A medical wearable starts streaming patient data to the cloud, and three months later a researcher finds the device accepts unsigned firmware updates. The fix requires a recall. That scenario repeats across industries because security planning often comes too late. This checklist is for engineers, product managers, and technical leads who need a structured way to build secure embedded systems without adding months of delay. We focus on decisions you can make today — from component selection to deployment — and highlight where shortcuts usually backfire.
1. Define Security Requirements Before You Choose a Microcontroller
Every embedded project begins with a requirements document, but security requirements are often reduced to a single line: "device shall be secure." That vagueness leads to gaps. Start by asking three questions: What data does this device handle? What happens if that data is leaked or corrupted? Who has physical access to the device after deployment?
For example, a smart thermostat that only sends temperature readings has different needs than a payment terminal that processes credit card numbers. The thermostat may need encrypted communications and signed firmware updates. The payment terminal additionally requires tamper detection, secure key storage, and certification compliance. Defining these specifics early influences hardware selection, budget, and timeline.
Threat Modeling in One Hour
You don't need a formal STRIDE session for every project. A lightweight approach: draw a data flow diagram of your device — sensors, processor, memory, network interface, cloud backend. Mark each point where data enters or leaves. Then ask: what is the worst thing an attacker could do at each point? List the top three risks and prioritize them. This exercise typically reveals that most teams overlook physical attacks (JTAG, bus sniffing) or supply chain risks (counterfeit chips).
Regulatory and Compliance Constraints
Depending on your industry, you may need to meet standards like IEC 62443 for industrial systems, HIPAA for health data, or GDPR for user privacy. Document which apply. These standards often dictate minimum cryptographic algorithms, logging requirements, and update mechanisms. Ignoring them until certification testing is a common cause of late-stage redesigns.
By the end of this phase, you should have a written list of security requirements ranked by severity. This list becomes the filter for every subsequent decision.
2. Evaluate Hardware Security Features — Not Just Clock Speed and Flash Size
Once you know what you need, evaluate microcontrollers and SoCs against security features. Many teams choose a chip based on cost or familiarity, then discover it lacks hardware cryptographic accelerators, secure boot, or isolated memory regions. Retrofitting these in software is slow and often insecure.
Look for three core capabilities: a hardware root of trust (often a separate secure element or built-in secure enclave), a true random number generator (TRNG), and memory protection units (MPU) that isolate sensitive code and data. For connected devices, also verify that the chip supports secure key storage — keys stored in flash without hardware protection are extractable via debug interfaces.
Comparing Approaches: Integrated vs. Discrete Security
Some chips integrate all security features on a single die (e.g., NXP LPC55xx, STM32L5). Others pair a general-purpose MCU with a discrete secure element (e.g., Microchip ATECC608). Integrated solutions reduce BOM cost and board space, but if a vulnerability is found in the secure enclave, the whole chip must be replaced. Discrete elements can be swapped independently, but they add complexity to the I2C or SPI bus and require careful key provisioning.
A third approach uses a dedicated security co-processor like the NXP EdgeLock SE050. These handle key generation, certificate storage, and TLS handshakes off the main CPU. They are easier to certify but add cost and consume power. For battery-operated devices, measure the sleep current of the co-processor — some draw tens of microamps even in idle mode, which can drain a coin cell in weeks.
When Not to Over-Invest in Hardware
If your device has no persistent secrets (e.g., a simple sensor that sends unauthenticated telemetry), a basic MCU with software AES and a random seed may be sufficient. The risk of over-engineering is wasted cost and complexity. Use your threat model to decide: if the worst-case attack is nuisance spoofing of temperature data, a full hardware security module is overkill.
At this stage, create a shortlist of three to five candidate chips or modules. Score each against your security requirements list. Include cost, availability, and toolchain support. This prevents late surprises where a chip with great security has a buggy SDK.
3. Design Firmware with Secure Boot and Memory Isolation
Secure boot ensures that only signed firmware runs on the device. Without it, an attacker can flash malicious code that pretends to be your application. The implementation matters: the boot ROM must verify the first-stage bootloader using a public key burned into fuses. That key should be generated on a secure, offline machine — not on a developer's laptop that is connected to the internet.
After secure boot, set up memory isolation. Many embedded RTOSes (FreeRTOS, Zephyr) support MPU regions. Assign the network stack to a separate region from cryptographic keys. If an attacker compromises the Wi-Fi driver via a buffer overflow, they should not be able to read the private key used for TLS. This separation also helps with fault isolation: a bug in one module doesn't corrupt another.
Practical Steps for Key Management
Keys are the crown jewels. Never hardcode keys in source code. Use a key provisioning service during manufacturing that injects unique keys into each device. For prototypes, store keys in a secure element or use the chip's OTP memory. If you must store keys in flash, encrypt them with a device-unique key derived from a hardware unique ID.
Also plan for key rotation. Devices that live for years will eventually need new keys. Design your update mechanism to accept a new certificate chain signed by your root CA. The root CA key should be stored offline in a hardware security module (HSM) or a safe — never on a build server.
Common Firmware Pitfalls
One recurring mistake is disabling secure boot during development to speed up flashing. That's fine as long as you re-enable it before production. But teams often forget, and devices ship with secure boot off. Use a build flag that fails compilation if secure boot is disabled in the release configuration.
Another issue is using weak or deprecated cryptographic libraries. Stick to well-maintained libraries like Mbed TLS or WolfSSL. Avoid implementing your own crypto — even simple hash functions are easy to get wrong. Use the chip's hardware accelerators whenever possible; they are faster and less prone to timing side channels.
4. Implement Secure Communication Without Overcomplicating the Stack
Encrypting data in transit is non-negotiable for any device that connects to a network. The simplest path is TLS 1.2 or 1.3 with mutual authentication. Use a lightweight TLS library that fits your MCU's RAM budget — WolfSSL and Mbed TLS both have configurations that run on Cortex-M0 with 32 KB RAM.
Certificate management is where most teams stumble. Each device needs a unique certificate signed by your CA. During manufacturing, you can pre-provision certificates into secure storage. For field devices, consider a protocol like EST (Enrollment over Secure Transport) to request certificates automatically after deployment. This avoids the logistics of pre-loading certificates on every unit.
Choosing Between TLS, DTLS, and Custom Protocols
If your device uses UDP (e.g., CoAP), use DTLS instead of TLS. DTLS adds a small overhead for packet loss handling. For very constrained devices (8-bit MCU, 16 KB RAM), you may be tempted to roll your own encryption. Resist. A minimalist approach is to use pre-shared keys (PSK) with TLS, which reduces code size and RAM usage. The trade-off is that PSKs must be unique per device and rotated regularly; a compromised PSK on one device does not expose others.
MQTT with TLS is common for IoT. Ensure your broker enforces certificate revocation lists (CRLs) or uses Online Certificate Status Protocol (OCSP) stapling. Without revocation, a compromised device's certificate remains valid until expiration.
Testing Your Communication Security
Before deployment, run a network penetration test against a representative device. Use tools like Wireshark to confirm that all traffic is encrypted and that no unencrypted fallback exists. Check for common misconfigurations: weak cipher suites (e.g., RC4, 3DES), expired certificates, or hostname mismatch. Many cloud platforms provide device test suites — use them.
Also verify that the device rejects invalid certificates. A surprising number of products accept any certificate because the validation code returns success. Write unit tests that feed the device a self-signed certificate and confirm it refuses the connection.
5. Plan for Over-the-Air Updates — They Are Your Most Important Security Feature
No device is perfect at launch. Vulnerabilities will be discovered. Over-the-air (OTA) updates let you fix them. Without OTA, you either recall devices or leave them vulnerable forever. OTA itself must be secure: updates must be signed, encrypted, and applied atomically (so a power failure during update does not brick the device).
Design the update process early, because it affects partition layout, bootloader design, and flash wear. Most systems use a dual-bank approach: bank A holds the current firmware, bank B holds the new image. The bootloader verifies the signature of bank B before switching. This adds a flash cost (double the firmware size) but minimizes risk.
For devices with tight flash budgets, a single-bank update with a recovery mode is possible. The device downloads the update to external flash or RAM, verifies it, then writes over the main firmware. If the write fails, the device enters a minimal recovery bootloader that accepts a signed update via serial or USB. Test this recovery path before shipping — it often goes unvalidated.
Update Frequency and User Experience
How often will you push updates? Consumer IoT devices may update every few months; industrial controllers may update once a year. Design your update server to handle peak load — if you have 100,000 devices and push a critical patch, they will all request the file simultaneously. Use a content delivery network (CDN) or staggered rollout to avoid overwhelming the backend.
Also consider user experience. For devices that must be online to function, a forced update may cause downtime. Allow users to schedule updates or defer them by a limited number of days. For safety-critical devices (e.g., medical infusion pumps), updates must be tested and approved by regulatory bodies — plan for a longer cycle.
Rollback Protection
If an update introduces a bug, you may need to roll back to the previous version. But rollback can be a security risk: attackers could force a downgrade to a vulnerable version. Implement a version counter that prevents installing firmware older than the current version. Store the counter in a one-time programmable region or a secure element so it cannot be reset.
6. Secure the Manufacturing and Supply Chain
Security does not start at the factory — it starts with the supply chain. Counterfeit chips, cloned firmware, and unauthorized debug interfaces are real threats. Choose distributors who source directly from manufacturers and verify chip markings. For high-value devices, consider using chips with secure boot that reject unsigned code from the start.
During manufacturing, control who has access to programming tools. The firmware image should be encrypted and signed at your facility, then decrypted only by the chip's boot ROM during programming. Use a provisioning service that generates unique device secrets and injects them after programming. Never share the root signing key with the contract manufacturer.
Locking Debug Interfaces
After programming, disable JTAG and SWD interfaces permanently. Most MCUs have a mechanism to blow fuses that prevent debug access. Do this at the end of the production line. If you need field debugging, leave a one-time programmable option to re-enable debug with a signed authorization token. But be aware: once debug is re-enabled, physical attackers can extract memory contents.
Some teams skip this step to allow field returns debugging. That is a trade-off. If you must keep debug enabled, at least require a password that is unique per device and stored in a secure backend. A default password like "debug" is worse than no lock.
Secure Key Injection
Each device needs unique keys and certificates. The simplest method is to generate keys on the device itself using its TRNG, then have the device sign a certificate request with a provisioning key. The provisioning key is the same across all devices and should be stored in a secure facility. A more robust method uses an HSM at the factory to generate keys and inject them into the secure element before assembly. This requires an expensive HSM and secure transport, but it ensures private keys never leave the HSM.
For low-volume products, you can pre-program devices in-house using a dedicated programming jig. Document the process and audit logs to ensure no unauthorized copies are made.
7. Monitor, Respond, and Repeat — Security Is Never Done
Deploying a secure device is not the end. You need to monitor for vulnerabilities, respond to incidents, and plan for the next update. Set up a security mailing list or use a CVE feed to track vulnerabilities in your software stack — the OS, libraries, and the chip itself. When a vulnerability is disclosed, assess its impact on your device within 48 hours.
Build a mechanism for devices to report their firmware version and security status to a cloud dashboard. This helps you identify devices that have not applied critical updates. For devices behind NAT or firewalls, use a polling model where devices check for updates periodically (e.g., every 24 hours).
Incident Response Plan
Write a simple incident response plan: who gets paged, how to reproduce the issue, how to create and sign a patch, and how to push the update. Test this plan with a simulated incident. Many teams discover that they cannot sign an update quickly because the signing key is locked in a safe and the person with the combination is on vacation. Have a backup signing procedure with a separate key that is valid for emergencies only.
Also plan for the worst case: a vulnerability that requires a physical recall. Track which devices are in the field and have a process to contact customers. This is rare, but knowing the steps ahead of time reduces panic.
Common Mistakes in Post-Deployment
One mistake is assuming that because a device has not been attacked, it is secure. Absence of evidence is not evidence of absence. Another is neglecting to update the threat model as the device ages. New attack techniques emerge — for example, side-channel attacks on cryptographic operations that were considered safe a few years ago. Revisit your threat model annually and adjust your defenses.
Finally, do not forget about end-of-life. When you stop supporting a device, inform users and provide a final security update. For devices that must remain functional (e.g., medical implants), plan for a transition to a new hardware revision. Leaving devices unpatched is a liability.
Security is a process, not a feature. Use this checklist as a starting point, adapt it to your project's specific risks, and revisit it with every new product generation. The goal is not perfection — it is to make attacks expensive enough that attackers move on to easier targets.
Comments (0)
Please sign in to post a comment.
Don't have an account? Create one
No comments yet. Be the first to comment!