This presentation was originally delivered during the IoT Integrator Summit on Securing Edge Computing, which took place from July 14-16, 2020.
You can view the full event summary, as well as access additional sessions from the IoT Integrator Summit, here.
In this session recording, you will learn about how over-the-air (OTA) firmware updates are a critical part of IoT security. Keeping devices up-to-date in the field protects both consumers and companies against potential vulnerabilities, with new attack opportunities being discovered every day. However, many companies choose not to invest in these critical updates because the associated costs are simply too high.
Justin Schneck, NervesHub co-founder and Software Engineering Fellow at Very, shares how NervesHub solves this problem for companies by using delta updates, which send only the parts of the firmware that have changed to the device, rather than the whole file. This drastically reduces the size of the firmware files being sent over the air, which in turn provides companies with the cost savings they need to prioritize security. Join Justin’s session to learn more.
Watch the video or peruse the notes from the session below.
OTA firmware and IoT security
The development of IoT devices has become more complex over the years. Today, the long-term engagement of IoT devices demands that developers consider the update process early and often in the development cycle. Specifically, developers should consider over-the-air (OTA) updates for these reasons:
- Patching vulnerabilities. Software contains bugs that often lead to vulnerabilities. Once a product is shipped, users will inevitably uncover those vulnerabilities. If those vulnerabilities go unpatched, they could compromise the device and betray clients' trust.
- Changing infrastructure support. Networks are malleable, so you will need to make changes to your device to support changing infrastructure.
- Easy addition of new features. To compete in the current market, products need to get into the user’s hands quickly. To shorten the development cycle and maximize features, devices should ship with hardware to be enabled later through OTA updates.
Secure IoT firmware updates
To securely update devices, you must first establish a “root” of trust. The “root” of trust is comparable to HTTPS, SSL infrastructure or Public Key Infrastructure (PKI).
At its core, when a computer sends a request to a web address, the server behind that address presents a certificate, which verifies that the address is legitimate. Securing devices with PKI follows a similar path but includes an extra step called client-side SSL.
Here, the device also presents its own certificate to the server so that the server can validate the device. Devices cannot enter passwords the same way humans can, which presents unique challenges. Microchips called hardware security modules (HSMs) solve this problem with several features:
- Internally generated private keys
- Private keys are permanent
- Chip delegated Crypto/SSL operations
Because the HSM is a physical chip, plans must account for its use as early as possible in product development. Identifying a need for the HSM early on will make sure that time and money are not wasted on new prototypes.
OTA firmware update application in IoT
There are two options in firmware update provision: hosted/on-site or custom. In the case of a hosted or on-site firmware update provider, you should look for security and firmware validation.
Firmware validation guarantees that incoming firmware has not been altered in any way. Any alteration can lead to vulnerabilities in crucial areas. Custom OTA solutions are available if your device has precise requirements, for instance if you need to deliver updates via Bluetooth or physical media. The only difference in custom solutions is the verification process and requirements.
Updating devices is an inherently risky process. During updates, devices may become inoperable if mishandled. Nerves approaches firmware updates using onboard blue/green deployments. This helps to avoid “bricking” the device and allows you to continue pushing firmware updates in the future. This infrastructure choice is another that should be made in the development phase.
Another risk is pausing for too long between update cycles. Pushing updates frequently means you can exercise the pipeline for application deployment on a more regular basis. Frequent updates have the added benefit of incremental changes to your firmware, which sidesteps catastrophic failures that could occur when taking large leaps between updates. The larger the update, or the longer the pause, the more risk.
OTA firmware update risk solutions for IoT
Developers fall into a common trap of using modern IoT “jump start” platforms for their firmware. Doing this has several significant drawbacks:
- Large firmware size
- Include features your application may not need, increasing vulnerabilities
- Not robust in the field
Nerves solves this by:
- Producing small firmware sizes
- Only shipping features that you need
- Fault-tolerant updates
Reducing firmware sizes and providing opt-in updates are two critical steps in lowering the cost of updating. A cellular IoT platform could cost $0.40/MB, and your average Ubuntu update is roughly 300 MB.
At that rate, one update, for one single device, would cost $120. However, when you use the right solutions, updating the entire firmware is no longer necessary. New technologies, like Delta Updates, allow you to insert an update into a specific segment of the firmware.
This allows you to send only the update information that you need, instead of the entire package. Delta Updates not only increase deployment speed but also dramatically reduce the size and cost of the update. This is why it is imperative that developers consider updates in the first stage of development.
Q & A from listeners
Justin Schneck answers questions directly from our listeners.
Q: What difference does using AB partitions provide in reducing bandwidth usage?
The benefit in AB partitions is not the size but the increased robustness. With this solution, you always have a fallback directly on the disk. The reduction in size happens when it is combined with delta updates.
Here, the specific, smaller update file is transferred directly to the B partition, while the rest of the information needed to make the firmware complete is already available on the A partition. As such, when it is applied, it expands itself by copying the code from the A partition.
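The A/B-plus-delta mechanism described in this answer, as an added Python simulation (not Nerves or NervesHub code, and not from the session). The delta format, the 8-byte copy-op encoding and the `Device` class are hypothetical, the firmware bytes are constructed, and the expected digest stands in for a value that would come from a signed manifest.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_delta(old: bytes, new: bytes, block: int = 16) -> list:
    """Describe `new` as copies out of `old` plus literal bytes for what changed."""
    index = {old[i:i + block]: i for i in range(0, len(old) - block + 1, block)}
    ops = []
    for i in range(0, len(new), block):
        chunk = new[i:i + block]
        off = index.get(chunk)
        if off is None:
            ops.append(("data", chunk))                   # must be sent over the air
        elif ops and ops[-1][0] == "copy" and ops[-1][1] + ops[-1][2] == off:
            ops[-1] = ("copy", ops[-1][1], ops[-1][2] + block)  # extend previous copy
        else:
            ops.append(("copy", off, block))              # already on the device
    return ops

def delta_size(ops) -> int:
    """Bytes on the wire, assuming 8 bytes per copy op (hypothetical encoding)."""
    return sum(len(op[1]) if op[0] == "data" else 8 for op in ops)

class Device:
    """Simulated device with two firmware slots; only `active` is ever booted."""
    def __init__(self, firmware: bytes):
        self.slots = {"A": firmware, "B": b""}
        self.active = "A"

    def apply_update(self, ops, expected_sha256: str) -> bool:
        src = self.slots[self.active]
        target = "B" if self.active == "A" else "A"
        out = bytearray()
        for op in ops:
            if op[0] == "copy":
                _, off, length = op
                if off < 0 or off + length > len(src):
                    return False      # malformed delta: keep running the active slot
                out += src[off:off + length]
            else:
                out += op[1]
        self.slots[target] = bytes(out)   # the active slot is never written
        if sha256(self.slots[target]) != expected_sha256:
            return False              # validation failed: fall back by not switching
        self.active = target          # switch slots only after validation
        return True

# Constructed sample firmware: 4096 bytes, one 16-byte block changed in v2.
V1 = b"".join(hashlib.sha256(bytes([i])).digest()[:16] for i in range(256))
V2 = V1[:1600] + b"PATCHED-ROUTINE!" + V1[1616:]
```

With this sample, `delta_size(make_delta(V1, V2))` is 32 bytes against a 4096-byte full image, and a delta whose rebuilt image fails the digest check leaves the device on its current slot.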
Q: Any recommended resources to learn and master Nerves?
Nerves is built on the Erlang VM, a language that has been around for quite some time. If you want to learn about Nerves today, you can review books by the Pragmatic Programmers Bookshelf. Specifically, take a look at books about writing Elixir, a language on top of Erlang, and Erlang itself. Keep an eye out for future publications from Nerves.
Q: Do you recommend using, and does Nerves provide, formal change management processes while doing updates on IIoT devices?
With NervesHub, you will receive a mechanism for monitoring device inventory and firmware numbers. This allows you to apply complex updates such as update paths. We also have tools that tie into your continuous integration pipeline.
During the testing process, it is not uncommon to push firmware to NervesHub. From there, Nerves can automatically deploy to devices that perform automated tests and report back. This can be used for the QA testing phase and even through the production firmware itself.
I’m in a constant state of wanting to make the world around me bend to my imagination. At one time I wondered how hard it would be to start my motorcycle from my phone. Rewiring a motorcycle and writing an interface was easy, but connecting it all together proved to be a challenge. A challenge that would define my career. That invisible, often impenetrable layer in the air between all the hardware in the world has become my stomping ground. Hardware is hard, so I’ve been working on Nerves to make it easy.
Specialties: Embedded Systems Architect and Engineer.