Protection from Trojan Horses: Sourcing Secure IoT Devices for Enterprises

Not all routers, printers or other smart devices are secure, many of them can put the entire IT infrastructure at risk

Bad Homburg, July 9, 2021 – Caution should be exercised when procuring IoT devices – so called “smart” devices that are integrated into an IT network. In random samples, more than 50 percent of the devices tested showed obvious vulnerabilities that would allow hackers to attack an entire IT infrastructure. “Companies are incorporating an unpredictable black box into their premises with printers, routers, security cameras or smart lighting solutions. Hackers are well aware of the vulnerabilities and can easily gain access to sensitive information. Therefore, when purchasing these devices, it is important to ensure that security specifications are in place and that they are tested,” says Florian Lukavsky, founder of IoT Inspector. The company operates one of the largest platforms for checking factory-installed device software, known as firmware, for security vulnerabilities. Often, these potential problems are hidden in supplier products: On average, each device contains software components from more than 10 different manufacturers, so-called OEM. The security experts at IoT Inspector provide a guideline through a checklist:

Checklist for the secure procurement of IoT devices.
To achieve adequate basic protection of the IoT infrastructure within the company, we recommend the following measures:

  • First, perform a protection needs assessment and threat analysis to establish clear guidelines for IoT security.
  • Define concrete technical security requirements for procurement. These should be recorded in a set of security specifications and must be demonstrably implemented by the manufacturer. International guidelines such as ISA/IEC 62443 or ETSI 303 645 offer orientation. Procurement platforms focusing on security from which concrete procurement texts can be obtained, can provide guidance as well.
  • Check the manufacturer for trustworthiness and diligence in hardware and software development. For reference, use established maturity models such as OWASP SAMM or BSIMM. The manufacturer must demonstrate that it implements the required maturity level – depending on the protection requirements of the device – for all development activities.
  • Perform automated security testing of device firmware, both at acceptance and at fixed intervals, to detect any new vulnerabilities introduced by firmware updates.
  • Perform also Whitebox audits based on the OWASP IoT Testing Guides.
  • Obtain written assurance from the manufacturer that all defined security requirements are met.
  • Review security documentation created as part of software development (e.g., security architecture documentation, data flow analyses, results of vendor internal security testing).
  • If an IoT device gains access to sensitive information or is deployed in particularly vulnerable areas, consider a full security source code review of the firmware, as well as a physical security review of the IoT device itself with a focus on hidden backdoors in the software and hardware.

For in-depth information on the secure procurement of IoT devices, check out our whitepaper.


ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. “Digital Cyber Twins” enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.

The patent-pending, integrated Compliance Wizard™ already covers the upcoming EU Cyber Resilience Act (CRA) and existing requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.

The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.

Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform and ONEKEY Cybersecurity Experts.



Sara Fortmann

Marketing Manager


euromarcom public relations GmbH

+49 611 973 150