No amount of proprietary screws or complicated locking mechanisms for your device will reliably keep its internals safe. As with apps, they are deployed into hostile territory, no secrets are safe on the device.
An alarming number of devices on the market today ignore this fact and use default users and/or passwords, which are often shared amongst every device from a product-line. As soon as these credentials are found out, they are available freely on the internet. Using default credentials circumvents an integral security aspect of these systems, which inevitably leads to less secure devices.
Leftover serial connectors or debug headers on the production hardware make accessing any software running on the device simple. Sometimes, these interfaces can even be used to gain full control over the hardware, to the point where it could run entirely different software. This can open even the most fenced-off device to a very thorough examination, underlining once again that security is not where you should cut costs.
A brief checklist:
- Use security protocols that don't rely on permanently stored secrets shared between multiple devices
- If you can, put any stored secrets into a dedicated hardware security module
- Force a change of factory defaults when the initial user takes ownership
- If possible, remove any debug or serial headers from the production hardware
- Utilize timing randomisation techniques to mitigate side channel attacks