Cyber Resilience Act and XJTAG

What is the Cyber Resilience Act?

The Cyber Resilience Act is an EU regulation which was adopted in 2024 and is scheduled to come into effect in December 2027, with the intention of ensuring that users of software and hardware have suitable levels of protection from network-based attacks. Its requirements fall into a few categories:

  • Products must support security updates, including having automatic updates enabled by default.
  • Products must not include any known vulnerabilities.
  • Personal user data must be protected.
  • Users must be informed of vulnerabilities when discovered.
    • Information about any vulnerabilities must be retained for 10 years after any support period ends.

This list is not intended to be exhaustive, but to give an impression of the goals of the legislation – to make products resilient to attack from outside so that users can be reassured that their data is safe. The onus is placed on the manufacturers of products to ensure that they are designed securely and that this security is maintained throughout the operating life.

The “risk” in cyber-security is a potential attacker altering the product’s “use, behaviour or performance”, typically in an attempt to gain information or to prevent their victim from being able to operate as normal.

What does this mean for using JTAG?

We believe that JTAG is not an “exploitable vulnerability” in virtually all cases, since in normal use there is no JTAG connection to any of the devices on a board which could be exploited, and hence no remote access to the system can be obtained through it. Use of JTAG during testing leaves no software running on the product at runtime, and so it cannot form a software attack surface.

Physical access does need to be considered. In the case of personal devices, this is likely not to be covered by the Cyber Resilience Act, as the act does not cover modification of a person’s own property. However, if a device is in a public place and physical access could lead to an attacker gaining access to unauthorised systems, then additional security may be required.

In cases where physical protection is insufficient, JTAG access can be further prevented through the use of eFuses, Tcl commands or breakaway PCB areas, the last of these giving an actual physical barrier to connecting to the board. These solutions need to be considered carefully: retaining legitimate physical access to the JTAG ports can be very useful for applying system updates, so a requirement for non-destructive security features may influence the choice of devices such as CPUs or microcontrollers.

Where does XJTAG stand?

XJTAG is confident that using JTAG and specifically using XJTAG’s tools for test and programming does not present a significant cyber-security risk. If JTAG connections already exist for programming or debug, there is no additional danger in using them for test.

XJTAG recommends that manufacturers make their own decisions regarding what counts as a vulnerability for their particular system; whilst our opinion is that JTAG is not usually a security risk, in some cases customers may wish to be more cautious. We would encourage our customers to familiarise themselves with the relevant law and obtain legal advice if necessary. XJTAG is not a legal firm and cannot give legal counsel.