
Embedded AI Security: How Embedded System Manufacturers Can Strengthen Protection with Secure Boot Key Management

By Pete Popov

CEO

Konsulko Group

November 13, 2025

Blog

Image Credit: Konsulko Group

Embedded systems are used in countless industries and have helped transform sectors ranging from consumer technology to medical devices and the automotive industry. These systems now perform complex functions that affect safety, operational efficiency, and user confidence.

While this increased functionality is groundbreaking for many industries, it also increases the attack surface, making embedded AI devices more susceptible to cyberattacks. Cybercriminals look to target these devices to extract intellectual property or introduce malicious code that alters system operations.

The secure boot of an embedded system provides a foundation on which other layers of firmware and software rely. Inadequate cryptographic key management presents a major threat to the secure boot process. This can occur when cyberattackers circumvent secure boot mechanisms and install unauthorized firmware. Using static, long-term keys creates predictable vulnerabilities, with consequences that extend beyond data breaches and may affect device safety and reliability.

Manufacturers must assess the specific risks associated with inadequate key management and identify effective strategies to prevent these vulnerabilities.

Risks of weak key management on Secure Boot

Boot key management, the process of creating cryptographic keys that ensure the authenticity and integrity of software during a system’s startup process, is critical for ensuring a system isn’t compromised before it has been booted up. This process, when implemented correctly, acts as the first line of defense against a wide range of attacks. Compromised or exposed keys can allow attackers to bypass secure boot, injecting malicious firmware.

Bootkits, a type of malware designed to infect a system's bootloader or boot process, can be a critical threat to a system. By compromising early-stage system components, malware can operate at the highest privileges and bypass traditional security methods. Bootkits are often challenging to detect and are part of a current trend identified by the Google Threat Intelligence Group. One recent report revealed that millions of Windows 11 users were at risk due to a vulnerability affecting secure boot, which could allow a malicious actor to disable Secure Boot entirely.

If the cryptographic keys that maintain the secure boot process are poorly managed, cybercriminals could take advantage of this and bypass these protections. Static, long-term keys create predictable targets for cybercriminals, increasing the risk of system-wide breaches. Static keys are generated once and reused throughout a product's lifecycle, which gives cybercriminals a predictable avenue of attack.

In safety-critical environments, tampering with embedded systems could cause failure across critical infrastructure organizations. A report by the Cybersecurity and Infrastructure Security Agency advised that critical infrastructure organizations audit the early-stage system configurations that are loaded at boot time, to ensure that no vulnerable code can be loaded during boot. These audits help identify weaknesses in key provisioning or firmware validation processes that may compromise device integrity.

Best practices for embedded systems manufacturers

The first line of defense is to implement a hardware root of trust. This can be achieved through platform-specific secure elements or Trusted Platform Modules (TPMs), depending on the architecture. TPMs are useful for managing keys and enabling secure boot on x86-based systems, while other systems on chip (SoCs), such as those from NVIDIA, may have their own integrated secure boot infrastructure.

One key challenge is preventing key leakage. Cryptographic keys could be exposed to unauthorized users, either through software flaws, poor key management or even physical access. Manufacturers can protect against key leakage by using Hardware Security Modules (HSMs). These HSMs are devices that are designed to be tamper-resistant and hardened. They are created to secure the cryptographic process and are used to securely generate, store and manage cryptographic keys throughout their lifecycle.

During the manufacturing process, secure provisioning is another vulnerable point. If keys are tampered with during this process, attackers may gain access to the device before it has been deployed in the field. Manufacturers should implement secure provisioning processes such as encrypted key injection, authenticated supply chain channels and access controls to ensure that no one is able to gain access without authorization. This is particularly important when there are multiple vendors in the supply chain.

To minimize the risk of exposure, manufacturers should adopt secure lifecycle key rotation policies to refresh cryptographic keys. While frequent rotation is not always feasible for secure boot keys due to hardware constraints, keys should be refreshed when logical opportunities arise.

Manufacturers can implement automated systems to rotate keys at set intervals and make use of key derivation functions to create new keys without exposing the base key to external environments. This reduces the risks associated with long-term key usage.

Even with extensive security measures, systems may still be compromised, and in some instances may require key revocation mechanisms. Some SoCs may have secure boot keys that are fused during manufacturing and cannot be replaced without physical access. However, manufacturers can design devices that allow for key revocation lists (KRLs) that act as a blocklist when keys are no longer trusted. Alternatively, they can implement secondary verification chains to disable compromised keys without changing the hardware.
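The two ideas above, deriving per-generation signing keys from a base secret that never leaves the HSM and consulting a key revocation list before trusting a signature, are easier to reason about in code. The following is an added example written for this post, not code from Konsulko Group or from any SoC vendor's boot ROM. It models the bootloader's trust store as a small Go program: HKDF (RFC 5869, implemented here over HMAC-SHA256) derives an Ed25519 signing seed from a base secret plus a generation label, so rotating keys means changing the label rather than exporting the base secret; the bootloader then refuses any image whose signer ID is on the KRL, even when the signature itself verifies. The key-ID convention (truncated SHA-256 of the public key), the salt and info strings, the "gen-N" labels and the firmware bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeyID names a public key by a truncated SHA-256 of its bytes (constructed convention).
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// hkdfSHA256 is RFC 5869 extract-then-expand over HMAC-SHA256.
// Only the derived output leaves this function; the base key (ikm) is never exposed.
func hkdfSHA256(ikm, salt, info []byte, length int) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var okm, t []byte
	for i := byte(1); len(okm) < length; i++ {
		m := hmac.New(sha256.New, prk)
		m.Write(t)
		m.Write(info)
		m.Write([]byte{i})
		t = m.Sum(nil)
		okm = append(okm, t...)
	}
	return okm[:length]
}

// DeriveSigningKey turns the HSM-resident base secret plus a generation label into an
// Ed25519 key pair. Rotation is a new label; the base secret stays where it is.
func DeriveSigningKey(base []byte, generation string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := hkdfSHA256(base, []byte("secure-boot-salt"), []byte("fw-signing/"+generation), ed25519.SeedSize)
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// SignedImage is what the bootloader receives: firmware, signer key ID, signature.
type SignedImage struct {
	Firmware  []byte
	SignerID  string
	Signature []byte
}

// Sign produces a signed image; the signer ID lets the verifier pick the right anchor.
func Sign(priv ed25519.PrivateKey, fw []byte) SignedImage {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedImage{Firmware: fw, SignerID: KeyID(pub), Signature: ed25519.Sign(priv, fw)}
}

// Bootloader holds the trust anchors and the key revocation list (KRL).
type Bootloader struct {
	Trusted map[string]ed25519.PublicKey
	Revoked map[string]bool // the KRL: key IDs that must no longer be honoured
}

var (
	ErrRevokedKey = errors.New("signer key is on the revocation list")
	ErrUnknownKey = errors.New("signer key not in trust store")
	ErrBadSig     = errors.New("firmware signature verification failed")
)

// Verify consults the KRL first: a revoked key fails even if its signature is valid.
func (b *Bootloader) Verify(img SignedImage) error {
	if b.Revoked[img.SignerID] {
		return ErrRevokedKey
	}
	pub, ok := b.Trusted[img.SignerID]
	if !ok {
		return ErrUnknownKey
	}
	if !ed25519.Verify(pub, img.Firmware, img.Signature) {
		return ErrBadSig
	}
	return nil
}

func main() {
	base := make([]byte, 32) // stands in for the HSM-held base secret
	if _, err := rand.Read(base); err != nil {
		panic(err)
	}
	pub1, priv1 := DeriveSigningKey(base, "gen-1")
	pub2, priv2 := DeriveSigningKey(base, "gen-2")
	bl := &Bootloader{
		Trusted: map[string]ed25519.PublicKey{KeyID(pub1): pub1, KeyID(pub2): pub2},
		Revoked: map[string]bool{},
	}
	fw := []byte("constructed firmware image v1") // constructed sample payload
	fmt.Println("gen-1 signed image:", bl.Verify(Sign(priv1, fw)))
	bl.Revoked[KeyID(pub1)] = true // gen-1 is compromised: add it to the KRL
	fmt.Println("gen-1 after revocation:", bl.Verify(Sign(priv1, fw)))
	fmt.Println("gen-2 signed image:", bl.Verify(Sign(priv2, fw)))
	tampered := Sign(priv2, append([]byte(nil), fw...))
	tampered.Firmware[0] ^= 0xff
	fmt.Println("gen-2 tampered image:", bl.Verify(tampered))
}
```

The ordering inside `Verify` is the point of the revocation mechanism: the KRL check runs before any signature math, so a leaked gen-1 key is useless to an attacker once the device has received the updated list, and the trust anchors themselves never have to change. On a real SoC the trusted map and the KRL would live in fused OTP bits or an authenticated, monotonically versioned blob rather than in program memory.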

Building secure embedded systems

Secure boot processes and strong key management form the foundation of a trustworthy supply chain. Manufacturers that prioritize security measures enhance product reliability, safety, and user trust. Maintaining strong security practices also provides a competitive advantage as cybercriminals become increasingly advanced and look to manipulate or gain access to systems through any means.

Regulatory pressures are likely to increase, making robust key management not only a best practice but also a compliance necessity. Manufacturers that invest in secure boot processes will not only protect devices but will also ensure that they’re compliant with any regulatory mandates.


Pete Popov has over 25 years of experience in the high-tech industry in Silicon Valley. Pete holds a Bachelor of Science degree in electrical engineering from California Polytechnic State University. A Linux user since 1995, Pete made Linux a full-time career in 2000 when he joined MontaVista Software as a kernel developer. In 2012 he went on to establish Konsulko Group, where he serves as CEO.
