IoT Devices Are a Growing Security Risk
A few years ago, IoT devices were largely treated as low-risk endpoints. As connectivity has expanded, that assumption no longer holds true, and what might once have been considered a low-value target now represents broader access to widespread, critical systems.
Attackers are no longer focused only on cloud systems or user endpoints. They’re targeting the device itself, where trusted access can provide a path into something much larger. Verizon’s 2025 Data Breach Investigations Report found that exploitation of vulnerabilities accounted for 20% of breaches, ransomware was present in 44%, and edge devices and VPNs represented 22% of vulnerability-exploitation targets. This is an important shift because it shows that the attack surface is moving faster, becoming harder to see, and getting much closer to the edge. [1]
For manufacturers of these products, this changes the role of the endpoint. A smart meter, access control node, lighting controller, gateway, or wireless sensor may look like a simple device, but once compromised, it can become a trusted foothold. Of course, in many cases, the device itself is not the final objective. Its value lies in what it can reach, what it can impersonate, and what operations it can disrupt.
That matters even more in smart home, commercial, and industrial environments. In those systems, a compromised device doesn’t just expose data; it can interrupt operations, degrade safety, undermine service continuity, and erode customer trust. The business impact can easily exceed the cost of the device itself. [2]
IoT Security Regulations are Increasing
Governments and market regulators are no longer treating IoT security as a best practice, but as a market requirement.
In the UK, the Product Security and Telecommunications Infrastructure regime came into effect in April 2024, establishing mandatory baseline requirements for consumer connectable products. In Singapore, the Cybersecurity Labelling Scheme continues to expand as a visible trust mechanism for consumer IoT, including cross-recognition arrangements with other national schemes. [3][4]
Europe is moving even further. The message across these efforts is consistent: connected products must be designed to be secure, must be updateable, and must remain supportable over time. Security is no longer just an engineering concern. It is becoming part of product access, product compliance, and product credibility. Enter the EU’s Radio Equipment Directive (RED) and Cyber Resilience Act (CRA).
Regulation as a Product Requirement in IoT Devices
For many OEMs, Europe is leading the way. Under the RED delegated regulation, beginning in August 2025, cybersecurity requirements now apply to defined categories of internet-connected radio equipment. The supporting EN 18031 standards have also been cited to help manufacturers demonstrate conformity for in-scope products. The CRA goes further still, establishing harmonized cybersecurity requirements for products with digital elements made available on the EU market. Unlike earlier frameworks that focused mainly on baseline device behavior, the CRA extends cybersecurity expectations across the product lifecycle, including design, development, maintenance, and vulnerability handling. [5][6][7]
That matters because it changes when security work must happen. Security can no longer be added after the product architecture is mostly fixed. Product teams now need to think about device identity, software integrity, secure updates, support periods, disclosure processes, and long-term vulnerability response much earlier in the design cycle. In practical terms, security is becoming a design input rather than a launch checklist. [7]
Compact Proof: Why This Matters for OEM Design Teams
| Proof Point | What it Shows | Implication for OEMs |
| --- | --- | --- |
| Threat data [1] | Exploitation and ransomware are rising, and edge devices are increasingly part of the initial access story. | Treat endpoint security as part of overall system security, not as a peripheral feature. |
| RED + EN 18031 [5][6] | Europe now provides a concrete conformity path for in-scope radio equipment cybersecurity requirements. | Plan for secure defaults, controlled interfaces, authenticated software, and evidence that maps to conformity work. |
| CRA [7] | Cybersecurity expectations extend beyond launch into reporting, maintenance, and vulnerability handling. Focus on a "secure by design" philosophy that encompasses all digital assets. | Build lifecycle security, support planning, and disclosure processes into the product plan early. |
| "Secure Vault + CPMS + PSIRT + PSA" [8][9][10][11][12] | Silicon Labs combines hardware-rooted security, secure provisioning, response processes, and third-party validation. | Reduce implementation burden while giving product, firmware, and compliance teams a stronger starting point. |
Silicon Labs Helps OEMs Future-Proof IoT Designs
Futureproofing against regulation does not mean predicting every clause of every future law, but rather building on the security capabilities that continue to appear globally across standards, certifications, and regulations.
Those capabilities are now familiar: a trustworthy device identity, authenticated software, protected keys and certificates, controlled access to debug and service interfaces, strong randomness, secure update paths, and a practical process for handling vulnerabilities over time. These are no longer premium features for only the highest-end designs. They are increasingly the baseline for connected products that need to stay on the market and remain trusted in the field.
Silicon Labs addresses these requirements through Secure Vault, its hardware-anchored security platform for connected devices. Secure Vault is built around an immutable hardware root of trust and includes capabilities such as secure boot with RTSL, secure attestation, secure key management, secure debug, true random number generation, differential power analysis countermeasures, and anti-tamper features on supported devices. Silicon Labs also supports secure factory provisioning through CPMS, allowing identities, certificates, keys, secure boot settings, and related security assets to be injected at the factory rather than exposed later in less controlled environments. [8][9]
Just as important, Silicon Labs’ security story does not stop at the hardware feature list. The company publicly positions lifecycle security as part of the offering as well, including PSIRT-based vulnerability intake and coordinated disclosure support by a dedicated Secure Application Engineering team. That is increasingly important in a CRA-shaped environment, where long-term support and vulnerability response are part of the conversation, not an afterthought.
Independent validation strengthens that story. In August 2025 Silicon Labs announced that Secure Vault on the Series 3 SiXG301 achieved the world’s first PSA Level 4 certification. This builds on another industry first: Silicon Labs was also the first silicon provider to achieve PSA Certified Level 3 with Secure Vault. Taken together, these milestones reflect a clear trajectory of security leadership. For OEMs, that translates into a stronger built-in foundation for resisting increasingly sophisticated software and physical attacks, including side-channel and fault-injection techniques, without requiring each product team to create that assurance independently. [11][12]
The Result is Peace of Mind for OEMs
The value of this approach is bigger than compliance. First, it reduces security design risk. Product teams do not have to invent their IoT device security foundation one project at a time. Second, it improves market readiness by aligning product architectures more closely with the expectations now forming across RED, CRA, labeling schemes, and baseline security frameworks. Third, it helps reduce long-term business exposure by making it easier to support secure updates, protect device identity, and respond to vulnerabilities after deployment.
That peace of mind lands differently with different stakeholders, but the benefit is the same. For the C-suite, it means lower regulatory and brand risk. For product teams, it means a clearer path to market access and longer product viability. For firmware engineers, it means a more credible root of trust, stronger software integrity, and better protection for secrets and update flows. For design engineers, it means security is built into the platform selection itself, not bolted on later.
Secure End Devices Help Create Secure Ecosystems
Secure ecosystems are built from secure endpoints. That is true in the smart home, where a single compromised device can become an entry point into the broader network. It is true in commercial buildings, where connected devices increasingly support access, lighting, HVAC, metering, and occupant services. And it is true in industrial environments, where the cost of disruption can be immediate and measurable.
The ecosystem is only as trustworthy as the devices allowed to join it, update within it, and operate inside it. That is why secure identity, secure boot, protected keys, secure provisioning, and lifecycle support matter so much. They do not just protect a chip. They help protect the system around it.
Summary: IoT Device Security is Now a Product Requirement
IoT security has moved well beyond a technical nice-to-have. Real-world attack data shows that adversaries are targeting vulnerabilities at the edge more aggressively, while governments around the world are turning security expectations into market requirements. At the same time, OEMs are being asked to support products longer, document security more clearly, and respond to vulnerabilities more systematically than they were a few years ago. [1][5][7]
This is why security is now a product requirement. The question in front of IoT device makers is no longer whether IoT security should be part of the design. It’s whether the product has been built on a foundation strong enough to keep pace with evolving attacks, evolving regulations, and rising expectations for trust. Silicon Labs’ answer is to start at the device, anchor security in hardware, and help OEMs carry that trust across the product lifecycle and into the smart ecosystems their products are meant to serve. [8][9][10][11][12]
Learn more about our IoT security solutions.
Selected References
[1] Verizon, “2025 Data Breach Investigations Report.”
[2] IBM, “2025 Cost of a Data Breach Report: Navigating the AI rush without sidelining security.”
[4] Cyber Security Agency of Singapore, “About Cybersecurity Labelling Scheme for IoT.”
[5] EUR-Lex, “Commission Delegated Regulation (EU) 2022/30,” application from 1 August 2025.
[7] European Commission, “Cyber Resilience Act” and “CRA Reporting Obligations.”
[8] Silicon Labs, “Secure Vault for IoT Security.”
[9] Silicon Labs, “Custom Part Manufacturing Services (CPMS).”
[10] Silicon Labs, “IoT Security” / PSIRT resources.