Conferences and supporting programme
Designing a Secure and Reliable OTA Update Mechanism for IoT Endpoints
OTA (Over-The-Air) updates are critical for IoT devices, enabling bugs or security flaws to be patched remotely. However, if an OTA update fails and results in a "bricked" device, or injects malware that causes security breaches for end users, the reputational damage may be significant. In this paper, we examine the embedded software architecture required on an IoT device to implement a secure and reliable OTA update process. This discussion draws from an RTOS-based implementation for an Arm Cortex-M-based wireless microcontroller. We give an overview of the steps in an OTA update and then explore each step in more detail. The first step is to securely download the OTA update from a trusted source. We consider alternative implementations, such as using an existing telemetry channel or discovering and downloading from a dedicated OTA server, including a discussion of the relevant networking protocols (e.g. MQTT, TLS, mDNS, DNS-SD, OCSP). Next, the IoT device must verify that the OTA update matches what was sent from the server, both to counter man-in-the-middle attacks and to detect corruption from transmission errors. We discuss the use of code signing certificates and secure bootloader implementations that enforce the use of signed images. The final step is booting the updated image. We describe a fail-safe booting mechanism that enables a "trial boot": the new image runs a test to verify that it is working correctly and, if the test fails, the bootloader reverts to the previous working image to avoid bricked devices.
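The verification and trial-boot steps above can be shown as a small boot-control state machine. The following C program is an added illustration written for this page, not code from the paper or its RTOS implementation; every name in it is an assumption. It models two firmware slots and a persistent boot-control record: an image is accepted only if it is intact (CRC-32, which covers transmission errors only) and its signature verifies (here a stub hook standing in for certificate-based signature verification against a key pinned in the bootloader); a staged image is booted in trial mode, and if the application never confirms it within a fixed number of boots, the bootloader reverts to the previous working slot.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: dual-slot boot control with trial boot and rollback. All names are
 * assumptions for illustration; the signature check is a stub, not real crypto. */

#define PAYLOAD_LEN 32
#define MAX_TRIAL_BOOTS 3            /* unconfirmed boots allowed before reverting */

typedef struct {
    uint32_t version;
    uint32_t payload_crc;            /* catches corruption from transmission errors */
    uint8_t  payload[PAYLOAD_LEN];
    uint8_t  signature[8];           /* constructed stand-in for a real signature */
} image_t;

/* Hook for signature verification; a real bootloader would verify e.g. ECDSA against
 * a pinned public key here. The CRC alone is NOT a defence against tampering. */
typedef bool (*verify_fn)(const image_t *img);

typedef enum { STATE_ACTIVE = 0, STATE_TRIAL = 1 } boot_state_t;

typedef struct {            /* persisted in non-volatile storage by the bootloader */
    int          active;             /* slot (0 or 1) known to work */
    int          pending;            /* slot under trial */
    boot_state_t state;
    uint8_t      trial_boots;        /* saved BEFORE each trial jump so a hang counts */
} boot_ctrl_t;

/* Standard CRC-32 (IEEE 802.3), bitwise form. */
uint32_t crc32(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Bootable only if intact AND signed. */
bool image_valid(const image_t *img, verify_fn verify)
{
    if (crc32(img->payload, PAYLOAD_LEN) != img->payload_crc) return false;
    return verify(img);
}

/* After download: stage the new slot for a trial boot. Rejected images change nothing. */
bool ota_stage(boot_ctrl_t *bc, const image_t slots[2], int target, verify_fn verify)
{
    if (target == bc->active || !image_valid(&slots[target], verify)) return false;
    bc->pending = target; bc->state = STATE_TRIAL; bc->trial_boots = 0;
    return true;
}

/* Bootloader decision at reset: slot to jump to, or -1 if nothing is bootable. */
int boot_select(boot_ctrl_t *bc, const image_t slots[2], verify_fn verify)
{
    if (bc->state == STATE_TRIAL) {
        if (bc->trial_boots < MAX_TRIAL_BOOTS && image_valid(&slots[bc->pending], verify)) {
            bc->trial_boots++;       /* would be written to NVM before the jump */
            return bc->pending;
        }
        bc->state = STATE_ACTIVE;    /* budget exhausted or image bad: revert */
        bc->pending = bc->active;
    }
    return image_valid(&slots[bc->active], verify) ? bc->active : -1;
}

/* Called by the new image once its self-test passes: promote it to known-good. */
void app_confirm(boot_ctrl_t *bc)
{
    if (bc->state != STATE_TRIAL) return;
    bc->active = bc->pending; bc->state = STATE_ACTIVE; bc->trial_boots = 0;
}

/* ---- constructed test fixtures ---- */
static const uint8_t GOOD_SIG[8] = {0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02, 0x03, 0x04};
bool stub_verify(const image_t *img) { return memcmp(img->signature, GOOD_SIG, 8) == 0; }

void make_image(image_t *img, uint32_t version, uint8_t fill, bool signed_ok)
{
    memset(img, 0, sizeof *img);
    img->version = version;
    memset(img->payload, fill, PAYLOAD_LEN);
    img->payload_crc = crc32(img->payload, PAYLOAD_LEN);
    if (signed_ok) memcpy(img->signature, GOOD_SIG, 8);
}

/* New image in slot 1 never confirms: slot booted once the trial budget is spent. */
int scenario_unconfirmed(void)
{
    image_t slots[2]; make_image(&slots[0], 1, 0xAA, true); make_image(&slots[1], 2, 0xBB, true);
    boot_ctrl_t bc = { .active = 0, .pending = 0, .state = STATE_ACTIVE, .trial_boots = 0 };
    if (!ota_stage(&bc, slots, 1, stub_verify)) return -2;
    int booted = -1;
    for (int i = 0; i < MAX_TRIAL_BOOTS + 1; i++) booted = boot_select(&bc, slots, stub_verify);
    return booted;                   /* 0: reverted to the previous working image */
}

/* New image confirms on its first trial boot: slot booted afterwards. */
int scenario_confirmed(void)
{
    image_t slots[2]; make_image(&slots[0], 1, 0xAA, true); make_image(&slots[1], 2, 0xBB, true);
    boot_ctrl_t bc = { .active = 0, .pending = 0, .state = STATE_ACTIVE, .trial_boots = 0 };
    ota_stage(&bc, slots, 1, stub_verify);
    boot_select(&bc, slots, stub_verify);
    app_confirm(&bc);                /* self-test passed inside the new image */
    return (bc.state == STATE_ACTIVE && bc.active == 1) ? boot_select(&bc, slots, stub_verify) : -1;
}

/* Corrupted and unsigned downloads must never be staged. */
bool scenario_rejects_bad_images(void)
{
    image_t slots[2]; make_image(&slots[0], 1, 0xAA, true); make_image(&slots[1], 2, 0xBB, true);
    slots[1].payload[5] ^= 0x01;     /* simulated bit error in transit */
    boot_ctrl_t bc = { .active = 0, .pending = 0, .state = STATE_ACTIVE, .trial_boots = 0 };
    bool corrupt_rejected = !ota_stage(&bc, slots, 1, stub_verify);
    make_image(&slots[1], 2, 0xBB, false);   /* intact but carries no valid signature */
    bool unsigned_rejected = !ota_stage(&bc, slots, 1, stub_verify);
    return corrupt_rejected && unsigned_rejected && bc.state == STATE_ACTIVE;
}

int main(void)
{
    printf("unconfirmed trial boots to slot %d\n", scenario_unconfirmed());
    printf("confirmed trial boots to slot %d\n", scenario_confirmed());
    printf("bad images rejected: %s\n", scenario_rejects_bad_images() ? "yes" : "no");
    return 0;
}
```

The detail that matters in practice is the order of operations in `boot_select`: the trial counter is incremented and persisted before jumping to the pending image, so an image that hangs and is reset by the watchdog still consumes one attempt and cannot loop forever. The image itself never clears that counter; only a successful self-test followed by `app_confirm` does.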
Date: 28.02.2019
Time: 10:30 - 11:00
Location: Conference Counter NCC Ost