Learn IoT security vocabulary: device identity, certificate provisioning, firmware OTA updates, secure boot, TPM, and PSA Certified.
1 / 5
Secure boot in an IoT device ensures:
Secure boot builds a chain of trust from an immutable hardware root (fused keys in ROM or a TPM) through each boot stage. If any component's signature does not match, the device halts or enters recovery mode. This prevents persistent rootkits and ensures only vendor-authorised firmware runs — critical when devices are physically accessible.
2 / 5
Firmware Over-the-Air (OTA) updates present a security challenge because:
OTA update pipelines are high-value attack targets, because compromising one allows mass deployment of malicious firmware. Best practices include: signing updates with a private key whose public key is embedded in the device, using A/B partitions for atomic rollback on failure, enforcing version checks to prevent downgrade attacks, and using delta updates to reduce bandwidth.
3 / 5
A TPM (Trusted Platform Module) in an IoT device is used primarily for:
A TPM is a dedicated security chip (or firmware equivalent, fTPM) that provides: key generation and storage (keys cannot be extracted in plaintext), remote attestation (proving device state to a server), sealing (binding data to a specific platform state), and a source of true randomness. Even if the host OS is compromised, keys sealed in the TPM remain protected.
4 / 5
PSA Certified (Platform Security Architecture) is:
PSA Certified has four levels (PSA Certified Level 1-3 and PSA Certified RoT). It provides: a threat model and security analysis methodology, the PSA Certified API for security services, and lab-based evaluation of claims. It gives device buyers assurance about the security baseline of certified products, aligned with the requirements of the UK PSTI Act and the EU CRA.
5 / 5
Certificate provisioning in large-scale IoT deployments refers to:
Each IoT device should have a unique cryptographic identity to prevent a single compromised device credential from affecting the entire fleet. Provisioning happens in a secure manufacturing environment: a device generates a key pair, the CSR is signed by a device CA, and the certificate is injected into secure storage. AWS IoT, Azure IoT Hub, and Google Cloud IoT all use X.509 mutual TLS for device authentication.