
Understanding Device Security: What We’ve Learned at Riscure

Author: Valeria Vatolina

What makes a device truly secure, and what does device security actually mean? To find out, we interviewed our experts at Riscure. As they shared their thoughts, several common themes stood out. In this post, we’ll explore why compliance, product longevity, and efficient vulnerability analysis are the key factors in the success of device security.

The hardware dimension

Hardware vulnerabilities open an entirely new dimension of threats. Experience shows that even with the most thorough attention to software security, devices may be breached as a result of sophisticated hardware attacks. Hardware vulnerabilities can allow attackers to bypass software security measures entirely, especially when the device was not designed with security in mind.

At Riscure, we frequently emphasize the importance of considering hardware attacks when testing the security of a device. By doing so, developers can anticipate the methods attackers may use to exploit physical components, whether through side-channel attacks, fault injection, or even tampering. These hardware risks show why viewing device security holistically is essential—it’s not just about the software, but the entire system, as Rafael Boix Carpi said in his blog: “You don’t think about fixing one issue, you think of it as a whole product.”

More than a checklist of compliance

While regulatory compliance is often the starting point for security, it’s important to recognize that compliance alone does not guarantee a secure device. As Nisrine Jafri noted in a previous Riscure blog, “Certification doesn’t mean that the device is 100% secure, as that is also simply not possible. However, it means that it conforms to the scheme requirement for the specified certification level”. Following regulatory guidelines ensures a baseline level of protection, but attackers are adept at finding weaknesses that regulations may not consider. True security requires a more dynamic approach, one that anticipates vulnerabilities and considers the device as a whole system.

Longer product lifecycles

The longevity of devices is another key factor in device security. Some devices remain in use for longer than the regulations governing them can keep up with. As Chris Berg explained in his blog post, some devices, such as IoT or automobiles, often remain in the field for 5 to 20 years. This long lifespan introduces unique risks, as products developed today might be exposed to more advanced adversaries in the future. “Sure, if the product is there for a few years, there is time to update its security in the following release. But if the product is there for 20 years, especially in a world where it is crucial to keep up with adversaries, it is vital to make sure the product is very secure”. It’s therefore crucial to adopt a forward-looking perspective, ensuring that security mechanisms can adapt throughout a product’s life cycle.

Learning from other industries

Industries that handle highly sensitive data, like payment systems, have been at the forefront of device security innovation for decades. The lessons learned from securing credit cards and payment terminals, for instance, can often be applied in other sectors. The security practices in these fields are the result of years of refinement, regulation and understanding the real-world risks. Bringing that same level of rigor to other industries—whether mobile, automotive, or IoT—can significantly raise the bar in security.

As compliance requirements in security are still evolving, consumers are more security-conscious than ever when selecting their devices. “In some industries, security evaluation is voluntary,” said Hanna Humenyuk. “As consumer perceptions shift, we observe more organizations who are not obliged to comply now conducting their own risk assessments”.

Security is hard, and insecurity is easy

A high level of security is not something that can be easily added to a product. On average, human error introduces 15 bugs per 1000 lines of code, and while these vulnerabilities may be unintentional, fixing even a single flaw often requires significantly more time and effort than writing the code itself. It is much easier to create insecure products—whether due to overlooked vulnerabilities or an incomplete understanding of the threat landscape.

Techniques like threat modelling are often used to narrow the scope of analysis to focus on the most crucial parts that need security. As Praveen Vadnala noted, “Device Security, for me, is looking at the important assets in the device and developing ways to protect them. Security considerations need to be translated correctly to development requirements throughout all stages, reflecting on and reviewing assumptions made from the beginning to the end”.

Spotting mistakes early is important

Mistakes are inevitable, and no software is free of bugs or vulnerabilities, but the key is recognizing this reality and developing the knowledge and tools necessary to spot and correct these mistakes before they can be exploited. Device vulnerabilities may be introduced early in the development process and may go unnoticed until it’s too late. This is why it’s crucial to embed security practices throughout the entire development cycle—from design through production. Security should not be an afterthought or a feature that is added on later. Instead, it must be built in from the ground up. As Praveen Vadnala noted, “It is ensuring that the security is implemented properly, starting from the architecture level, continued in the design, and finalized during the implementation of a device”.

By embracing a security mindset, learning from robust industries, and being aware of common mistakes, companies can develop devices that are not only compliant with current security regulations but also secure for the long term.

Ready to test your device security knowledge? Take the Device Security Quiz!
Discover areas where you can improve and deepen your knowledge. 🧠 This quiz addresses essential topics like hardware attack techniques and defense strategies. It won’t take more than 5 minutes!
Take the quiz and see where you stand in embedded systems security! https://sidechannel.riscure.com/quiz
