# Whisper for Embedded: give every device an identity it can prove

> A secret baked into firmware shouldn't be able to speak for every device you
> ship. The address **is** the device: a routable, DNSSEC-anchored /128 derived
> from the key already sealed in its secure element, one no dump can extract,
> revocable by the owner in a single, publicly verifiable call. Additive to
> your stack.

Buy one unit, dump the flash, and whatever it authenticates with, a shared API
key, a fleet-wide certificate, a default password, is now a genuine credential
for the entire product line. The impostor passes every auth check, rotates
egress across Amazon, Google and Azure until all your backend has logged is a
meaningless *last IP*, and when the cloud console that held your fleet's
identity retires, the fleet is orphaned in the field. It all works for one
reason: your devices have no identity they can prove. **We give them one.**

`whisper verify --trustless` · anchored at the IANA DNS root. Our own API is not in the trust path.

- **1 dump**: a secret in firmware is a secret in every unit of the product line
- **600k** devices in the Mirai botnet at its 2016 peak, recruited with default credentials
- **Aug 2023**: Google Cloud IoT Core retired; fleets whose identity lived in it had to re-home it
- **~20-60KB** flash for an embedded TLS engine; the DoH client on top is tiny (RFC 8484)
- **2005**: CGA (RFC 3972) proved an address can be a function of a key; we made it routable and verifiable
- **Dec 2027**: the EU Cyber Resilience Act's main obligations start applying to products with digital elements

---

## The attack, step by step

**This is how one bought device becomes your whole fleet, in someone else's hands.**
No zero-day. No malware on your servers. Just a credential that was designed to
be copied, copied.

1. **ACQUIRE**: a single retail purchase or an eBay lot. Serial numbers and MAC/EUI-64 ranges are printed on labels and FCC filings, so the fleet's public index is already on the table.
2. **EXTRACT**: dump the flash over UART, JTAG/SWD, or desolder the SPI part. Whatever the firmware authenticates with, an API key, a fleet-wide cert and private key, a hardcoded password, is now in the attacker's editor. A secret in firmware is a secret in *every unit*.
3. **PASS AUTH**: the credential is genuine, so the platform authorizes it. One BOLA/IDOR flaw turns *one* device's session into *any* device's data and commands.
4. **IMPERSONATE AT SCALE**: with the shared secret, the attacker mints "devices" at will: fake telemetry, poisoned sensor data, command channels for units that don't exist.
5. **ROTATE**: egress hops Amazon → Google → Azure, or a residential-proxy swarm, every few requests. Your SOC sees a fresh last IP and correlates nothing. Mirai ran 600k devices this way in 2016 on nothing fancier than default passwords.
6. **OUTLIVE YOU**: devices live 10-20 years; consoles don't. When Google Cloud IoT Core retired in August 2023, every fleet whose identity was anchored in it had to migrate or go dark.

The root cause is one line long: the credential proves possession of a string,
never possession of *the device*.

---

## Strip the incident down and it isn't a hundred bugs. It's two.

### Gap 1 · you can't follow them when the IP rotates

Rate-limit an IP and they spin up a fresh one. The egress is disposable; the
last IP *was never the attacker*.

**The answer: the graph.** A live internet-infrastructure graph, **7.44B**
nodes and **39.3B** relationships of fused BGP, DNS, WHOIS, TLS, hosting
and threat intelligence, answering in under 300 ms, fingerprints the *operator*, not
the IP. Two levers, kept honestly separate:

- **Cloud rotation**: the graph clusters shared ASN, hosting and certificate lineage into one infrastructure genealogy.
- **Residential-proxy swarm**: where a subscriber IP gives an infra graph nothing to grab, a `JA4/JA3` client fingerprint travels with the *tooling* regardless of the exit and collapses the swarm to one operator.

Every answer returns a reproducible **evidence chain** your SOC, your auditors and a
regulator can replay. The verbs: `identify(ip)`, `origins(prefix)` + `walk(node,depth)`,
`history` / `watch`, and arbitrary read-only Cypher ("one source presenting N distinct
device-identities in a window").

> **"When they rotate residential proxies and fresh cloud IPs, can you actually attribute them?"**
> Track them. Infrastructure genealogy collapses the cloud rotation; a JA4 client
> fingerprint collapses the residential swarm. The egress IP is the one thing we don't rely on.

### Gap 2 · a credential that can be copied will be copied

A shared API key, a fleet-wide certificate, a bearer token, a default password:
each one authenticates *whoever holds the string*. Flash memory is not a vault;
a firmware image circulates the moment the product ships.

**The answer: identity.** Bind the session to the device's own forge-proof **/128**:
an address derived from the IDevID key already sealed in its secure element, one the
device can prove by signing and no flash dump can extract. An extracted image without
the chip behind it authenticates to *nothing*.

> **"An extracted credential looks exactly like the real device; how do you tell them apart after auth?"**
> You bind authority to the silicon, not the string. The identity is the address,
> the address derives from a key that never leaves the secure element, and the
> device proves control by signing with that key. A session that presents copied
> bytes but can't sign never had authority in the first place.

---

## The root-cause cure · identity

**Whisper has one primitive: the address is the identity.** A routable IPv6
**/128** out of `2a04:2a01::/32` (announced by **AS219419**), deterministically
derived from a key, DNSSEC-anchored, **DANE-EE** pinned, RDAP/WHOIS-registered:
re-derivable and verifiable by anyone with `dig`. `whisper verify --trustless`
checks it against the IANA root; *our own API is not in the trust path.*

**Point it at devices.** Almost every serious embedded design already carries the
anchor this needs: an **IEEE 802.1AR IDevID key** in a secure element (a Microchip
ATECC608, an NXP EdgeLock SE050, an Infineon OPTIGA Trust M) or in on-chip OTP/PUF
key storage. Whisper derives the device's /128 from that key's public half, with the
**device serial or EUI-64 as the domain separator**. The private key never leaves
the chip; the address is a one-way function of the public key and the serial; and
the device proves control by signing with the key. The same mechanism our automotive
vertical runs for vehicles, generalized to anything that can hold a key.

```
secure element        ──pubkey + serial──▶  /128  ──DNSSEC+DANE-EE──▶  a name anyone can verify
(the 802.1AR IDevID key,                   2a04:2a01:…::e51d           whisper verify --trustless
 never leaves the chip,                    routable identity           our API not in the trust path
 no dump extracts it)                                                  op:revoke → owner-thrown, public
```

What becomes true the moment you do this:

- **"One dump → a whole fleet" becomes physically impossible.** Every forgery is a DNSSEC/DANE inconsistency any verifier catches, keylessly, for free.
- **IP rotation becomes irrelevant.** Identity is not the source IP; the "last IP" was never the credential.
- **Extracted firmware fails.** The flash image never contained the key. A byte-perfect copy of everything on the device, minus the secure element, authenticates to nothing.
- **One `revoke`, thrown by the owner, verifiable by anyone**: `dig -x` returns nothing, verify returns false, worldwide at DNS-TTL speed. No CRL you hope every verifier fetched, no OCSP soft-fail.

**Attaches to what you already ship; it does not replace it.** Whisper complements
the anchors embedded engineering already trusts: the **802.1AR IDevID** in the secure
element, **BRSKI (RFC 8995)** onboarding where you run it, secure boot, and the X.509
mTLS your device cloud already speaks. The lineage is honest, too: CGA (RFC 3972)
showed in 2005 that an address can be a one-way function of a public key with no CA
in sight. Whisper is that idea made *routable, registered and revocable*: real address
space, RDAP records, and a DANE pin anyone can check.

**The serial is the public index; the /128 is its cryptographic counterpart.**
Serials and EUI-64s are printed on labels, boxes and FCC filings; that's what an
attacker enumerates. But the /128 is bound to the device's key as well as the serial,
so a serial alone yields nothing, there is no enumerable directory, and RDAP and
reverse-DNS return the registry object, never the device's location.

**Be honest about what can run this.** The DoH client itself is tiny (RFC 8484); the
real cost is the TLS engine, roughly 20-60KB of flash and 25-63KB of peak RAM during
the handshake. That's comfortable on an ESP32, a Cortex-M4/M33 running Zephyr or a
vendor RTOS SDK, and trivial on embedded Linux, and it is *out of reach for an 8-bit
AVR*. An ATmega328 does not speak DoH, and no page on this site will tell you
otherwise: for that class, the gateway holds the identity and speaks for the devices
behind it. The full capability map is on the [platform page](/platform).

**Lifecycle, end to end: RMA, resale, retirement.** A returned or resold unit is one
`revoke` and a re-register under the new owner; a board swap re-keys to a new /128;
a compromised device is *that device*, never the fleet, because there is no shared
root to lose. And because the identity is anchored in public DNS and real registered
address space rather than a vendor console, it survives the thing fielded fleets
actually die of: the platform above them being turned off.

Standing on standards, not beside them: **IEEE 802.1AR** (the IDevID the key already
is), **BRSKI / RFC 8995** (bootstrapping that IDevID into ownership), **CGA / RFC 3972**
(the address-from-key lineage), and the IETF **DANCE** work
(draft-ietf-dance-client-auth), which makes a device's DNS name and DANE-TLSA record
its TLS *client* credential for exactly the MQTT/IoT surfaces embedded fleets run.
Whisper's address-is-identity model is that model, deployed:
[the passwordless-device story →](/docs/device-secret-cure)

---

## The next surface · fleets are becoming agents

An OTA client fetches firmware. A telemetry daemon streams to three clouds. An edge
box runs models and calls LLM APIs with a paid key. Every one of them is an agent
making network calls, and today "which device did this" is a shrug at a shared NAT
address.

- **Which device did this is the source address**: every gateway, edge box and update client egresses from its own routable /128.
- **Every query and connection is logged per-device**, queryable live via `op:logs`.
- **Policy on every query**: default deny, allow or block by name or subdomain. A camera that should only ever reach its own cloud simply can't reach anything else.
- **Inbound devices are verifiable**: FCrDNS, RDAP, `whisper verify`. Per-device budgets, a kill-switch, one `revoke`.

---

## Prove it in 60 seconds · no account

Two tiers, by design. **No key:** anyone can verify a device's identity, resolve it,
and back-trace a suspicious host, trustless, anchored at the IANA root, from any
client with a TLS stack. **Your key:** register a device, govern its egress, revoke
it worldwide.

```sh
# keyless: re-derive and verify any device's identity, trustless
$ whisper verify --trustless 2a04:2a01:1c0::e51d
  ✓ DNSSEC chain valid to the IANA root
  ✓ DANE-EE (TLSA) leaf matches the identity's key
  ✓ RDAP: registered under AS219419 · 2a04:2a01::/32
  identity: VERIFIED, and our own API was never trusted

# the address is the device: reverse DNS names it
$ dig -x 2a04:2a01:1c0::e51d +short
  sn-04d0c85f3a1b.fleet.example-maker.whisper.online.

# who really operates a suspicious host: with your key, via the public graph API
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
    -H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"34.90.x.x\")"}'
  operator:  <fingerprinted> · seen across AWS / GCP / Azure
  residential swarm collapsed by JA4: same tooling, 41 exit IPs → 1 operator
```

```sh
# give a device a name it can prove, and govern its egress
$ export WHISPER_API_KEY=whisper_live_xxx
# --serial/--from-secure-element are on the roadmap; today provisioning is the live control-plane call (see docs)
$ whisper register --serial 04D0C85F3A1B --from-secure-element
  → identity 2a04:2a01:1c0::e51d   DNSSEC + DANE live
$ whisper policy set --default deny --allow ota.example-maker.com,telemetry.example-maker.com
$ whisper revoke 2a04:2a01:1c0::e51d   # owner-thrown, publicly verifiable, at DNS-TTL
```

Bring your devices home → <https://console.whisper.security/sign-up> · Read the [docs](/docs).

---

## Where Whisper fits

**Your device cloud authenticates devices *to itself*. Whisper makes them verifiable
to *everyone*, and revocable by *you*.** Azure IoT Hub with DPS and AWS IoT with fleet
provisioning are good at what they do: X.509 device auth into their own cloud, at
scale. Keep them. What no cloud enrollment gives you is an identity a *third party*
can verify without an account in your tenant, a revocation that lands everywhere at
DNS-TTL speed rather than riding a CRL that verifiers soft-fail past, or an identity
that outlives the console itself.

| | Cloud DPS (Azure / AWS) | Whisper |
|---|---|---|
| Enroll devices into that vendor's cloud at scale | ✓ | *complements it* |
| Identity any third party verifies, keyless (dig / RDAP / DANE) | – | ✓ |
| One-call revoke at DNS-TTL, worldwide (no CRL/OCSP soft-fail) | – | ✓ |
| Identity survives the platform being retired | – | ✓ public DNS + registered space |

And we're honest about the limits in the same breath: the smallest clients need the
gateway pattern, the device needs IPv6 reachability or the egress path, the key must
live in a secure element, and Whisper is additive and fails open, never a new single
point of failure in your auth path. [See the full comparison →](/compare)

---

## Built for the people who have to sign off

- **Feeds your SIEM, not another console.** The Splunk, Microsoft Sentinel and OpenCTI connectors ship today. Findings map to CEF and ECS fields, with STIX 2.1 over TAXII export on the roadmap.
- **Speaks your compliance language.** Maps to the EU Cyber Resilience Act's secure-by-default and vulnerability-handling duties, IEC 62443 component identification, ETSI EN 303 645 / the UK PSTI ban on universal default passwords, and 802.1AR device identity.
- **In your auth path, and safe there.** Rides on top of the X.509 mTLS your device cloud already runs; the verify plane fails open, so a Whisper outage never bricks a device in the field. Anycast on AS219419, no single node in the path.
- **Flat, predictable pricing.** Per-device/year and flat: not per-message, not per-MB, not per-API-call. [See pricing →](/pricing)
- **On-prem or your own tenant.** Data residency and GDPR by construction.
- **Infrastructure that outlives consoles.** Real routable address space, public DNS, open standards, run by people who ran the internet's regional address registry and operated one of its root DNS servers.

---

## Give every device an identity it can prove.

The address is the device: routable, DNSSEC-anchored, derived from the key sealed in
its secure element, revocable by the owner in one publicly verifiable call. Keyless
to try, one call to provision, one more to revoke.

Bring your devices home → <https://console.whisper.security/sign-up> · [For device makers →](/for-device-makers)

Or run `whisper verify --trustless` right now.

---

*Whisper for Embedded · Identity on the wire for every device · AS219419 · 2a04:2a01::/32*
*© viaGraph B.V. (dba Whisper Security)*
