embed.whisper.online · embedded-systems security

A secret baked into firmware shouldn't be able to speak for every device you ship.

Buy one unit, dump the flash, and whatever it authenticates with, a shared API key, a fleet-wide certificate, a default password, is now a genuine credential for the entire product line. The impostor passes every auth check, rotates egress across Amazon, Google and Azure until all your backend has logged is a meaningless last IP, and when the cloud console that held your fleet's identity retires, the fleet is orphaned in the field. It all works for one reason: your devices have no identity they can prove.

We give them one. The address is the device: a routable, DNSSEC-anchored /128 derived from the key already sealed in its secure element, one no dump can extract, revocable by the owner in a single, publicly verifiable call. Give every device an identity it can prove, and no one can copy.

whisper verify --trustless · anchored at the IANA DNS root. Our own API is not in the trust path.

1 dump a secret in firmware is a secret in every unit of the product line
600k devices in the Mirai botnet at its 2016 peak, recruited with default credentials
Aug 2023 Google Cloud IoT Core retired; fleets whose identity lived in it had to re-home it
~20–60KB flash for an embedded TLS engine; the DoH client on top is tiny (RFC 8484)
2005 CGA (RFC 3972) proved an address can be a function of a key; we made it routable and verifiable
Dec 2027 the EU Cyber Resilience Act's main obligations start applying to products with digital elements

This is how one bought device becomes your whole fleet, in someone else's hands.

No zero-day. No malware on your servers. Just a credential that was designed to be copied, copied.

01 · ACQUIRE

Buy one unit, own the class

A single retail purchase or an eBay lot. Serial numbers and MAC/EUI-64 ranges are printed on labels and FCC filings, so the fleet's public index is already on the table.

02 · EXTRACT

Dump the flash

UART, JTAG/SWD, or just desolder the SPI flash. Whatever the firmware authenticates with, an API key, a fleet-wide cert and private key, a hardcoded password, is now in the attacker's editor. A secret in firmware is a secret in every unit.

03 · PASS AUTH

The backend says yes

The credential is genuine, so the platform authorizes it. One BOLA/IDOR flaw turns one device's session into any device's data and commands. Nothing is broken; the design is being used as designed.

04 · IMPERSONATE AT SCALE

One operator, a whole fleet

With the shared secret, the attacker mints "devices" at will: fake telemetry, poisoned sensor data, command channels for units that don't exist, all indistinguishable from the real line.

05 · ROTATE

Every last IP is disposable

Egress hops Amazon → Google → Azure, or a residential-proxy swarm, every few requests. Your SOC sees a fresh last IP and correlates nothing. Mirai ran 600k devices this way in 2016 on nothing fancier than default passwords.

06 · OUTLIVE YOU

The console dies before the fleet does

Devices live 10–20 years; consoles don't. When Google Cloud IoT Core retired in August 2023, every fleet whose identity was anchored in it had to migrate or go dark. Identity that lives in a vendor console is a single point of failure with a shutdown date.

Invisible at the network layer by design: a real device is one address doing its job; the impostor is one operator pretending to be thousands, and every IP they ever show you is disposable. The root cause is one line long: the credential proves possession of a string, never possession of the device.

Strip the incident down and it isn't a hundred bugs. It's two.

Every step in that chain leans on exactly two structural gaps that every embedded fleet shares. Close both and the attack has nowhere left to stand.

Gap 1 · you can't follow them when the IP rotates

Rate-limit an IP and they spin up a fresh one. The egress is disposable; the last IP was never the attacker. So you block noise while the operator keeps working.

The answer: the graph. A live internet-infrastructure graph, 7.44B nodes and 39.3B relationships of fused BGP, DNS, WHOIS, TLS, hosting and threat intelligence, answering in under 300 ms, fingerprints the operator, not the IP. Two levers, kept honestly separate: for cloud rotation the graph clusters shared ASN, hosting and certificate lineage into one infrastructure genealogy; for a residential-proxy swarm, where a subscriber IP gives an infra graph nothing to grab, a JA4/JA3 client fingerprint travels with the tooling regardless of the exit and collapses the swarm to one operator. Every answer returns a reproducible evidence chain your SOC, your auditors and a regulator can replay.

The verbs your analysts run, or your agent runs for them: identify(ip) (who really operates a host, even behind a CDN) · origins(prefix) + walk(node,depth) (cluster rotating IPs into one genealogy) · history / watch (a timeline and a standing sentinel) · arbitrary read-only Cypher (express "one source presenting N distinct device-identities in a window" as a query, not a ticket).

"When they rotate residential proxies and fresh cloud IPs, can you actually attribute them, or just rate-limit an IP and move on?"

Track them. Infrastructure genealogy collapses the cloud rotation; a JA4 client fingerprint collapses the residential swarm. The egress IP is the one thing we don't rely on.

Gap 2 · a credential that can be copied will be copied

A shared API key, a fleet-wide certificate, a bearer token, a default password: each one authenticates whoever holds the string. Flash memory is not a vault; a firmware image circulates the moment the product ships. Nothing at the perimeter separates the extracted copy from the original, because they are byte-identical.

The answer: identity. Bind the session to the device's own forge-proof /128: an address derived from the IDevID key already sealed in its secure element, one the device can prove by signing and no flash dump can extract. An extracted image without the chip behind it authenticates to nothing, and every access that does happen leaves a per-device trail.

"An extracted credential looks exactly like the real device; how do you tell them apart after auth?"

You bind authority to the silicon, not the string. The identity is the address, the address derives from a key that never leaves the secure element, and the device proves control by signing with that key. A session that presents copied bytes but can't sign never had authority in the first place, and the DANE-EE pin makes every forgery a public, checkable inconsistency.

Gap 1 is detection made durable. Gap 2 is the root cause. Here's the root-cause cure.

Give every device an identity it can prove, and no dump can steal.

Stop treating device impersonation as a detection problem and make it an identity problem: strictly stronger. Whisper has one primitive: the address is the identity.

A routable IPv6 /128 out of 2a04:2a01::/32 (announced by AS219419), deterministically derived from a key, DNSSEC-anchored, DANE-EE pinned, RDAP/WHOIS-registered: re-derivable and verifiable by anyone with dig. whisper verify --trustless checks it against the IANA root; our own API is not in the trust path.

Point it at devices. Almost every serious embedded design already carries the anchor this needs: an IEEE 802.1AR IDevID key in a secure element (a Microchip ATECC608, an NXP EdgeLock SE050, an Infineon OPTIGA Trust M) or in on-chip OTP/PUF key storage. Whisper derives the device's /128 from that key's public half, with the device serial or EUI-64 as the domain separator. The private key never leaves the chip; the address is a one-way function of the public key and the serial; and the device proves control by signing with the key, exactly the ceremony the secure element was put on the board to perform. The same mechanism our automotive vertical runs for vehicles, generalized to anything that can hold a key.

Secure element the 802.1AR IDevID key never leaves the chip no dump extracts it public key + serial /128 2a04:2a01:…::e51d routable identity DNSSEC + DANE-EE A name anyone can verify whisper verify --trustless our API not in the trust path op:revoke → owner-thrown, publicly verifiable
The device proves control by signing with the key that never leaves the chip; the DANE-EE pin makes the proof publicly checkable. One leaf key per device; never a shared root, never a fleet-wide secret.

"One dump → a whole fleet" becomes physically impossible

You cannot present thousands of device-identities whose keys you don't hold. Every forgery is a DNSSEC/DANE inconsistency any verifier catches, keylessly, for free.

IP rotation becomes irrelevant

Identity is not the source IP. The "last IP" was never the credential, so rotating it, across clouds or residential proxies, changes nothing.

Extracted firmware fails

The flash image never contained the key. A byte-perfect copy of everything on the device, minus the secure element, authenticates to nothing.

One revoke, thrown by the owner, verifiable by anyone

At DNS-TTL speed, worldwide: dig -x returns nothing; verify returns false. No CRL you hope every verifier fetched, no OCSP soft-fail. A kill-switch with a paper trail.

Attaches to what you already ship; it does not replace it. Whisper complements the anchors embedded engineering already trusts: the 802.1AR IDevID in the secure element, BRSKI (RFC 8995) onboarding where you run it, secure boot, and the X.509 mTLS your device cloud already speaks. It is the publicly verifiable, DNSSEC/DANE-anchored layer on top: no bespoke CA trust store to push to every unit, and revocation at DNS-TTL speed instead of a CRL distribution problem. The lineage is honest, too: CGA (RFC 3972) showed in 2005 that an address can be a one-way function of a public key with no CA in sight. Whisper is that idea made routable, registered and revocable: real address space, RDAP records, and a DANE pin anyone can check.
The serial is the public index; the /128 is its cryptographic counterpart. Serial numbers and EUI-64s are printed on labels, boxes and FCC filings; that's what an attacker enumerates. But the /128 is bound to the device's key as well as the serial, so a serial alone yields nothing: you cannot go serial → /128 without the key, there is no enumerable directory, and RDAP and reverse-DNS return the registry object, never the device's location or owner details.
Be honest about what can run this. Not every microcontroller can, and we say so. The DoH client itself is tiny (RFC 8484 is a small HTTP exchange); the real cost is the TLS engine, roughly 20–60KB of flash and 25–63KB of peak RAM during the handshake. That's comfortable on an ESP32, a Cortex-M4/M33 running Zephyr or a vendor RTOS SDK, and trivial on embedded Linux, and it is out of reach for an 8-bit AVR. An ATmega328 does not speak DoH, and no page on this site will tell you otherwise: for that class, the gateway holds the identity and speaks for the devices behind it. The full capability map, honestly labelled, is on the platform page.
Lifecycle, end to end: RMA, resale, retirement. Factory key generation → in-life authorization → incident revoke. A returned or resold unit is one revoke and a re-register under the new owner; a board swap re-keys to a new /128 and retires the old one; a compromised device is that device, never the fleet, because there is no shared root to lose. And because the identity is anchored in public DNS and real registered address space rather than a vendor console, it survives the thing fielded fleets actually die of: the platform above them being turned off.

Standing on standards, not beside them: IEEE 802.1AR (the IDevID the key already is), BRSKI / RFC 8995 (bootstrapping that IDevID into ownership), CGA / RFC 3972 (the address-from-key lineage), and the IETF DANCE work (draft-ietf-dance-client-auth), which makes a device's DNS name and DANE-TLSA record its TLS client credential for exactly the MQTT/IoT surfaces embedded fleets run. Whisper's address-is-identity model is that model, deployed: the passwordless-device story →

The same primitive governs what your devices are turning into: agents that call APIs on their own.

An OTA client fetches firmware. A telemetry daemon streams to three clouds. An edge box runs models and calls LLM APIs with a paid key. Every one of them is an agent making network calls, and today the answer to "which device did this" is a shrug at a shared NAT address. Whisper answers it with identity instead of trust.

Which device did this is the source address

Every gateway, edge box and update client egresses from its own routable /128: attribution, not a guess.

Every query and connection is logged per-device

Queryable live via op:logs: a per-identity record, not a shared firehose. The trail an incident review, or a regulator, actually needs.

Policy on every query

A graph-first resolver and bound egress enforce category, geography, ownership and routing: default deny, allow or block by name or subdomain. A camera that should only ever reach its own cloud simply can't reach anything else, and a hijacked one can't call home to its new owner.

Inbound devices are verifiable

FCrDNS, RDAP, whisper verify: "trust the bearer token" becomes a checkable fact. Per-device budgets, a kill-switch, one revoke.

The device-to-cloud, MQTT, OTA and edge-agent surface, governed by the same address-is-identity primitive, from day one.

Don't take our word for it; our API isn't in the trust path.

Two tiers, by design. No key: anyone can verify a device's identity, resolve it, and back-trace a suspicious host, trustless, anchored at the IANA root, from any client with a TLS stack. Your key: register a device, govern its egress, revoke it worldwide.

verify & attribute: no key required
# keyless: re-derive and verify any device's identity, trustless
$ whisper verify --trustless 2a04:2a01:1c0::e51d
  ✓ DNSSEC chain valid to the IANA root
  ✓ DANE-EE (TLSA) leaf matches the identity's key
  ✓ RDAP: registered under AS219419 · 2a04:2a01::/32
  identity: VERIFIED, and our own API was never trusted

# the address is the device: reverse DNS names it
$ dig -x 2a04:2a01:1c0::e51d +short
  sn-04d0c85f3a1b.fleet.example-maker.whisper.online.

# who really operates a suspicious host: with your key, via the public graph API
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
    -H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"34.90.x.x\")"}'
  operator:  <fingerprinted> · seen across AWS / GCP / Azure
  residential swarm collapsed by JA4: same tooling, 41 exit IPs → 1 operator
provision & govern: with your key
# give a device a name it can prove, and govern its egress
$ export WHISPER_API_KEY=whisper_live_xxx
# --serial/--from-secure-element are on the roadmap; today provisioning is the live control-plane call (see docs)
$ whisper register --serial 04D0C85F3A1B --from-secure-element
  → identity 2a04:2a01:1c0::e51d   DNSSEC + DANE live
$ whisper policy set --default deny --allow ota.example-maker.com,telemetry.example-maker.com
$ whisper revoke 2a04:2a01:1c0::e51d   # owner-thrown, publicly verifiable, at DNS-TTL

Your device cloud authenticates devices to itself. Whisper makes them verifiable to everyone, and revocable by you.

Azure IoT Hub with DPS and AWS IoT with fleet provisioning are good at what they do: X.509 device auth into their own cloud, at scale. Keep them. What no cloud enrollment gives you is an identity a third party can verify without an account in your tenant, a revocation that lands everywhere at DNS-TTL speed rather than riding a CRL that verifiers soft-fail past, or an identity that outlives the console itself; ask any fleet that was anchored to a retired IoT platform. Whisper adds exactly those layers: the /128 is the identity, checkable with stock dig and RDAP by anyone, and the same address is a routable network endpoint with governed, attributable egress.

Cloud DPS (Azure / AWS)Whisper
Enroll devices into that vendor's cloud at scalecomplements it
Identity any third party verifies, keyless (dig / RDAP / DANE)
One-call revoke at DNS-TTL, worldwide (no CRL/OCSP soft-fail)
Identity survives the platform being retired✓ public DNS + registered space

And we're honest about the limits in the same breath: the smallest clients need the gateway pattern, the device needs IPv6 reachability or the egress path, the key must live in a secure element, and Whisper is additive and fails open, never a new single point of failure in your auth path. See the full, honest comparison →

Additive to your stack. Mapped to your standards. Priced so you can say yes.

Identity device /128 · DNSSEC · DANE-EE: who is this, provably secure element · IDevID · serial Attribution graph operator fingerprint across rotating clouds + residential: who's really behind this 7.44B nodes · BGP·DNS·TLS·JA4 Device governance per-device /128 · policy · logs · revoke: what may talk to what default-deny THE ADDRESS IS THE IDENTITY AS219419 · 2a04:2a01::/32 Your SIEM Splunk & Sentinel today Machine-readable CEF / ECS · STIX 2.1 roadmap Your standards EU CRA · 62443 · EN 303 645 · 802.1AR
Three planes on one primitive, and all three exit into the stack you already run, not a new silo.

Feeds your SIEM, not another console

The Splunk, Microsoft Sentinel and OpenCTI connectors ship today. Findings map to CEF and ECS fields, with STIX 2.1 over TAXII export on the roadmap. The evidence chain is signed, replayable JSON you can hand a regulator, or a customer whose fleet you run.

Speaks your compliance language

Maps to the EU Cyber Resilience Act's secure-by-default and vulnerability-handling duties, IEC 62443 component identification, ETSI EN 303 645 / the UK PSTI ban on universal default passwords, and 802.1AR device identity. Evidence you file, not a dashboard you screenshot.

In your auth path, and safe there

It rides on top of the X.509 mTLS your device cloud already runs, anchoring the same identity in public DNSSEC/DANE rather than replacing your vendor's enrollment. The verify plane is built to fail open: a Whisper outage never bricks a device in the field; checks degrade to your existing anchors. Anycast on AS219419, no single node in the path.

Flat, predictable pricing

Per-device/year and flat: not per-message, not per-MB, not per-API-call. Against always-on telemetry economics that's a line item you can forecast at BOM time, not a metered cloud bill you can't. See pricing →

On-prem or your own tenant

Data residency and GDPR by construction: the graph and the per-device logs stay where your regulator, and your customers, need them. No fleet telemetry landing in a shared lake nobody contracted for.

Infrastructure that outlives consoles

Real routable address space (AS219419), public DNS, open standards, run by people who ran the internet's regional address registry and operated one of its root DNS servers. Your devices will outlive most platforms; their identity should too. POC → pilot → enterprise, keyless to start.

Give every device an identity it can prove.

The address is the device: routable, DNSSEC-anchored, derived from the key sealed in its secure element, revocable by the owner in one publicly verifiable call. Keyless to try, one call to provision, one more to revoke.

Or run whisper verify --trustless right now.