If the device doesn't have a secure element, how can anyone take it seriously as a strong root of trust? The page lists several recent attacks on secure element, but that's not really enough to convince me that no secure element is needed.
This is an interesting question. I would like to see more discussion like this in the security community. Of course this question should be proceeded by the question of what actually qualifies as a secure element? Who decides it's secure? If it's just an MCU with some basic security features you have to sign an N DA to even test is that a secure element? Is it possible to create an open source secure element without an NDA required?
