diff --git a/core/embed/prodtest/optiga_prodtest.c b/core/embed/prodtest/optiga_prodtest.c
index 616a0d4465e..bdcdb9f77a3 100644
--- a/core/embed/prodtest/optiga_prodtest.c
+++ b/core/embed/prodtest/optiga_prodtest.c
@@ -143,6 +143,12 @@ void pair_optiga(void) {
   uint8_t secret[SECRET_OPTIGA_KEY_LEN] = {0};
 
   if (secret_optiga_get(secret) != sectrue) {
+    if (secret_optiga_writable() != sectrue) {
+      // optiga pairing secret is unwritable, so fail
+      optiga_pairing_state = OPTIGA_PAIRING_ERR_WRITE_FLASH;
+      return;
+    }
+
     // Generate the pairing secret.
     if (OPTIGA_SUCCESS != optiga_get_random(secret, sizeof(secret))) {
       optiga_pairing_state = OPTIGA_PAIRING_ERR_RNG;