What is an OTA update?
OTA update management is the process of remotely updating the entire root file system, performing a firmware update, or performing an application update over the air. This means that the update does not need to be managed locally by an on-site technician with a USB key or some other method that requires physical proximity to the device in the field. In automotive, where devices are connected over the CAN bus, a manual local update can be even more complicated: if a special dedicated interface is required, the update becomes costly and can only be performed at a limited number of authorised locations.
There are different levels of OTA update management, from systems for mobile phones and other mobile devices to systems for IoT devices in both consumer and industrial settings.
An OTA update manager for a fleet of IoT devices has many advantages: it gives the device manufacturer and/or IoT product provider central control of the update process at scale, ensuring that devices receive the latest, properly authorised software releases in a predictable fashion, and that patches can be delivered to anticipate and fix bugs and security vulnerabilities. Typically, for the latter use case, the OTA update is code-signed by the original creator so that the device can certify that the update has not been tampered with in transit and that it is indeed the correct version of the update for that device. The device manufacturer and/or IoT product provider will always be accountable in the event of a device security breach or failure, so being able to control the updates puts them in control of the process and lets them limit their risk. Learn more about creating a strategy to manage OTA updates.
OTA update management and its benefits
Having a best-of-breed system in place for remote updating, whether it is hosted or on-premises, also makes a whole host of benefits available to IoT-enabled devices.
These benefits include:
Atomic updates, which ensure that the target device receives precisely the right update, applied in full or not at all. Partial updates, also known as delta updates, can be delivered to save bandwidth in large fleets or where cellular connectivity such as LTE 4G or even 3G is used.
An update rollback mechanism can be put in place to prevent a device from failing or “bricking” in the event of a loss of power mid-update. Such a bricking would require physical replacement of the device in the field. For this scenario, Mender uses an A/B root filesystem and kernel design with active and passive partitions to support OTA update rollback.
Devices added to the fleet can be pre-authorised, categorised and filtered on attributes such as device type and geography, and the OTA update manager can be integrated with public cloud platforms such as Microsoft Azure IoT, Google IoT Core or AWS IoT, and/or an enterprise ERP system via a RESTful API for frictionless enterprise device management.
The personnel who can provision or interact with the IoT device fleet can be strictly controlled based on their respective roles (role-based access control, RBAC). This means that, for example, in a large fleet a developer may be able to test a software release on a small number of devices, but would not be authorised to deploy that “test” software to production for the whole fleet.
OTA update management across industries
OTA update management is used across industries, from electrification to consumer electronics. It allows IoT product management teams to launch new IoT products into the field and extend their value by adding new features at a later date. Vaillant uses OTA updates for gateways on domestic heating systems, and Schindler uses OTA updates on smart elevators and escalators. Think of the Tesla model and you will see that many enterprises and industries are now inspired to create new business models and subscription revenue opportunities by adding new and valuable software features to already deployed hardware. The paradigm has shifted, and software is becoming more pervasive in the engineering and design of products that were traditionally analogue. Think of a robotic vacuum cleaner in the home and you will get the picture of what is emerging even in traditional engineering companies.
OTA update management in Automotive
OTA update is synonymous with automotive, and with good reason. In automotive, it wouldn’t make sense from a commercial or customer service perspective to have the owner return the vehicle to the dealer to perform software updates manually. Over-the-air updating instead allows the vehicle owner to apply software updates themselves, just as they would on their PC or smartphone. This is performed through the gateway, which securely and robustly connects the ECUs on board the vehicle to external services such as infotainment for the vehicle passengers.
Over the past 20 years, automotive manufacturers have increasingly sought to use on-board electronic components to offer new features to their customers. As more electronic control units (ECUs) are added to a vehicle, it becomes more challenging to keep the software maintained and secure. Research from La Manna et al. estimates that there can be over 80 ECUs in a single vehicle, and when you consider that, across the industry, every thousand lines of code in a software program can contain up to 25 bugs, you quickly realise just how important it is to have a mechanism to keep the software updated. Bugs and vulnerabilities are part and parcel of software development, and hence OTA updates are very important for avoiding issues and failures.
Frameworks for OTA updates in Automotive
There are several frameworks that guide the OTA update process in automotive. Adaptive AUTOSAR uses service-oriented communication to integrate applications, supplanting the signal-based communication over the CAN bus that was the system architecture in Classic AUTOSAR. Adaptive AUTOSAR’s development is managed by a consortium of manufacturers including BMW, Bosch, Continental, Daimler, Ford, GM, Toyota and Volkswagen. Uptane is a commonly referenced framework for software and firmware updates over the air, created for securing ground vehicles. Uptane also allows for the encryption of software images using symmetric, asymmetric or digital envelope techniques. ASSURED is another framework for OTA firmware updates in automotive. This framework prescribes the following conditions for the OTA update:
- End-to-end authentication and integrity: the update must be signed by the manufacturer and verified by the device
- Update authorisation from the controller: only authorised devices can install the update
- Attestation of update installation: the device must provide proof that the update was installed
- Protection of code and secret key on the device: the update must be held in secure storage while it is stored and installed, and critical code must run in isolated execution
- Minimal burden for the device.
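As an added example (not Mender's code and not part of any of the frameworks above), the following Go program models the first ASSURED condition together with the A/B rollback design described earlier: the device verifies the manufacturer's signature over the image digest before writing the image to the passive slot, and the new slot only becomes active after a healthy trial boot, otherwise the previous image boots again. Ed25519 as the signature scheme, the in-memory slots and the image contents are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
)

// Device models an A/B layout: two root filesystem slots, one of which is active.
type Device struct {
	Slots   [2][]byte // slot contents (constructed sample images, not real rootfs data)
	Active  int       // index of the slot the device last booted from successfully
	Pending bool      // an update was written to the passive slot and awaits a trial boot
	PubKey  ed25519.PublicKey
}

// Install verifies the manufacturer signature over the SHA-256 digest of the image,
// then writes the image to the passive slot and marks it pending. The active slot is
// never modified, so a rejected or interrupted install cannot brick the device.
func (d *Device) Install(image, sig []byte) error {
	digest := sha256.Sum256(image)
	if !ed25519.Verify(d.PubKey, digest[:], sig) {
		return errors.New("signature verification failed: image rejected")
	}
	passive := 1 - d.Active
	d.Slots[passive] = image
	d.Pending = true
	return nil
}

// Reboot performs the trial boot of a pending update. healthy reports whether the new
// rootfs came up and the application confirmed it; if not, the old slot stays active
// and the previous image boots next time (rollback). Returns the active slot index.
func (d *Device) Reboot(healthy bool) int {
	if !d.Pending {
		return d.Active
	}
	d.Pending = false
	if healthy {
		d.Active = 1 - d.Active // commit: the passive slot becomes active
	}
	return d.Active
}

// SignImage is the manufacturer-side step (assumed Ed25519 over the image digest).
func SignImage(priv ed25519.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	return ed25519.Sign(priv, digest[:])
}
```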
A best-of-breed OTA update system is better than a homegrown one
In conclusion, a system for OTA updates should be robust and secure, and it is better to look for a best-of-breed OTA update solution than to build one in house, as a homegrown system can be fragile and insecure. An OTA update management system based on open source provides tremendous flexibility, avoids vendor lock-in and ensures community support, which results in higher standards of security and continuous innovation.