Security remains one of the most overlooked challenges in IoT development. Many connected products still reach the market with minimal safeguards, exposing them to avoidable risks.
We recently came across this blog post from Bishop Fox about how they were able to hack a Traeger Grill. As we often create IoT designs using the same chip, Espressif’s ESP32, this post immediately caught our attention.
In the post, they explain how they were able to hack into the grill and control it based on flaws in the security of the product. Unfortunately, mistakes like these are prominent in commercial IoT products. However, there are a few best practices we always follow when designing new products - from the GRID485 to custom solutions - that can create a more secure product.
As we read through the breakdown, one thing immediately stood out to us: the flash memory and NVS were left unencrypted. This allowed the hacker to easily extract the cloud certificates stored on the device and dump the firmware, thus gaining access to the device.
A few changes would have created a much more secure product and made this hack far more difficult, if not prevented it completely. These IoT security best practices help ensure your product stays protected in the field and resistant to tampering.
Secure Boot
Secure Boot prevents unknown code from running the module by verifying the digital signature of the bootloader and application before executing any commands. Firmware being sent via UART and OTA is checked and unauthorized binaries are prevented from running.
Flash Encryption With a Random Key
Flash encryption encrypts the contents of the flash memory to protect against unauthorized access. When combined with a random key generated by the module during the first boot, this measure protects against firmware extraction and cloning.
NVS encryption
NVS (non-volatile storage) encryption protects against unauthorized access by encrypting user data such as Wi-Fi credentials, certificates, usernames, passwords, and more.
OTA encryption
OTA (Over-The-Air) encryption refers to the process of encrypting firmware updates that are sent over the network to devices. This ensures that the update file is protected against interception and analysis during transmission and can only be decrypted and installed by the intended device.
The Risks of Ignoring IoT Security
Overlooking basic security measures in IoT products can lead to far more than technical headaches. Weaknesses in firmware, unencrypted data, or unsecured bootloaders expose devices to real-world attacks that can compromise user privacy, damage reputations, and disrupt business operations.
Once a device is deployed, patching security flaws becomes exponentially more difficult especially at scale. For connected devices in industrial, commercial, or consumer environments, these gaps can open doors to data theft, network infiltration, or even full remote control.
Ignoring IoT cybersecurity doesn’t just risk one product. It can undermine entire ecosystems.
Final Thoughts
Securing IoT devices at the design stage is more than just a best practice, it’s a business imperative. Solid protections like secure boot, encrypted storage, and safe OTA updates give your product the resilience it needs in the field.
Our team has worked with countless companies to develop products that are both innovative and protected. If you're looking for support with firmware hardening, securing connected devices, or building in IoT security solutions from the ground up, we're ready to help.
Discuss on X
Discuss on Reddit
Discuss on LinkedIn
