Securing sensitive information
With limited storage and slim margins, securing sensitive data can be a challenge for IoT devices. Often, sensitive data is stored on a client application or device so that an IoT service can function without an internet connection. A few principles should be followed when securing sensitive data on a device. First, never hardcode secrets such as passwords, usernames, tokens, private keys, or similar material into firmware release images. The same applies to sensitive data written to disk: it is accessible to an attacker who extracts the firmware filesystem, and again to anyone who gains access to the operating system at runtime. If hardware such as a secure element (SE) or Trusted Execution Environment (TEE) is available, use it to store sensitive data during runtime. Otherwise, use of strong cryptography should be evaluated to protect the data using server-side computations...
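As an added example (not code from the original page), a small pre-release check that scans a firmware image for the kinds of secrets the paragraph says must never be baked in: PEM private keys, credential assignments and bare high-entropy tokens. The sample image bytes and the 4.5 bits/char entropy threshold are constructed assumptions, and the scanner is a build-pipeline gate, not a substitute for keeping secrets out of the image in the first place.

```python
"""Pre-release check: scan a firmware image for baked-in secrets (added example)."""
import math
import re

# Constructed stand-in for a firmware blob: an ELF-like prefix plus strings a
# careless build might embed. None of these values are real secrets.
SAMPLE_IMAGE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"https://updates.example.com/firmware/v1\x00"   # benign: long but not random
    + b"MQTT_PASSWORD=hunter2\x00"                     # hardcoded credential
    + b"aB3dE5fG7hJ9kL1mN2pQ4rS6tU8vW0xYz\x00"         # bare high-entropy token
    + b"-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIBASE64BODYOMITTED\n"
    + b"-----END EC PRIVATE KEY-----\x00"              # key body truncated (constructed)
)

PEM_RE = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")
CRED_RE = re.compile(rb"(?i)\w*(?:password|passwd|secret|token|api_?key)\w*\s*[=:]\s*[^\s\x00\"']{4,}")
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{32,}")  # strings(1)-style runs of printable ASCII
ENTROPY_BITS = 4.5  # assumed threshold: URLs and prose sit near 4.2, random keys above 5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for an empty or constant string)."""
    if not data:
        return 0.0
    counts: dict[int, int] = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_image(blob: bytes) -> list[tuple[str, str]]:
    """Return (kind, excerpt) findings for material that should never ship in an image."""
    findings = []
    for m in PEM_RE.finditer(blob):
        findings.append(("pem-private-key", m.group().decode()))
    for m in CRED_RE.finditer(blob):
        findings.append(("credential", m.group().decode()))
    for m in PRINTABLE_RE.finditer(blob):
        # Long printable runs that look random are likely keys or tokens; the
        # entropy threshold keeps URLs and ordinary text out of the report.
        if shannon_entropy(m.group()) >= ENTROPY_BITS:
            findings.append(("high-entropy", m.group().decode()))
    return findings


if __name__ == "__main__":
    for kind, excerpt in scan_image(SAMPLE_IMAGE):
        print(f"{kind:16} {excerpt}")
```

Running it over a real build artefact (the filesystem extracted from the image, or the raw image itself) should produce an empty report before the image is signed for release.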