IoT Device Security Stack
A representative IoT device, bottom (hardware root of trust) to top (cloud).
flowchart TB
    CLOUD["Cloud Backend / Device Management Plane<br/>Identity registry, OTA orchestration, attestation verifier"]:::cloud
    subgraph DEV["IoT Device"]
        direction TB
        APP["Application Code"]:::blue
        OS["OS / RTOS<br/>FreeRTOS, Zephyr, embedded Linux<br/>process isolation, if any"]:::blue
        FW["Firmware<br/>signed, anti-rollback, OTA-updatable"]:::blue
        BOOT["Secure Boot Loader<br/>signed, verifies next stage signature"]:::blue
        SI["Silicon<br/>immutable boot ROM, fuses, PUF<br/>hardware root of trust, cannot be re-flashed"]:::slate
        SI --> BOOT --> FW --> OS --> APP
    end
    APP -- "Mutual TLS, device-bound key from secure element" --> CLOUD
    classDef blue fill:#1565c0,stroke:#0d3a73,stroke-width:2px,color:#ffffff,font-size:14px
    classDef slate fill:#455a64,stroke:#263238,stroke-width:2px,color:#ffffff,font-size:14px
    classDef cloud fill:#e8eef5,stroke:#1565c0,stroke-width:2.5px,color:#1a3a5c,font-size:14px
    linkStyle default stroke:#607d8b,stroke-width:2px,font-size:13px
    linkStyle 4 stroke:#ffa000,stroke-width:3px,font-size:13px,color:#b26a00
Blast radius grows upward. A single device's firmware compromise affects one device; a backend compromise can reach the whole fleet at once.
Trust diminishes upward. The immutable silicon is the hardest to subvert; firmware and application code are the most attacked layers because they change and can be reached over the network.