MSP430 Security

MSP430 BSL Timing

BSLCracker 3.0

In mid-2008, I began to investigate methods of recovering locked firmware from the MSP430 microcontroller by observing the timing of the password-protection function.

Details of my results were presented at Black Hat USA 2008. See my slides and my paper, as well as relevant blog posts.

More recent research of mine, to be presented at 25C3 in Berlin, uses voltage glitching in addition to timing attacks in the form of a BSLCracker device, pictured above.

TinyOS MSP430 Stack Overflow

In July of 2007, I authored the first stack overflow exploit for a wireless sensor network, which operates against an intentionally vulnerable TinyOS 2.x application. For details, please see MSP430 Buffer Overflow Exploit for Wireless Sensor Nodes, an article that describes the authorship of such an exploit in detail. Memory-Constrained Code Injection continues with a discussion of injecting executable code larger than the packet size.

I've spoken regarding this research at Toorcon 9 and Texas Instruments DC 2008.