The increasing availability of low-cost hardware, new low-power radio technologies, and real-time operating systems specially designed for these embedded devices makes the Internet of Things (IoT) accessible to a broader range of developers. IoT devices are now used in many verticals, from logistics to precision farming, introducing new ways to optimize existing business processes and enabling novel use cases. IoT devices are also used in critical infrastructure where safety and security play an even more important role.
However, while IoT devices are expected to have a major impact on our economy, they are also known for their relatively weak security. The Mirai botnet, for example, demonstrated that large-scale DDoS attacks using compromised IoT devices can threaten other infrastructures. It is equally alarming that many of these compromised IoT devices are not equipped with a ﬁrmware update mechanism and, therefore, remain unpatched to this day.
Vulnerabilities in Internet of Things (IoT) devices have raised the need for a reliable and secure firmware update mechanism suitable for devices with resource constraints. Incorporating such an update mechanism is a fundamental requirement for fixing vulnerabilities but it also enables other important capabilities such as updating configuration settings as well as adding new functionality.
The Open Web Application Security Project (OWASP) has identified the lack of a secure update mechanism as one of IoT Top 10 vulnerabilities: “Lack of ability to securely update the device. This includes lack of firmware validation on devices, lack of secure delivery (un-encrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of security changes due to updates.”
A primer on IoT device firmware updates
Firmware updates can help to fix security vulnerabilities and are an important building block in securing IoT devices. Once devices are deployed, firmware updates play a critical part in their life cycle management, especially when these connected devices have a long lifetime. Considering that IoT devices are often deployed in remote or inaccessible areas where manual intervention is almost impossible and cost prohibitive, firmware updates should be rolled out automatically, without any user involvement. Automatic updates are key to a scalable solution for fixing software vulnerabilities.
Firmware updates are not only done to fix bugs, but they can also add new functionality, and re-configure the device to work in new environments. The firmware update process should ensure that:
- The authenticity and integrity of the firmware image is protected to prevent attempts by adversaries to flash a maliciously modified firmware image or an image from an unknown, untrusted source.
- The confidentiality of the firmware image is protected to safeguard against attempts to access the code in plaintext. Attackers seek to obtain the firmware as the first step to launch further attacks since it provides valuable information into the software libraries used, configuration settings and generic functionality.
Over the air (OTA) firmware updates
Firmware updates are not always manual. In certain cases, firmware updates need to be delivered in a way that works for IoT and mobile devices—and that is remotely updating the code on connected, embedded IoT devices. To accomplish this, updates are conducted over-the-air (OTA)—hence the name—and are delivered wirelessly without interfering with the underlying hardware.
Using OTA firmware updates is that IoT manufacturers can continuously add new features, repair security bugs and optimize product performance across dispersed computing environments. While OTA is a cost-effective way to update IoT firmware—seamlessly managing firmware across hundreds of connected devices—it must also be protected against compromise, as it is an extremely efficient mechanism for delivering malware as well as firmware.
Firmware updates are critical for fixing software bugs and addressing security vulnerabilities. However, the update process itself can also introduce security risks if it is not properly secured. If you do not protect the integrity of your firmware updates, then cybercriminals may be able to use them to inject malicious code into your IoT devices.
While the firmware in most devices is not exposed to cybercriminals, it can be reverse-engineered and modified to create malicious versions that can be used to gain control of the device or its data. If it is vulnerable, your firmware updates can be used to perform a variety of malicious actions, such as installing malware, stealing sensitive data, or taking control of the device remotely.
Certain types of vulnerabilities can impact the security of IoT firmware updates:
- Code signing compromise: Unauthorized access to code-signing keys can allow cybercriminals to sign malicious malware and deliver it as a firmware update to devices in a way that it will appear to be trusted.
- Buffer overflows: Cybercriminals may seek out coding flaws such as buffer overflows and use them to cause erratic application behavior or crashes that can lead to a security breach—allowing them to remotely access devices and inject them with malware.
- Open source vulnerabilities. The development of IoT devices relies heavily on open-source components. If your developers employ insecure open source components, your software supply chain could end up with embedded vulnerabilities, which cybercriminals are eager to exploit.
Because firmware vulnerabilities can put your business and your customers’ sensitive data at risk, it is important that you identify these firmware vulnerabilities and take corrective measures regularly.
Considerations for IoT firmware updates
When designing the firmware update process for deployed IoT devices, firmware authors and network operators should keep in mind the following considerations:
- Install firmware updates in a robust fashion so that the update does not break the device functionality. This requires proper testing and establishing recovery strategies when a firmware update is unsuccessful.
- Make firmware updates available in a timely fashion to address emerging vulnerabilities, while considering the complexity of the decision-making process for updating devices and the length of the involved supply chain before the update reaches the end customer.
- Ensure that the update process is energy efficient for battery powered IoT devices. The firmware update, particularly radio communication and writing the firmware image to flash, can become an energy-intensive task for constrained IoT devices.
- Ensure that firmware updates addressing critical flaws can be obtained even after a product is discontinued or a vendor goes out of business.
In addition to the above considerations, device manufacturers and customers should be incentivized to adopt and enforce frequent firmware updates to secure these devices against cyber-attacks. This is the purpose served by the IoT Cybersecurity Improvement Act of 2020, which dictates that federal agencies refrain from “procuring or obtaining, renewing a contract to procure or obtain, or using an IoT device” if the device is not compliant with the guidelines issued by NIST. These guidelines “on the appropriate use and management” of IoT devices include “minimum security requirements for managing cybersecurity risks” inherent with these devices.
How to secure IoT firmware updates
Just as firmware updates are important to fix vulnerabilities in IoT devices, it is equally important to secure the update mechanism. Security gaps in the update process can expose the remote code execution of the update. Failure to secure the firmware update process will help attackers to take control over devices.
There are various security controls that can be leveraged to protect the firmware image and the update process.
- Authentication ensures that the device can cryptographically identify the author(s) creating the firmware images. In addition, the authenticated machine identities can be used as input to the authorization process to determine whether the requested action is allowed to access the device and perform the update.
- Integrity protection ensures that no unauthorized entity can modify the firmware image. To accept an update, a device needs to verify the respective code signature of all software components included in the firmware update. To do so, the device needs to be in possession of the trust anchors to verify those code signatures.
- Confidentiality of the firmware image ensures that only an authorized entity can have access to the unencrypted firmware image. The encrypted firmware image should be compatible with Content Distribution Networks, bulk storage, and broadcast protocols. To ensure the confidentiality of firmware images the author needs to be in possession of the proper machine identity in the form of a certificate/public key or a pre-shared key of the device.
In addition to the above consideration, crypto-agility should also be a core consideration in securing the update process. Since RSA- and ECC-based signature schemes may become vulnerable to quantum-computing in the future, unchangeable bootloader code in ROM is recommended to use post-quantum secure signature schemes such as hash-based signatures.
IoT device vendors and operators can safeguard the firmware update process by deploying highly scalable, agile, and cost-effective solutions that allow to build in high-assurance identity at every step of the IoT device lifecycle. Venafi TLS Protect and CodeSign Protect can help organizations build confidence that the IoT firmware updates are protected against attacks targeting the process.
(This post has been updated. It was originally published on August 24, 2021.)