The thirty-year assumption baked into MIPS datasheets, RTOS threat models, certification security targets, and procurement specs is now technically falsifiable. And no single actor in the MIPS supply chain is positioned to retire it.
Researchers at the Rochester Institute of Technology have published a systematic framework for probing timing leaks in embedded MIPS processors, the family of chip designs that quietly powers most of the connected hardware the public never thinks about: home routers, set-top boxes, automotive engine controllers, industrial automation gear, and a long tail of internet-of-things devices. The work, presented at the ARES 2026 security conference and posted to arXiv by Najeeb, Ahmed, and Brumley, treats three shared on-chip components (the L1 data cache, the L1 instruction cache, and the execution engine) as attack surfaces, and demonstrates that measurable differences in how long the chip takes to respond can be coerced into leaking cryptographic and operational secrets.
This is not a single bug, and it is not active malware. The contribution is reusable tooling. MIPSBLEED, as the authors call it, gives defenders and security researchers a way to systematically audit the timing behavior of embedded designs before adversaries do. The same framework that exposes the leaks also gives vendors a path to harden their products before the technique ends up in less disclosure-restrained hands.
What makes the finding consequential is not the technique itself. Microarchitectural timing side channels, which let an attacker infer secret data from how long a chip takes to perform operations even when the data is never directly exposed, have been a known hazard in desktop and server CPUs for years. The news is that the assumption that "embedded" means no co-resident attacker is no longer safe. That carve-out has justified thinner isolation between workloads, lighter threat models in safety certifications, and a whole generation of RTOS security targets. Cross-core timing channels are now demonstrable on the chips that hold that carve-out up.
Simultaneous Multithreading is the proximate amplifier. SMT, a performance feature that lets a single physical core run two threads of work in parallel, is increasingly common in embedded designs as manufacturers chase more compute per watt. The RIT work shows that the same parallelism that boosts throughput also creates a shared channel between threads. A workload on one logical core can measure timing artifacts caused by another workload sharing the same physical core, and infer data it was never supposed to see. The performance-versus-security tension is not a footnote. It is part of the news.
The institutional consequences are larger than the technical finding. The MIPS ecosystem is layered: an IP holder licenses the core, an OEM integrates it into a system-on-chip, an RTOS vendor provides the software stack, a certifier evaluates the design against a security or safety standard, and an operator deploys it in the field. Each of those roles has historically leaned on the "embedded, not multi-tenant" assumption to reduce isolation overhead and shorten certification timelines. The RIT measurement does not introduce a new risk class so much as retire a definitional carve-out that the entire chain has been quietly underwriting for thirty years.
The pattern is familiar. "Air-gapped" survived as a procurement and assurance category until Stuxnet. "Perimeter" survived as a security architecture until SolarWinds. In each case, the technical finding was downstream of the definitional one. The carve-out was doing real work in contracts, threat models, and certification documents long before anyone was forced to reckon with its limits. MIPSBLEED puts embedded silicon in the same posture: the institutional artifact outlived the technical reality, and the technical reality has now caught up.
The retrofit cost will be distributed and slow. IP holders will need to update reference threat models and isolation guidance. RTOS vendors will need to revisit the security targets they hand to certifiers. Certification bodies will need to decide whether SMT-enabled designs need the same cross-core isolation evidence that multi-tenant server silicon has carried for years. OEMs will need to fund the testing. Operators will need to decide what to do with deployed fleets that were never designed for this threat model. None of those actors is positioned to be the agent of the carve-out's retirement, because none of them owns the full contractual chain.
What the RIT framework does provide is a way to do the audit work. A vendor or security team can run MIPSBLEED-style measurements against an embedded design, see where the timing channel actually opens, and harden the design before the technique is weaponized. That is the constructive close: a research baseline for the next generation of embedded chips, and a concrete path to hardening, even if the institutional retirement of the old assumption is going to be slow, distributed, and contested across every actor in the MIPS chain.