@mmmries is correct - The typical connection path is WSS with client-side and server-side SSL to establish that connection. On our production devices, we use the ATECCA508A/608A cryptographic chips for storing the device cert and key.
Firmwares are signed and the device has the public key to verify the file to prevent installing unknown firmware.
There is a decent amount to it so I’d recommend digging through the NervesHub documentation a bit for the gist if its of interest.
We’re also working towards root-filesystem encryption on our devices as a further step of protection when using Nerves (but this has a little bit to go)






















