What is this embedded thing? Why should I care?

How many computers do you own and use? One? Two? Even more? Chances are that even in a technology averse household, it is more likely some dozens.

All of these small computers do not appear out of thin air. People design, manufacture and test them, software is developed and maintained for them. And still, this whole ecosystem of so-called “embedded systems” is hardly present on the minds of its users and consumers.

Let's understand the concept of an embedded system to get started, then take a rocket ride through the technologies and concepts involved. We will find a lot of open source software along the way!

Once we have finished the trip, you will see: “Open source runs the world, but the world doesn’t know about it.”

The three deadly pins

Ground, TX, RX. Three UART pins and a two-dollar serial adapter are everything that an interested tinkerer, sometimes called a security researcher, will need to take over many devices. But why is that? Serial consoles into bootloaders, and especially into the most beloved U-Boot, are one of the most valuable debugging tools during device development. They come in several forms and shapes. Some are very obvious, others less so. To get started, we will take a quick tour around commonly found characteristics of exposed UARTs. Once we have access, let's take a look at a few things we can do. From memory evaluation and manipulation, to file system access, from sideloading payloads to running arbitrary binaries, there’s something in there for everybody.
Hardly surprising, once your device has shipped, this can also be used for non-development purposes. How can you - and should you? - expose this? Or not? If yes, where and under which circumstances? This seemingly simple question turns into a threat modeling exercise real fast. And that question actually answers which hardening measures we should or even must take, if we want to finally reach a secured boot chain. Spoiler: hardly any keys or cryptography involved here.

Preferred session duration: 30-45 minutes

The Hidden World of Embedded: Why Your Coffee Machine Runs Linux

Here's a fun fact: Linux doesn't just run your Kubernetes clusters – it runs the world. Your car? Very likely Linux. The router for this conference WiFi? Linux. Your office HVAC? Probably Linux. NASA's Mars helicopter? Definitely Linux. And most of these systems are built with the Yocto Project, which just turned 15 years old.
Hi, I'm Josef Holzmayr – the "Yocto Jester" – and I've spent years building Linux systems for everything from industrial controls to coffee machines. In this talk, I'll show you the massive embedded ecosystem that not only mainstream developers, but actually everybody in today's world never sees but absolutely depends on.
We'll explore:
Why car manufacturers like BMW and Mercedes build with Yocto
How internet infrastructure actually works (spoiler: it's Linux all the way down)
What happens when your deployment target has 64MB of RAM and needs to run for 10 years
Why embedded developers are obsessed with reproducible builds (and why you should care)
But here's where it gets interesting: The EU Cyber Resilience Act is about to mandate good security practices for connected devices. Imagine maintaining software for millions of washing machines, deployed for 15+ years, that can't just be "recalled" for updates. The embedded world is preparing for this challenge, and there are lessons here for everyone.
Whether you're curious about why your refrigerator needs firmware updates, considering embedded as a career move (spoiler: we desperately need more developers), or just want to understand what actually makes the physical world tick, this session will change how you think about software.

Preferred duration: 45-60 minutes