andrea.bio
Andrea Barisani is an internationally recognized security researcher.
Since owning his first Commodore-64 he has never stopped studying new
technologies, developing unconventional attack vectors and exploring what makes
things tick...and break.
His experience builds on large-scale infrastructure defense,
penetration testing and code auditing with particular focus on safety critical
environments, with more than 20 years of professional experience in security
consulting.
His main focus lies on the convergence between secure hardware and
software, an interest consolidated in the authorship of the USB armory hardware
project and the TamaGo bare metal framework.
He is a well-known international speaker, having presented at
BlackHat, CanSecWest, Chaos Communication Congress, DEFCON, Hack In The Box,
among many other conferences, speaking about innovative research on automotive
hacking, side-channel attacks, payment systems, embedded system security and
many other topics.
Datasheet
EXPERTISE
───────────────────────────────────────────────────────────────────────────────
┌──────────┐ ┌───────────┬─────────┐
│ HARDWARE ├───┐ ┌───────────── research → │ RDS-TMC │ TEMPEST │█
└──────────┘ │ │ │ 802.3 PIP │ EMV │█
┌──────────┐ │ ░░░░░░░░ ├── penetration testing └─────────────────────┘█
│ FIRMWARE ├───┼─ SECURITY ─┤ ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
└──────────┘ │ ░░░░░░░░ ├──────── code auditing
┌──────────┐ │ │ ┌────────────┬────────┐
│ SOFTWARE ├───┘ └────────── engineering → │ USB ARMORY │ TAMAGO │█
└──────────┘ └─────────────────────┘█
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
OPEN SOURCE
───────────────────────────────────────────────────────────────────────────────
┌────────────┐ ┌─ MK I ──┐ ┌─ crucible ┌─ mxc-scc2 boot-transparency ─┐
│ USB ARMORY ├─┐ ├──┘ ┌─ mxs-dcp ┌──────── go-boot ─┘
└────────────┘ └─ MK II ─┘ └─ interlock ─┴─ caam-keyblob ┌────────── kanzashi
│ │ ┌────────── kotama
Armory Boot ──────┘ ┌────────┐ ┌─ amd64 ──┘ │
Armory Drive ──────┘ ─── arm ────┤ TAMAGO ├────┼─ arm64 │ ┄┄┄┄┄┄┄┄┄┄┄
Armored Witness ───┘ ─┬─ └────────┘ └─ riscv64 ──┘ ┆ tenshi ┆
│ ───┬─── ┆ ftester ┆
└─────── GoTEE ────────────┘ ┄┄┄┄┄┄┄┄┄┄┄
COMPANY
───────────────────────────────────────────────────────┬───────────────────────
2025/05 → Head of Security Engineering Reversec ┤ foundry.reversec.com
2022/03 → Head of Product Security WithSecure ┤ foundry withsecure.com
2017/02 → Head of Hardware Security F-Secure ┤ foundry f-secure.com
2017/02 → 🮙🮙🮙🮙🮙🮙🮙 Inverse Path is acquired by F-Secure │ 🮘🮘🮘🮘🮘🮘🮘🮘🮘🮘🮘🮘🮘🮘🮘🮘🮘🮘🮘🮘🮘🮘
FOUNDATION
───────────────────────────────────────────────────────┬───────────────────────
2005/11 → Co-Founder Inverse Path ┤ inversepath.com
MISC
───────────────────────────────────────────────────────────────────────────────
Co-Founder • Open Source CSIRT • ocert.org ← 2008/03 - 2017/08
Researcher • University of Trieste, Department of Astronomy ← 2005/06 - 2007/12
UNIX Programming Consultant • London Internet Exchange ← 2004/11 - 2004/12
Infrastructure Developer • Gentoo Linux ← 2003/07 - 2006/02
UNIX Security Engineer • Live Network Security ← 2001/10 - 2005/10
Sysadmin and Security Officer • NE&T, Webtechna ← 2000/11 - 2001/07
Outdoor
🏔
🏂
🚁
⛰
🧗
🏃
Contact
Andrea "lcars" Barisani | andrea@inversepath.com | PGP/GPG key: 0x864C9B9E | Trieste, Italy
Social
Bluesky | Mastodont | 𝕏 | Instagram
Industries
security engineering, {software,firmware,hardware} auditing, penetration testing, reverse engineering, cross-domain isolation on safety critical systems, data diodes, embedded system design, HSMs & TEEs, ...
Co-author of the very first research on vehicle security, vast experience in securing all kinds of automotive embedded systems such as telematic control units, infotainment systems and ECUs.
A focal point, with many years of experience, for aircraft and avionics manufacturers in auditing their safety critical systems for hardware or software security issues.
Deep knowledge and experience in the convergence between software and hardware, aimed at securing all layers and protecting intellectual property on all kinds of consumer electronics.
Vast experience in security auditing for major IT infrastructures of the largest enterprise environments, including large scale penetration testing, application auditing and IDS deployment.
Co-author of leading research in credit card security, discovering novel flaws in Chip & PIN systems. Vast experience in securing entire banking infrastructures from consumer card chips to POSes and up to transaction backends.
Specialized in securing safety critical infrastructure from the ground up, including hardware, firmware and software auditing of proprietary control systems with air, land, sea or space applications.
Conferences
2026
| GopherCon Europe | 2026-06-15/2026-06-18 | Berlin, Germany | 🖧 |
2025
| Transparency.dev Summit | 2025-10-20/2025-10-22 | Gothenburg, Sweden | 🖧 |
| Open Source Firmware Conference & UEFI Plugfest | 2025-10-07/2025-10-10 | Sunnyvale, California | 🥚 |
2024
| Transparency.dev Summit | 2024-10-09/2024-10-11 | London, United Kingdom | 🖧 |
| Open Source Firmware Conference | 2024-09-03/2024-09-04 | Bochum, Germany | 🥚 |
| Asilomar Microcomputer Workshop | 2024-04-24/2024-04-26 | Pacific Grove, USA | 🥚 |
| CanSecWest | 2024-03-20/2024-03-22 | Vancouver, Canada | 🖧 |
2023
| Airbus CYCON | 2023-10-10 | The Internet | 🥚 |
2020
| GoLab | 2020-10-19/2020-10-25 | The Internet | 🥚 |
2019
| Chaos Communication Congress | 2019-12-27/2019-12-30 | Leipzig, Germany | 🥚 |
| escar europe | 2019-11-19/2019-11-20 | Stuttgart, Germany | 🐞 |
| Pacsec | 2019-11-06/2019-11-07 | Tokyo, Japan | 🐞 |
| t2 | 2019-10-24/2019-10-25 | Helsinki, Finland | 🔒 |
| escar asia | 2019-10-01/2019-10-02 | Tokyo, Japan | 🐞 |
| BSidesVarazdin | 2019-09-18 | Varaždin, Croatia | 🔒 |
| No Hat | 2019-09-14 | Bergamo, Italy | 🔒 |
2018
| Hack In The Box | 2018-11-01/2018-11-02 | Beijing, China | 🔒 |
| Air Power Conference | 2018-10-30/2018-11-01 | Helsinki, Finland | ✈ |
| FSec IoT Hacking Summer School | 2018-07-16/2018-07-22 | Varaždin, Croatia | ✈, TrustZone |
| Aero'Nov Connection | 2018-06-27/2018-06-28 | Marseille, France | ✈ |
2017
| SPIME | 2017-09-20/2017-09-21 | Torino, Italy | IoT Security |
2016
| Airbus's Aircraft Security User Panel | 2016-10-17/2016-10-20 | Marseille, France | 🎵 |
| FSEC | 2016-09-14/2016-09-15 | Varaždin, Croatia | 🔒 |
| The Internet of Broken Things (POLIMI) | 2016-09-07 | Milano, Italy | ✈ |
| RMLL | 2016-07-04/2016-07-06 | Paris, France | 🔒 |
| Area41 | 2016-06-10/2016-06-11 | Zurich, Switzerland | 🔒 |
| International Journalism Festival | 2016-04-06/2016-04-10 | Perugia, Italy | 🛃 |
| CanSecWest | 2016-03-15/2016-03-18 | Vancouver, Canada | 🏫 |
2015
| t2 | 2015-10-29/2015-10-30 | Helsinki, Finland | 🔒 |
| Hack.lu | 2015-10-20/2015-10-22 | Luxembourg City, Luxembourg | 🔒 |
| HackInBo | 2015-10-17 | Bologna, Italy | ☲, ✈ |
| 44CON | 2015-09-14/2015-09-15 | London, United Kingdom | 🔒 |
| Black Hat USA | 2015-08-01/2015-08-06 | Las Vegas, USA | 🔒 |
| Hack In The Box | 2015-05-26/2015-05-29 | Amsterdam, Netherlands | 🔒 |
| Black Hat Asia | 2015-03-26/2015-03-27 | Singapore | 🔒 |
| CanSecWest | 2015-03-18/2015-03-20 | Vancouver, Canada | 🏫 |
| BSidesLjubljana | 2015-03-12 | Ljubljana, Slovenia | 🔒 |
2014
| Chaos Communication Congress | 2014-12-27/2014-12-30 | Hamburg, Germany | 🔒, 💳 |
| NoSuchCon | 2014-11-19/2014-11-21 | Paris, France | 🔒 |
| Pacsec | 2014-11-12/2014-11-13 | Tokyo, Japan | 🔒 |
| Hack In The Box | 2014-10-13/2014-1-16 | Kuala Lumpur, Malaysia | 🔒 |
| PXE | 2014-05-30 | Berlin, Germany | █ |
2013
| t2 | 2013-10-24/2013-10-25 | Helsinki, Finland | ☲ |
| Hack.lu | 2013-10-22/2013-10-24 | Luxembourg City, Luxembourg | ☲ |
| Black Hat USA | 2013-07-27/2013-08-01 | Las Vegas, USA | ☲ |
| HITCON | 2013-07-19/2013-07-20 | Taipei, Taiwan | 💳 |
| NoSuchCon | 2013-05-15/2013-05-17 | Paris, France | 🎵 |
| SOURCE | 2013-04-16/2013-04-18 | Boston, USA | 💻 |
| CFI-CIRT PDD | 2013-03-26 | Toronto, Canada | 💳 |
| IT-Defense | 2013-01-30/2013-01-31 | Berlin, Germany | 💻 |
2012
| Hack In The Box | 2012-10-08/2012-10-08 | Kuala Lumpur, Malaysia | 💻 |
| Airbus's Aircraft Security User Panel | 2012-06-19/2012-06-22 | Montauban, France | ✈ |
| (the last) PH-Neutral | 2012-05-25 | Berlin, Germany | ☲ |
2011
| IT-Defense | 2011-02-08/2011-02-10 | Munich, Germany | 💳 |
| AVTOKYO | 2011-11-12 | Tokyo, Japan | 💳 |
| t2 | 2011-10-27/2011-10-28 | Helsinki, Finland | 💳 |
| Hack In The Box | 2011-10-10/2011-10-13 | Kuala Lumpur, Malaysia | 💳 |
| Hack.lu | 2011-09-19/2011-09-21 | Luxembourg City, Luxembourg | 💳 |
| XCon | 2011-09-01/2011-09-02 | Beijing, China | 💳 |
| DEFCON | 2011-08-04/2011-08-07 | Las Vegas, USA | 💳 |
| Black Hat USA | 2011-08-03/2011-08-04 | Las Vegas, USA | 💳 |
| PH-Neutral | 2011-05-27/2011-05-29 | Berlin, Germany | 💳 |
| CanSecWest | 2011-03-09/2011-03-11 | Vancouver, Canada | 💳 |
| TEDx | 2011-02-25 | Trieste, Italy | Hacking |
2010
| PacSec | 2010-11-10/2010-11-11 | Tokyo, Japan | 👥 |
| IT-SECA, CERT-BW | 2010-06-11 | Stuttgart, Germany | 🚗, 📡 |
| HackCon | 2010-02-16/2010-02-18 | Oslo, Norway | 📡 |
| IT-Defense | 2010-02-03/2010-02-05 | Cologne, Germany | 📡 |
2009
| t2 | 2009-10-29/2009-10-30 | Helsinki, Finland | 📡 |
| Hack In The Box | 2009-10-05/2009-10-08 | Kuala Lumpur, Malaysia | 📡 |
| DEFCON | 2009-07-30/2009-08-02 | Las Vegas, USA | 📡 |
| Black Hat USA | 2009-07-25/2009-07-30 | Las Vegas, USA | 📡 |
| Shakacon | 2009-06-08/2009-06-12 | Honolulu, Hawaii | 📡 |
| PH-Neutral | 2009-05-29/2009-05-31 | Berlin, Germany | 📡 |
| CanSecWest | 2009-03-16/2009-03-20 | Vancouver, Canada | 📡, 🏫 |
2008
| PacSec | 2008-11-10/2008-11-13 | Tokyo, Japan | 🏫 |
| SecVest | 2008-09-23/2008-09-24 | Bergen, Norway | oCERT |
| CanSecWest | 2008-03-24/2008-03-28 | Vancouver, Canada | 🏫 |
| HackCon | 2008-02-06/2008-02-07 | Oslo, Norway | 🚗 |
| IT-Defense | 2008-01-21/2008-01-25 | Hamburg, Germany | 🚗 |
2007
| PacSec | 2007-11-29/2007-11-30 | Tokyo, Japan | 🏫 |
| MEITSEC | 2007-11-12/2007-11-13 | Sharjah, Arab Emirates | 🚗 |
| Hack.lu | 2007-10-18/2007-10-20 | Luxembourg City, Luxembourg | 🚗 |
| Hack In The Box | 2007-09-03/2007-09-06 | Kuala Lumpur, Malaysia | 🚗 |
| DEFCON | 2007-08-03/2007-08-05 | Las Vegas, USA | 🚗 |
| Black Hat USA | 2007-08-01/2007-08-03 | Las Vegas, USA | 🚗 |
| PH-Neutral | 2007-05-25/2007-05-27 | Berlin, Germany | 🚗 |
| AusCERT | 2007-05-21/2007-05-25 | Gold Coast, Australia | ☣, 🛂 |
| CanSecWest | 2007-04-16/2007-04-20 | Vancouver, Canada | 🚗 |
| IT Underground | 2007-03-07/2007-03-09 | Prague, Czech Republic | 🛂 |
2006
| IT Underground | 2006-10-26/2006-10-27 | Warsaw, Poland | 🛂 |
| 0sec | 2006-10-13/2006-10-15 | Bern, Switzerland | 🛂 |
| FOSDEM | 2006-02-26 | Brussels, Belgium | 🛂 |
| EuSecWest | 2006-02-20/2006-02-21 | London, UK | ☣ |
2005
| PacSec | 2005-11-15/2005-11-16 | Tokyo, Japan | 🛂 |
🎵 Keynote
👥 Panel
☣ Lessons in Open Source security: the tale of a 0-Day incident
🛂 Building a modern LDAP based security framework
🏫 Security Masters Dojo