IoT Security is entering its most chaotic phase—and we’re not ready.
My recent conversation with Sanjay Bahl and Joe Grand exposed some hard truths
I recently had the opportunity to sit down with two people on very different ends of the security spectrum:
Sanjay Bahl, Director General at CERT-In – to discuss how IoT security is evolving through policy, compliance, and government initiatives.
Joe Grand (aka Kingpin), legendary hardware hacker – to explore the gritty side of reverse engineering hardware wallets and why “unhackable” is a myth.
These conversations weren’t meant to overlap—but they did.
In ways that most security leaders still aren’t acknowledging.
⚖️ From Frameworks to Failures: The Regulatory Wake-Up Call
With Sanjay, we touched on something critical:
“Compliance is not security. And if you treat it that way, you're not just checking boxes—you're gambling with your product.”
Key points:
Regulations around IoT devices are no longer optional. They're evolving fast across geographies.
One-time certifications don’t account for firmware updates, threat landscape changes, or third-party integrations.
EXPLIoT was built to automate these assessments, because manual, one-off security assessments don’t scale to the pace at which firmware ships.
🎯 Takeaway: If you're building or selling IoT products, start embedding compliance checks into your CI/CD pipeline so every firmware build is re-assessed, not just the one that was certified. Yesterday.
🔓 From Locked Wallets to Open Realities: What Joe Grand Showed Us
Joe’s story started with a random email:
“Hey, I have $2 million stuck in a Trezor wallet. Can you help?”
What followed was a deep rabbit hole into fault injection, chip-level forensics, and human failure.
Key insights from Joe:
Humans are the weakest link when it comes to hardware wallets. Most crypto losses come from phishing, poor OPSEC, or forgotten passphrases.
“Secure Element” ≠ Secure. A secure element raises the cost of an attack; it doesn’t make one impossible. And every secure design still inherits the flaws of the components it’s built with.
Real-world hacking isn’t glamorous. It’s scientific. Joe spent years refining his fault injection techniques just to crack older microcontrollers.
🎯 Takeaway: Don't just bet on “new hardware = better security.” Upgrade based on threat models, not marketing.
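To make the fault injection point concrete, here is an added example (not code from the original post, from Joe Grand, or from any wallet vendor). It is a software model of a single-glitch attacker: the constructed global g_fault_target forces the outcome of exactly one comparison branch to “pass”, which is the effect a well-timed voltage or clock glitch has on a real microcontroller. The sample PIN, the function names and the fault model are all assumptions for illustration. The naive check falls to one glitch and even resets the retry counter; the hardened check charges the attempt first and requires three independently computed results to agree, so a single corrupted branch is outvoted.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PIN_LEN   4
#define MAX_TRIES 3

/* Constructed fault model (assumption, not real hardware): the attacker gets
 * exactly one glitch per attempt and uses it to force the outcome of one
 * comparison branch to "pass". 0 means no glitch this attempt. */
int g_fault_target = 0;

static bool checked(int check_id, bool real_result)
{
    return (check_id == g_fault_target) ? true : real_result;
}

typedef bool (*verify_fn)(const uint8_t *, const uint8_t *, int *);

/* Naive firmware: one early-exit compare, retry counter charged afterwards. */
bool verify_pin_naive(const uint8_t *entered, const uint8_t *stored, int *tries)
{
    if (*tries <= 0)
        return false;
    if (checked(1, memcmp(entered, stored, PIN_LEN) == 0)) {
        *tries = MAX_TRIES;          /* unlock and reset the counter */
        return true;
    }
    (*tries)--;                      /* penalty only on the failure path */
    return false;
}

/* Constant-time difference: 0 iff the buffers are equal, no early exit. */
static uint8_t ct_diff(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (uint8_t)(a[i] ^ b[i]);
    return acc;
}

/* Hardened firmware: penalty committed before comparing, three independently
 * computed checks, so one corrupted branch is outvoted by the other two. */
bool verify_pin_hardened(const uint8_t *entered, const uint8_t *stored, int *tries)
{
    if (*tries <= 0)
        return false;
    (*tries)--;                      /* charge the attempt first */
    uint8_t d1 = ct_diff(entered, stored, PIN_LEN);
    uint8_t d2 = ct_diff(stored, entered, PIN_LEN);   /* recomputed, not copied */
    bool ok1 = checked(1, d1 == 0);
    bool ok2 = checked(2, d2 == 0);
    bool ok3 = checked(3, (uint8_t)(d1 | d2) == 0);
    if (ok1 && ok2 && ok3) {
        *tries = MAX_TRIES;
        return true;
    }
    return false;
}

static const uint8_t STORED_PIN[PIN_LEN] = {1, 2, 3, 4};  /* constructed sample */
static const uint8_t WRONG_PIN[PIN_LEN]  = {0, 0, 0, 0};  /* attacker's guess */

/* One wrong-PIN attempt with a glitch on check `target`; returns whether it unlocked. */
static bool run_attack(verify_fn verify, int target, int *tries)
{
    *tries = MAX_TRIES;
    g_fault_target = target;
    bool unlocked = verify(WRONG_PIN, STORED_PIN, tries);
    g_fault_target = 0;
    return unlocked;
}

bool attack_unlocks(verify_fn verify, int target)
{
    int t;
    return run_attack(verify, target, &t);
}

int tries_left_after_attack(verify_fn verify, int target)
{
    int t;
    run_attack(verify, target, &t);
    return t;
}

/* Legitimate use: correct PIN, no glitch; true if it unlocks and resets the counter. */
bool legit_unlocks(verify_fn verify)
{
    int tries = MAX_TRIES;
    g_fault_target = 0;
    return verify(STORED_PIN, STORED_PIN, &tries) && tries == MAX_TRIES;
}

int main(void)
{
    printf("naive,    glitch check 1: %s\n",
           attack_unlocks(verify_pin_naive, 1) ? "UNLOCKED" : "locked");
    for (int t = 1; t <= 3; t++)
        printf("hardened, glitch check %d: %s (tries left %d)\n", t,
               attack_unlocks(verify_pin_hardened, t) ? "UNLOCKED" : "locked",
               tries_left_after_attack(verify_pin_hardened, t));
    return 0;
}
```

The model is deliberately optimistic in one way: a real glitch lands on whatever instruction the compiler emitted, and an optimiser is free to merge the three redundant checks or the final combined branch back into one. In firmware this is why such code is inspected at the disassembly level, with volatile accesses and deliberately diverse check sequences, and why double-glitch attacks are part of the threat model for anything more valuable than a demo.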
🔥 A Bridge Between the Two:
The overlap between Joe and Sanjay’s world is exactly where most orgs screw up.
They focus on the obvious:
Certifications.
Shiny hardware.
Press releases with “secure” in the headline.
And they forget the messy middle:
Firmware is never final.
Chip-level vulnerabilities don’t announce themselves.
Attackers don’t care about your compliance checklists—they care about impact.
⚙️ What This Means for You:
Whether you’re building embedded devices or deploying IoT at scale:
Map your supply chain. You can’t secure what you don’t understand.
Audit assumptions. If your team believes something is unhackable, test it until it breaks.
Use automation + expertise. Platforms like EXPLIoT make this repeatable. People like Joe make it real.
💬 Over to You:
Are you prioritising compliance or actual resilience?
Because the regulators are watching.
But so are the hackers.
📺 If you haven’t already—catch both these conversations: