You are responsible for the security architecture of a simple smart home device with a microcontroller, local sensors, Wi-Fi connectivity, a mobile app for setup, and a cloud service for telemetry and firmware updates. The device stores Wi-Fi credentials, exposes a short-lived provisioning surface during onboarding, and must continue basic local operation if the network is unavailable. A recent review found that the initial design treated the home network as trusted and did not define how firmware authenticity, device identity, or incident handling would work.
How would you design this embedded system so it is secure by default across manufacturing, provisioning, normal operation, updates, and failure conditions? Be explicit about the threats you are prioritizing, the controls you would implement, and how you would verify and monitor that those controls actually work.