What 40 million daily users taught us about device security

Lessons learnt from 20 years of engineering the world’s largest connected TV platforms.


For more than two decades, Consult Red has been building the software behind some of the world’s largest connected TV platforms – products used every single day by tens of millions of people across the US, UK, Europe and beyond.

These are devices that sit quietly in homes and businesses, connected to the internet and often untouched for years, yet expected to remain reliable, safe, and secure despite evolving cyber threats.

Over more than 20 years, we’ve tackled everything from secure boot chains to encrypted in-field updates, from supply‑chain integrity to hardening Linux‑based platforms, and from mitigating real‑world vulnerabilities to designing operator‑grade security processes that work at global scale – all for some of the leading pay-TV operator brands. This experience with connected TV products gives us a strong understanding of what it takes to secure a huge fleet of edge devices.

In this article, we share the security lessons we learned from connected TV that apply to other connected devices – whether consumer devices (such as broadband gateways), or industrial products and edge devices.

Why connected TV is a security stress test

Connected TV has been a demanding environment for secure, connected-device engineering since the early 2000s. Long before “IoT” became a buzzword, operators like Sky and DirecTV were managing millions of always-on devices in uncontrolled environments, and Consult Red was engineering the platforms that had to stay secure at that scale. These challenges included:

A truly distributed fleet

Devices in homes, bars and hotels operate outside controlled environments. They face heat, dust, power outages, intermittent broadband, and the risk of being unplugged for months.

Long lifecycles

Operators expect devices to run securely for a decade or more. That means security measures designed at launch must remain effective long after the threat landscape has changed.

A fragmented hardware landscape

New hardware variants appeared each year as operators sought lower costs and new features. Different processors, memory footprints and peripheral configurations all had to be supported by a single software stack.

Constrained hardware

To reduce costs, TV devices shipped with tight memory budgets, modest processing capability and limited secure storage. Every security function had to earn its place within strict resource limits.

Scale amplifies everything

A bug affecting just 0.1% of devices across a million-strong fleet still means a thousand support calls. At tens of millions of devices, even rare edge cases become operational problems.

High-value content to protect

Premium video services impose strict content protection requirements on device manufacturers. That creates strong commercial incentives for attackers — and high consequences when security fails.

The threat model

TV operators face a broad spectrum of security threats that now apply equally to modern connected devices, broadband equipment, smart home systems and industrial platforms. While specific risks vary by product, the attack goals are consistent:

Access to the device’s core functionality

For a set-top box, the primary purpose is to deliver premium video content. That makes the device itself an obvious target: attackers attempt to compromise the software stack to gain direct access to decrypted video streams or bypass content protection controls.

The same thing applies across other connected devices. Whether it’s a smart thermostat, a gateway, or industrial equipment, attackers often seek to seize control of the core function, to misuse it, monetise it, or repurpose it as an entry point into a wider system.

Exfiltration of security keys and credentials

Early TV security schemes often relied on secret keys stored on the device or on an associated smart card. If an attacker managed to extract just one set of decryption keys, they could enable large-scale fraud, unlocking protected content for thousands of unauthorised users.

This generalises to any device that holds device-resident secrets, such as access tokens, TLS credentials, Wi-Fi passwords or cloud service keys. Attackers will try to extract these secrets from a device and use them to launch a broader attack.

Denial of Service attacks

If an attacker were able to disrupt TV service during a major live event (such as a Super Bowl, a royal wedding or an Olympics opening ceremony), the reputational damage to the operator could be enormous.

But the consequences of a denial-of-service attack on a TV system could be trivial compared to one on industrial devices. A coordinated denial-of-service attack against energy equipment, water systems, or transport infrastructure could become a full national security incident.

Access to user data

A person’s TV viewing history may seem mundane, but it can reveal a surprising amount about identity, household routines, interests and behavioural patterns. Such data may be covered by privacy regulations such as the General Data Protection Regulation (GDPR) in the EU and equivalents in other jurisdictions.

The same is true of other connected devices: an electricity meter, for example, reveals when a user is likely to be at home. More than this, a compromised device can be repurposed as a sensor: a foothold for spying on the user, their network or their environment.

What developing tens of millions of devices taught us about secure foundations

A chain of trust you can rely on

If you can’t guarantee the integrity of the software running on the device, everything else becomes meaningless. That means you need a trusted secure boot chain that is cryptographically verified from the very first instruction executed on power‑on. Modern TV SoCs support this with an immutable boot ROM that performs the initial verification step and hardware‑protected OTP storage that anchors a device’s root of trust (for example, a public‑key hash or verification policy).

From there, each stage verifies the next: bootloader, kernel and platform components, often using on‑chip cryptographic functions and, where available, a secure trusted execution environment to protect sensitive operations and enforce anti‑rollback rules.

Every device must stand alone

No two devices should ever share the same secrets. When you assume that one device will eventually fall into an attacker’s hands, the design goal becomes clear: compromise of a single unit must remain local, not fleet-wide.

That requires per-device keys, per-device certificates, secure provisioning flows, and key rotation and revocation mechanisms that operate reliably even when devices come online only sporadically.

As important as “keeping the bad guys out” is “containing the blast radius when they get in”; that containment is one of the most powerful resilience mechanisms in connected systems.

Secure updates are essential

Threats evolve constantly. The only sustainable defence is the ability to update devices securely and reliably, regardless of age, location, or network conditions.

Update systems should assume everything can go wrong: power loss mid-flash, corrupt downloads, intermittent connectivity, user-triggered resets. You need robust, signed, atomic update mechanisms with verified manifests, rollback protection and staged deployments that limit risk.
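As an added example (not Consult Red’s code, and not a description of any particular operator’s update system), a minimal Go model of the signed-manifest, anti-rollback and A/B-slot flow described here and in the chain-of-trust section above: the same Verify check that a boot stage would run on the next stage is what the updater runs on a download. The Manifest layout, the Device state and all names are assumptions; the manifest digest, version and slot handling are simplified for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Manifest is a constructed minimal format; the signature covers SignedBytes.
type Manifest struct {
	Version uint32   // monotonically increasing image version
	Digest  [32]byte // SHA-256 of the image payload
	Sig     []byte   // Ed25519 signature produced by the operator's signing service
}
// SignedBytes is the message the operator signs: version || digest.
func SignedBytes(m Manifest) []byte {
	return append(binary.BigEndian.AppendUint32(nil, m.Version), m.Digest[:]...)
}
// Device models verifier state: OTP-anchored hash of the signing key,
// anti-rollback counter, two A/B image slots and the active slot index.
type Device struct {
	RootHash   [32]byte
	MinVersion uint32
	Slots      [2][]byte
	Active     int
}

// Verify is the check a boot stage runs on the next stage and the updater runs
// on a download: anchored key, valid signature, matching digest, no rollback.
func (d *Device) Verify(pub ed25519.PublicKey, m Manifest, payload []byte) error {
	switch {
	case sha256.Sum256(pub) != d.RootHash:
		return errors.New("public key does not match root of trust")
	case !ed25519.Verify(pub, SignedBytes(m), m.Sig):
		return errors.New("bad manifest signature")
	case sha256.Sum256(payload) != m.Digest:
		return errors.New("payload digest mismatch")
	case m.Version <= d.MinVersion:
		return errors.New("rollback rejected")
	}
	return nil
}
// Apply writes the inactive slot first and only then flips the active index and
// bumps the counter, so an interrupted update leaves the old image bootable.
func (d *Device) Apply(pub ed25519.PublicKey, m Manifest, payload []byte) error {
	if err := d.Verify(pub, m, payload); err != nil {
		return err
	}
	d.Slots[1-d.Active] = append([]byte(nil), payload...)
	d.Active, d.MinVersion = 1-d.Active, m.Version
	return nil
}
```

The distinct error strings are deliberate: they are exactly the counters a device would report back as telemetry (repeated “bad manifest signature” across a cohort is the pattern the next section describes).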

Telemetry makes the fleet defensible

Security incidents rarely announce themselves. Instead, they appear as patterns: unusual spikes in crashes, repeated failed signature checks, devices taking odd network paths, or unexpected reboots across a cohort.

To spot what’s going on, operators need sufficient visibility to distinguish “normal weirdness” from “malicious weirdness” without collecting sensitive user data, consuming excessive bandwidth, overloading backend systems, or incurring exorbitant cloud-logging costs.
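An added example of the cohort-level view this calls for (not Consult Red’s code or any operator’s backend): constructed daily counter reports keyed by a pseudonymous device ID, aggregated by hardware model and firmware version, with an alert only when a whole cohort’s signature-failure rate stands out from a baseline. The report format, cohort key, thresholds and sample values are assumptions.

```go
package main

import "sort"

// Report is a constructed daily telemetry record: pseudonymous ID and counters only.
type Report struct {
	DeviceID, Model, Firmware string
	Boots, SigFail, Crashes   int
}
// Cohort slices the fleet by hardware model and firmware version.
type Cohort struct{ Model, Firmware string }
type Alert struct { Cohort Cohort; Devices int; Rate float64 } // Rate = signature failures per boot
// SampleReports is constructed input: cohort A/1.2.0 is healthy, one A device on an
// old build is noisy on its own, and cohort B/2.0.1 fails signature checks widely.
var SampleReports = []Report{
	{"d1a7", "A", "1.2.0", 10, 0, 0},
	{"9f02", "A", "1.2.0", 10, 0, 1},
	{"33c1", "A", "1.2.0", 10, 1, 0},
	{"b8e4", "A", "1.2.0", 10, 0, 0},
	{"0d55", "A", "1.1.0", 10, 20, 0},
	{"e71b", "B", "2.0.1", 5, 3, 2},
	{"6a90", "B", "2.0.1", 5, 4, 1},
	{"c4d8", "B", "2.0.1", 5, 2, 3},
}
// FindAnomalousCohorts flags cohorts whose signature-failure rate exceeds baseline*factor
// across at least minDevices devices: one faulty box stays quiet, a bad image or campaign does not.
func FindAnomalousCohorts(reports []Report, baseline, factor float64, minDevices int) []Alert {
	type agg struct{ devices, boots, sigFail int }
	sums := map[Cohort]*agg{}
	for _, r := range reports {
		c := Cohort{r.Model, r.Firmware}
		if sums[c] == nil {
			sums[c] = &agg{}
		}
		sums[c].devices++
		sums[c].boots += r.Boots
		sums[c].sigFail += r.SigFail
	}
	var alerts []Alert
	for c, a := range sums {
		if a.devices < minDevices || a.boots == 0 {
			continue
		}
		if rate := float64(a.sigFail) / float64(a.boots); rate > baseline*factor {
			alerts = append(alerts, Alert{c, a.devices, rate})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Rate > alerts[j].Rate })
	return alerts
}
```

The minDevices gate is what separates “normal weirdness” (a single unit with a flaky flash) from “malicious weirdness” (a whole firmware cohort rejecting images), and the reports carry no viewing data at all.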

From TV to everything else: how these lessons carry over

The most valuable thing we learned from connected TV is how to secure large fleets of connected devices that must survive for years in unpredictable environments. That experience now maps directly onto two spaces undergoing rapid, high-stakes transformation: broadband and industrial edge systems. These devices haven’t just become connected; they have become critical infrastructure.

Broadband gateways: the new front line

Broadband equipment already faces many of the pressures that shaped TV security: always-on connectivity, unmanaged physical environments, constrained hardware budgets and long operational lifespans. As broadband devices have grown more capable, their risk profile has increased.

A compromised router exposes far more than a TV screen. It can reveal a user’s entire home network, provide a foothold for lateral movement, or be pulled into large botnets. Gateways also support a growing set of features, including mesh networking, cloud-connected services, parental controls, voice assistants, remote diagnostics and multi-radio designs. More capability creates a larger attack surface.

Lessons from connected TV translate directly:

  • Per-device identity, keys and credentials limit the impact of individual compromises.
  • Atomic, signed updates can be applied without risking bricking the device, which is critical when the device itself provides the user’s connection.
  • Telemetry is key to detecting compromised units and unusual behaviour.
  • Hardware-rooted trust prevents attackers from subverting the boot chain.

Broadband equipment sits at the boundary between the public internet and the private network. That boundary is too important to rely on immature security practices.


Industrial and edge systems: where security meets safety

In factories, utilities, energy systems, logistics operations and remote monitoring deployments, connected devices are not conveniences. They are part of the operational backbone, and failures can have serious consequences.

Industrial devices face additional challenges:

  • Strict uptime requirements. Maintenance windows may be limited or non-existent, and downtime can be costly.
  • Harsh environments. Vibration, dust, heat, moisture and electrical noise all threaten stability, which is essential for security.
  • Long operational lifespans. Devices may need to run securely for 10–20 years, often outliving their original OS or toolchain.
  • High-consequence failure modes. A failure can halt production, corrupt a process, misread a sensor or bring machinery to a stop. In this context, security failures become safety failures.

Here, the lessons from connected TV become even more critical:

  • Updates must be deployable without disrupting operations.
  • Fallback behaviour must be predictable and safe.
  • Identity must resist physical tampering.
  • Telemetry must be lightweight and compliant with industrial constraints.

Industrial devices share many characteristics with early set-top boxes: constrained hardware, distributed installations, difficult physical access and long service lifetimes. The major difference is that the cost of failure is far greater.


Key takeaways - five key principles

Distilling our decades of experience leads us to these five principles for securing any connected device:

Assume compromise, limit the damage

Design to ensure that a single compromised device cannot compromise the fleet. Per-device identity, hardware-anchored trust and minimal shared secrets turn worst-case scenarios into manageable events.

Prioritise the secure update process

Security depends on the ability to update devices reliably for years. Safe, atomic, signed updates and predictable fallback behaviour keep products resilient long after they ship.

Design for the world as it is

Devices will be unplugged, misconfigured, overheated, intermittently connected, and occasionally neglected. Building for messy real-world conditions is the only way security holds up outside controlled environments.

Use telemetry wisely

Lightweight, targeted telemetry provides early warning of developing issues, helps triage incidents, and lets you verify that a fix has worked.

Prioritise lifecycle, not launch day

The longer a device is expected to live, the more important maintainability becomes. Long-term security depends on clean update paths, long-lived trust anchors, and design decisions that won’t collapse in five years.

If you’re building or scaling a connected device programme and want to stress-test your security approach, we’re happy to walk through how these principles apply to your project.