In this article Martin Kuppinger from KuppingerCole Analysts discusses a security leak in a device used for controlling heating systems.
It’s shocking but I am not surprised. IT history is riddled with cases of devices, protocols and standards that required solid security but failed. Mostly they failed because people thought they didn’t need experts to build in security. Probably the most common failure in IT security: thinking you don’t need experts.
Who remembers WEP or even S/MIME, PKCS#7, MOSS, PEM, PGP and even XML?
The last link shows how simple sign & encrypt is not a fail safe solution:
Simple Sign & Encrypt, by itself, is not very secure. Cryptographers know this well, but application programmers and standards authors still tend to put too much trust in simple Sign-and-Encrypt.
The moral of the story is: unless you really are an IT security expert, never ever design security solutions yourself. Stick to well known solutions, preferably in tested and proven libraries or products. Even then, I strongly encourage you to consult an expert, it’s just too easy to naively apply the, otherwise good, solution in the wrong way.