Cybersecurity: searching for hardware vulnerabilities

You ensure the secure execution of programs that operate connected objects. What does that involve?
I would speak more broadly about embedded platforms to include, in addition to smartphones and other connected watches, hardware such as web servers, etc. My role is not to install a cryptographic key on these objects, but to dissect them to understand how they work, detect potential flaws in the components, and propose fixes. For example, when peaks in power consumption or variations in a processor's electromagnetic field are readable, they can reveal information about the keys that secure it. Our goal is to create a more secure overall environment, as close as possible to the hardware, for greater responsiveness in the event of an attack.
You mainly work on the processors and memory blocks that power small objects with Bluetooth or Wi-Fi connectivity. How do you go about it?
We work on open-source platforms, which gives us access to documentation on the components and their source code. This means we don't need probes or oscilloscopes. We simply model the components and test them on a simulation table. We then observe their behavior and verify certain hypotheses (the manufacturer does not always provide all the information, even in open source). We derive metrics and actionable measurements that may reveal vulnerabilities and can propose fixes. All without having to intervene directly on the component.
What results have you already achieved?
As I mentioned earlier, consumption peaks or electromagnetic variations in a processor can compromise its security. But other parameters are also sensitive, particularly the access times to this component's memory blocks. Depending on the value recorded, it is possible to know whether the user is accessing secure memory or simple memory that only contains calculation data. By studying these access times—in the order of microseconds—and establishing a very detailed understanding of the available hardware (it is necessary to have a good understanding of the physical nature of the processor-memory block connections), we have succeeded in developing a device that randomizes memory access times. For an attacker, this means that the readings they can take are uninterpretable and will not provide them with any information about the component's cryptographic key. In our work, we represent these access times graphically. Normally, certain pixels stand out from the others and reveal data. With our device, the image is completely uniform, with no irregularities. It acts as a scrambler for the signals emanating from electronic components.
What are the applications for your work?
In recent years, manufacturers of connected objects have been using more and more open source components. This allows them to develop their own circuits without paying licensing fees to the market giants, thereby achieving economies of scale. An ecosystem, to which we contribute, and even a foundation have been created around open source. The latter brings together several academic and industrial players who work together to offer more secure implementations of these components and software.
Through scientific publications, the community reports and corrects flaws in open source components. Economic players thus benefit from increasingly secure equipment that is resistant to certain types of attacks and can be adapted to their activities, while companies find applications for it in various fields (defense industries, connected objects, etc.). Other partners such as the French Defense Procurement Agency (DGA) and the French National Cybersecurity Agency (ANSSI), which sets standards for security algorithms, are also interested in our research.
What project are you currently working on?
We are currently working on developing trusted environments for embedded software development (confidential computing). For example, if I take a smartphone and open an application on it, I want to be sure that the component running that application will not leak a password to another application on my device. Our goal here is to properly compartmentalize the various software components.

Pascal Cotret is a professor and researcher at ENSTA on the Brest campus. He obtained his PhD from the University of South Brittany in 2012 and was a professor and researcher at CentraleSupélec Rennes between 2014 and 2017. He then worked in the private sector for two years before joining ENSTA in 2019. His expertise lies in software/hardware boundary security and embedded systems. He is also interested in the algorithm-architecture adequacy of security mechanisms.
*Lab-STICC: a joint research unit of CNRS, IMT Atlantique, ENSTA, Université de Bretagne Occidentale, Université Bretagne Sud, École Nationale d'Ingénieurs de Brest, Institut Polytechnique de Paris, 91120 Palaiseau, France