: How Safe Are Your Keys?
I, For One, Welcome Our New Power Analysis Overlords
2017
Breaking Electronic Door Locks Like You're on CSI: Cyber
Abstract
The front panel of a residential electronic door lock can be removed from the outside, exposing a connector. A brute-force board then emulates the keypad, sends guesses in quick succession, and resets the backend lock to bypass the too-many-wrong-guesses timeout — recovering the 4-digit code in about 85 minutes.
Breaking a Password with Power Analysis Attacks
Abstract
A DPA attack recovering a PIN from an Atmel XMEGA MCU using the open-source ChipWhisperer-Lite, with Python examples.
Method and Apparatus for Detection of Counterfeit, Defective or Damaged Devices
IoT goes nuclear: Creating a ZigBee chain reaction
A framework for embedded hardware security analysis
2016
Insertion of faults into computer systems
Synchronous sampling of internal state for investigation of digital systems
Abstract
Reverse engineering of the Philips Hue. In Colin's own words he did not make a worm — the title was a question someone asked him, and the talk is about the security of the Hue, which he assesses Philips did "a rather good job" of. The one called-out trade-off is the reuse of encryption keys across all firmware updates for all devices, which is what makes a theoretical worm possible.
SlidesWhitepaper (~48pp)Supporting work: getting root on the Hue Bridge 2.0Blog post →
Brute-Forcing Lockdown Harddrive PIN Codes
Abstract
Brute-forcing PIN codes on a PIN-protected hard drive enclosure using the MB86C311A. Builds on Czarny & Rigo's HardWear.io 2015 work, which found the stream-mode cipher used by all manufacturers on the MB86C311A and that secrets are stored on the drive.
Power Analysis Attacks against IEEE 802.15.4 Nodes
Fault Injection using Crowbars on Embedded Systems.
A lightbulb worm?
2015
ChipWhisperer — open-source power analysis and glitching
USSSSSB: Talking USB From Python
Abstract
Talking to USB devices from Python, with a live demo — raw USB reads and writes via pyusb, and a full PySide GUI example.
Synchronous sampling and clock recovery of internal oscillators for side channel analysis and fault injection
Side channel power analysis of an AES-256 bootloader
2014
Think Fast: FPGA Design Using High-Level Synthesis
AtlSecCon 2014 presentation
Channel Equalization for Side Channel Attacks.
Chipwhisperer: An open-source platform for hardware embedded security research
2013
Connecting FPGA Hardware to Virtual Test Benches
Abstract
Hardware co-simulation, for when a critical piece of a design exists only in hardware.
Using Internal Logic Analyzers for FPGAs
Abstract
Integrated logic analyzers to probe signals inside a running design.
Power Analysis Attacks for Cheapskates
Power Analysis Attacks for Cheapskates
2012
Power Analysis for Cheapskates
A Case Study of Side-Channel Analysis using Decoupling Capacitor Power Measurement with the OpenADC
FlexibleIP (FIP): IPv6 Stack for Experimental Work on Low-Power Wireless Networks
Low-Cost Power Trace Acquisition with OpenADC & Decoupling Capacitor Power Measurement
Power analysis for cheapskates
Poster - Side Channel Analysis
2011
Message Denial and Alteration on IEEE 802.15.4 Low-Power Radio Networks
2010
Abstract
Advanced USB features, then working with a USB MCU.
2009
FPGA Implementation of a Novel Compensation Technique for EER Amplifiers
Demo abstract: seamless sensor network IP connectivity
Seamless sensor network ip connectivity: Demo Abstract
2008
Making sensor networks IPv6 ready
2006
Abstract
An introduction to the AVR-GCC toolchain from a Windows environment.
Abstract
The LoonBoard Unified Bootloader (LUB) programs Xilinx FPGAs in 207 words, and self-calibrates its internal RC oscillator.
2005
Digital Video in an Embedded System
Abstract
Using low-cost video encoders/decoders to generate studio-quality video.
2004
Downloading, Installing and Configuring WinAVR
2002
It's a SNAP: A Flexible Communications Protocol
Abstract
Surveys network protocol options and settles on SNAP (Scalable Node Address Protocol).
Maintained by hand in data/publications.yaml and
data/talks.yaml. Recordings, slides and links are shown where they exist.
{{/* Publications and talks are combined into one glyph-tagged list above (chosen 2026-07-17 — docs/design-options.md §1). To switch back to two separate sections, replace the line above with:
{{< publications >}}
## Talks & Presentations
Conference talks and presentations, separate from the papers above. Slides,
recordings and the blog post about each are linked where they exist.
{{< talks >}}
*/}}