With a multitude of Internet of Things (IoT) devices scattered globally, managing software remotely becomes critical to the success of enterprises that want to transform in the digital economy. IoT devices extend into the physical world, usually at large scale and far from the people who operate them, so reaching one in person is relatively costly. It is therefore not practical to replace a fielded IoT device whenever a new version of the device, its software or its applications comes to market.
New features, applications, performance improvements and security enhancements may be needed to keep IoT devices secure and functional as business and customer requirements change. The most efficient way for developers and device makers to adapt to an evolving product landscape is therefore to update the software over-the-air (OTA).
It is useful to share some best practices for supporting remote updates, since they are an increasingly important part of the IoT value chain.
A few key remote update design considerations for IoT devices
Awful stories in cybersecurity and IoT involve customers being left with bricked devices as a result of outdated software. What these stories have in common is that not only did the devices have old software running on them, but the new device operating system image was buggy, and the OTA update mechanism was not implemented in a robust and secure manner, so neither the device manufacturer nor the customer could easily roll back to the previous state.
While an IoT device's ability to receive remote updates has many advantages, it also poses security concerns. Here are some key considerations when designing a remote device update manager:
Updates must have automatic recovery from incomplete or corrupted installations
A failed update must be able to roll back to the previous stable version. A dual (A/B) partition layout on the device ensures that it can recover even if a deployment is incomplete or corrupted during installation for any reason, for example a power loss in the middle of the update. In addition, the update must be atomic: it is installed completely or not at all.
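The A/B layout and atomic commit described above, as an added example (not Mender's code): a small Go model of the state a bootloader keeps. The image is streamed into the inactive slot, the active-slot pointer is flipped in a single assignment only after the last byte is written, and the new slot stays "pending" until a boot-time health check confirms it; an interrupted write or a failed first boot both leave the old image running. The slot names, the `Install`/`Boot`/`Commit` API and the simulated power cut (`maxBytes`) are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Slot identifies one of the two root filesystem partitions (A/B layout).
type Slot int

const (
	SlotA Slot = iota
	SlotB
)

// Other returns the partition that is not s.
func (s Slot) Other() Slot { return 1 - s }

// ErrInterrupted reports an install that stopped before the image was fully written.
var ErrInterrupted = errors.New("update interrupted before the image was fully written")

// Device models the persistent state a bootloader consults: the two image slots,
// which slot is active, and whether the active slot still awaits first-boot confirmation.
type Device struct {
	images  [2][]byte
	active  Slot
	pending bool
}

// NewDevice starts with a known-good image in slot A and an empty slot B.
func NewDevice(initial []byte) *Device {
	return &Device{images: [2][]byte{initial, nil}, active: SlotA}
}

// Install streams image into the inactive slot. maxBytes simulates a power cut
// (constructed for this example): if it is smaller than len(image) the write stops
// there, the active-slot pointer is never touched, and the device keeps booting the
// old image. The switch to the new slot is one assignment made only after the last
// byte is in place, which is what makes the update atomic for the bootloader.
func (d *Device) Install(image []byte, maxBytes int) error {
	target := d.active.Other()
	buf := make([]byte, 0, len(image))
	for i, b := range image {
		if i >= maxBytes {
			d.images[target] = buf // partial contents, never referenced by active
			return ErrInterrupted
		}
		buf = append(buf, b)
	}
	d.images[target] = buf
	d.active = target // commit point
	d.pending = true  // must be confirmed by a successful boot
	return nil
}

// Boot simulates the bootloader plus the health check a freshly installed image must
// pass. An unconfirmed image that fails is abandoned and the previous slot restored.
func (d *Device) Boot(healthy func(image []byte) bool) Slot {
	if d.pending && !healthy(d.images[d.active]) {
		d.active = d.active.Other()
		d.pending = false
	}
	return d.active
}

// Commit is called by the updated system once it has proven itself (for example by
// reconnecting to the update server); from then on the bootloader no longer falls back.
func (d *Device) Commit() { d.pending = false }

// ActiveImage returns the image the bootloader would load next.
func (d *Device) ActiveImage() []byte { return d.images[d.active] }

func main() {
	dev := NewDevice([]byte("rootfs-v1"))
	// Power loss halfway through the write: the old image stays active.
	err := dev.Install([]byte("rootfs-v2"), 4)
	fmt.Printf("interrupted install: err=%v active=%q\n", err, dev.ActiveImage())
	// Complete write, but the new image fails its health check: rollback.
	_ = dev.Install([]byte("rootfs-v2-buggy"), 1<<20)
	slot := dev.Boot(func(img []byte) bool { return string(img) == "rootfs-v2" })
	fmt.Printf("after failed boot: slot=%d active=%q\n", slot, dev.ActiveImage())
	// Complete write, healthy boot, commit.
	_ = dev.Install([]byte("rootfs-v2"), 1<<20)
	slot = dev.Boot(func(img []byte) bool { return string(img) == "rootfs-v2" })
	dev.Commit()
	fmt.Printf("after good boot: slot=%d active=%q\n", slot, dev.ActiveImage())
}
```

On real hardware the `active`/`pending` flags live in bootloader environment variables or a dedicated flash sector, and the health check is whatever the product defines as "working" (typically that the updated agent can reach the server again); the point the model makes is that there is exactly one commit point and that an unconfirmed slot can always be abandoned.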
Software integrity checks are must-haves
Cryptographic code signing must be used so that the IoT device accepts code only from trusted sources and can confirm that the code has not been altered in transit from the server to the device.
Use secured communication channels
Deployments must take place over TLS-encrypted communication channels. Updates should use a device-initiated protocol such as HTTPS polling, so that no inbound ports need to be open on the device.
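The device-initiated, TLS-only polling pattern from the paragraph above, as an added Go example (not Mender's client code). The device builds an HTTPS client that trusts only the update server's CA and refuses anything below TLS 1.2, then polls a `/deployments/next` endpoint it connects to itself, so it never listens on a port. The endpoint path, the `Deployment` JSON shape, the "204 means nothing pending" convention and the in-process `httptest` server standing in for the backend are all assumptions made so the example runs offline.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Deployment is the server's answer when an update is waiting (constructed format).
type Deployment struct {
	ID          string `json:"id"`
	ArtifactURL string `json:"artifact_url"`
}

// ErrNoUpdate is returned when the server reports nothing to install.
var ErrNoUpdate = errors.New("no deployment pending")

// NewTLSClient builds the outbound-only HTTPS client the device uses. Only the supplied
// roots are trusted (not the OS store, which a compromised host could extend), TLS 1.2 is
// the floor, and a timeout bounds every poll so a stalled server cannot hang the agent.
func NewTLSClient(roots *x509.CertPool) *http.Client {
	return &http.Client{
		Timeout: 15 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				RootCAs:    roots,
				MinVersion: tls.VersionTLS12,
			},
		},
	}
}

// PollForUpdate asks the server whether a deployment is waiting for this device type.
// The device opens every connection itself, so it needs no listening port; the server
// answers 204 when there is nothing to do (assumed convention).
func PollForUpdate(c *http.Client, baseURL, deviceType string) (*Deployment, error) {
	req, err := http.NewRequest(http.MethodGet, baseURL+"/deployments/next", nil)
	if err != nil {
		return nil, err
	}
	q := req.URL.Query()
	q.Set("device_type", deviceType)
	req.URL.RawQuery = q.Encode()

	resp, err := c.Do(req)
	if err != nil {
		return nil, err // includes TLS failures such as an untrusted server certificate
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusNoContent:
		return nil, ErrNoUpdate
	case http.StatusOK:
		var d Deployment
		if err := json.NewDecoder(resp.Body).Decode(&d); err != nil {
			return nil, err
		}
		return &d, nil
	default:
		return nil, fmt.Errorf("unexpected status %d from update server", resp.StatusCode)
	}
}

// NewFakeUpdateServer stands in for the real backend so the example runs offline:
// it has one pending deployment for "gateway-rev2" and nothing for any other type.
func NewFakeUpdateServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/deployments/next" || r.URL.Query().Get("device_type") != "gateway-rev2" {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		_ = json.NewEncoder(w).Encode(Deployment{ID: "dep-0001", ArtifactURL: "https://updates.example/artifacts/dep-0001"})
	}))
}

func main() {
	srv := NewFakeUpdateServer()
	defer srv.Close()

	// The device ships with the update server's CA; here that is the test server's own cert.
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	client := NewTLSClient(roots)

	d, err := PollForUpdate(client, srv.URL, "gateway-rev2")
	fmt.Printf("trusted server: deployment=%+v err=%v\n", d, err)
	_, err = PollForUpdate(client, srv.URL, "sensor-rev1")
	fmt.Println("nothing pending:", err)

	// A device that does not trust this CA refuses to talk before any update data flows.
	_, err = PollForUpdate(NewTLSClient(x509.NewCertPool()), srv.URL, "gateway-rev2")
	fmt.Println("untrusted server:", err)
}
```

The last call in `main` is the check worth keeping in a real agent's test suite: with an empty root pool the TLS handshake fails before a single byte of deployment metadata is exchanged, which is the behaviour you want if the server's address is ever hijacked.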
Code compatibility verification is essential
When a fleet contains heterogeneous hardware, the OTA mechanism must be able to distribute different operating system images to different device types. It is imperative to confirm that the image received by an IoT device is compatible with the device's hardware architecture before applying the software update; a mismatch of this type can have consequences that are difficult to recover from.
Integration with hardware security modules is advisable
Leveraging hardware support for device authentication provides an additional security layer. Hardware Security Modules (HSMs) and Trusted Platform Modules (TPMs) store keys inside hardware, making them tamper-proof and much harder to steal. An OTA update process that only requests operations on these keys, such as signing and decryption, instead of reading the keys out and using them directly, keeps them protected because the cryptographic operations are performed inside the device's hardware.
Questions when considering OTA updates for your next product
The right approach for an IoT project depends on the environment the product is in, use cases, the hardware under consideration, and the overall system architecture.
Some important questions to ask when considering an OTA update technology for your next IoT product:
- Is security a prime directive of the over-the-air (OTA) mechanism, rather than something bolted on as an afterthought?
- How does the OTA mechanism support failed update scenarios?
- How secure is an OTA mechanism with client-server architecture?
- Can software be updated at various levels? E.g. Application updates using containers, files, directories and full operating system image updates.
- Can OTA updates be applied in an efficient manner, like minimizing network bandwidth, storage and compute?
- How efficient is the OTA mechanism in mitigating risks for enterprise IoT? E.g. Features that enable enterprises to reduce risk, enhance security and uptime.
Conclusion
A secure and robust software update process should be the foundation of any IoT product development strategy. Updates for IoT must be designed to minimize hackers’ ability to breach the update process and harm devices by modifying and installing malicious software on them. It must also be designed with end-to-end security in mind. Only by planning ahead with the right mindset and design philosophy can you ensure a secure remote software update strategy.
Learn more
- Learn more about how Mender works to provide secure and robust updates
- Read more about security considerations when remotely managing IoT device software
- Contact us to learn how Mender can work with your project