Blog / IoT Security
IoT Security IoT securitysecure bootTLS

How to Secure Your Connected Device: From Boot to Cloud

End-to-end IoT security guide covering secure boot, firmware signing, TLS communications, certificate management, cloud security controls, and security testing.

UABit Team
· · 10 min read
How to Secure Your Connected Device: From Boot to Cloud

A connected device is only as secure as its weakest component. Security controls implemented in firmware but absent from the cloud backend leave a gap an attacker can exploit. A strong backend with a device that accepts unsigned firmware updates is equally vulnerable. Security for connected IoT devices requires a chain of trust from the moment the processor starts executing instructions to the moment data arrives in the cloud — and every link in that chain must be strong.

This guide walks through the full security architecture for a production IoT device, tracing the trust chain from silicon to cloud and identifying the specific controls that belong at each layer.

The Trust Chain: From Hardware to Cloud

Secure IoT architecture is built on a chain of trust — each component is verified by the one below it:

Hardware (secure element + eFuses)
  ↓ verifies
Boot ROM (ROM-based signature verification)
  ↓ verifies
Bootloader (signed, anti-rollback)
  ↓ verifies
Application firmware (signed, encrypted)
  ↓ establishes
TLS session (using device certificate)
  ↓ authenticates to
Cloud backend (validates device identity)
  ↓ enforces
Least-privilege API access

A break in any link — an unsigned firmware update accepted by the bootloader, a device certificate accepted without proper validation — compromises the entire chain.

Layer 1: Hardware Root of Trust

The hardware root of trust is the element you absolutely trust because you cannot change it after manufacture. It provides:

Immutable identity: A unique device identifier burned into one-time-programmable (OTP) fuses or a dedicated secure element. This identifier anchors the device’s X.509 certificate.

Key storage: The device’s authentication private key is generated inside the secure element during manufacturing and never exits it. Private key operations (signing, key agreement) are performed by the secure element itself.

Secure key provisioning: During manufacturing, a hardware security module (HSM) on the production line establishes the device’s initial identity and installs certificates, without exposing keys in plaintext. The provisioning process should be audited and access-controlled.

Recommended secure elements: Microchip ATECC608B (ECC key operations, symmetric encryption), Infineon SLB9670 (TPM 2.0 compliant, rich command set), or the integrated secure enclave in STM32L5 and nRF5340.

Layer 2: Secure Boot

Secure boot ensures that only authorized firmware can execute on the device. The mechanism:

  1. The boot ROM (factory-programmed, immutable) contains the public key of the firmware signing key
  2. Before jumping to the bootloader, the boot ROM computes a hash of the bootloader image and verifies the embedded signature against the stored public key
  3. If verification fails, execution halts (or falls into a recovery mode)
  4. The bootloader applies the same verification to the application firmware before jumping to it

This process ensures that even if an attacker gains physical access and attempts to replace the firmware, the device will not execute unauthorized code.

Configuration for STM32L5: STM32L5 implements secure boot through the TrustZone-enabled bootloader and the SECWM (Secure Write-protection Memory) feature. Keys are stored in the device’s OTP memory. The STM32L5 security documentation provides detailed implementation guidance.

Configuration for nRF5340: Nordic’s nRF5340 uses MCUBoot as its bootloader with hardware-based signature verification via the CRYPTOCELL-312 peripheral. The nRF Connect SDK documentation covers the full MCUBoot integration.

Layer 3: Signed and Encrypted Firmware Updates

Even with secure boot, OTA updates create a risk surface. A compromised update server could serve malicious firmware to millions of devices. The countermeasure: asymmetric signature verification before installation.

Signing workflow:

# Generate signing key pair (done once, private key stored in HSM)
openssl ecparam -name prime256v1 -genkey -noout -out signing_key.pem
openssl ec -in signing_key.pem -pubout -out signing_key.pub

# Sign a firmware binary
openssl dgst -sha256 -sign signing_key.pem firmware.bin > firmware.sig

# Combine for distribution
cat firmware.bin firmware.sig > firmware_signed.bin

Verification on device:

// Verify firmware signature before installation
bool verify_firmware(const uint8_t* firmware, size_t fw_len,
                     const uint8_t* signature, size_t sig_len) {
    // Public key is embedded in the bootloader, in a locked flash region
    const uint8_t* pub_key = (const uint8_t*)SIGNING_KEY_ADDRESS;
    
    // Use hardware crypto accelerator or mbedTLS
    return mbedtls_ecdsa_read_signature(&ecdsa_ctx, 
                                        sha256(firmware, fw_len),
                                        SHA256_LEN,
                                        signature, sig_len) == 0;
}

Anti-rollback protection: Store the minimum acceptable firmware version in OTP or secure storage. Reject any firmware image with a version number below this minimum, preventing rollback to a patched-but-known-vulnerable version.

Securing connected devices — trust chain from boot to cloud

Layer 4: Secure Device-to-Cloud Communications

Mutual TLS (mTLS): Standard TLS verifies the server’s identity. Mutual TLS adds client certificate verification — the server also authenticates the device. This is the correct approach for IoT device authentication.

// mbedTLS mutual TLS configuration
mbedtls_ssl_conf_own_cert(&ssl_config, 
                            &device_certificate,  // device's certificate
                            &device_private_key); // key in secure element

mbedtls_ssl_conf_ca_chain(&ssl_config, 
                           &server_ca_cert,  // CA that signed server cert
                           NULL);

mbedtls_ssl_conf_authmode(&ssl_config, MBEDTLS_SSL_VERIFY_REQUIRED);

MQTT over TLS uses port 8883. MQTT topics should follow a namespace convention that enforces device scope:

  • Device publishes to: devices/{device_id}/telemetry
  • Device subscribes to: devices/{device_id}/commands
  • IoT policy enforces that device A cannot publish or subscribe to device B’s topics

Certificate rotation: Implement the ability to rotate device certificates via a secure re-provisioning flow. The process:

  1. Device generates a new key pair in the secure element
  2. Device sends a Certificate Signing Request (CSR) to a cloud endpoint, authenticated with the current certificate
  3. Cloud issues a new certificate for the new key
  4. Device installs the new certificate and transitions to using it
  5. Old certificate is revoked in the cloud

Layer 5: Cloud Security Controls

IoT Policy enforcement: AWS IoT Core and Azure IoT Hub both support fine-grained policy enforcement. Each device should have a policy that allows only the minimum required operations:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:us-east-1:123456789:client/${iot:Connection.Thing.ThingName}"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:us-east-1:123456789:topic/devices/${iot:Connection.Thing.ThingName}/telemetry"
    }
  ]
}

This policy allows the device to connect and publish only to its own telemetry topic. It cannot read other devices’ data, write to other topics, or access management APIs.

Anomaly detection: Implement AWS IoT Device Defender or Azure Defender for IoT to detect unusual device behavior: connections from unexpected IPs, unusually high message rates, unexpected protocol changes.

Audit logging: All authentication events, certificate operations, and policy changes should be logged to an immutable audit trail. NIST SP 800-213A defines the specific logging requirements for IoT systems.

Security Testing Before Launch

Before a connected device ships, it should be security-tested by someone other than the development team. The minimum testing scope:

  • Firmware analysis: Static analysis of the firmware binary for known vulnerabilities, hardcoded credentials, and unsafe function usage
  • Protocol testing: Fuzzing of all network-facing services; verification of TLS configuration strength
  • Physical interface testing: JTAG/SWD access testing; UART monitoring for sensitive debug output
  • API testing: Authentication bypass attempts, authorization testing, injection attacks on all backend APIs
  • OTA update testing: Signature bypass attempts, version rollback attempts, partial update handling

See the IoT Security Foundation best practice guidelines for a comprehensive pre-launch security checklist.

For an overview of IoT security compliance requirements, see our IoT data privacy guide.

Conclusion

Securing a connected device from boot to cloud is not optional — it is the minimum viable security posture for any device that handles real user data, connects to enterprise networks, or operates in safety-relevant contexts. The architecture described here — hardware root of trust, secure boot, signed OTA updates, mutual TLS, and least-privilege cloud policies — is achievable with production-proven tools and standard embedded hardware.

The cost of implementing this architecture properly during development is far less than the cost of a security incident post-launch: breach notification, reputation damage, regulatory fines, and device recall. UABit’s IoT device development practice builds these security controls into every project from day one.

IoT & AIoT Weekly

Get the best IoT development content delivered weekly. No noise, just signal.

IoT securitysecure bootTLSfirmware signingconnected devices