IoT has quickly evolved into the Enterprise of Things (EoT), a massive ecosystem of devices and intelligence gathering fueling every industry. With organizations becoming increasingly dependent on this interconnectivity, vendors need to get software and firmware updates to clients as fast as possible - whether for a tiny remote sensor on a streetlight, an MRI machine, an automobile, or a mobile phone. However, the ability to deliver over-the-air (OTA) updates is both a blessing and a curse.
Backlogged IoT Updates Leave Vulnerabilities Exposed
A well-planned and executed update process can ensure quick, consistent, and reliable delivery of updates. Conversely, an improperly designed update process might allow an attacker to:
- Intercept communications between devices and update servers, allowing for eavesdropping or even modification of updates
- Push fake and malicious updates from a spoofed update server
- Exploit vulnerabilities in communication channels to obtain access to the underlying operating system or other software. This might provide the ability to tamper with features or services that would normally not be accessible.
- Block communications to prevent important security updates, leaving them in a vulnerable state
- Disable the device if it is presently in operation and unable to access the update
Security-related updates generally encompass software updates to embedded applications, services, and firmware (software that provides the low-level control for a device's specific hardware.) Most 3rd-party software is highly visible and subject to the constant discovery of vulnerabilities; therefore, it's important to monitor and integrate security updates for operating systems, libraries like OpenSSL, and hardware drivers.
Mitigating Key Exposure Points with OTA Updates
When an OTA software update is pushed, six key exposure points need to be mitigated:
- Packaging, Signing & Encrypting – To ensure the integrity and privacy of an update, the software should be signed with a digital signature that has a verifiable chain of trust. In addition to digital signatures, encrypting the package helps avoid exposure of and tampering with the contents.
- Deploying & Delivering – This mechanism should deliver the update through the most secure and reliable communication channel available. This includes using transport layer security, such as HTTPS, as well as validation of SSL certificates to verify the authenticity of the source. The resiliency of OTA update delivery should also be considered, e.g., providing updates over multiple channel options (e.g., Internet or 5G), tolerating slow or intermittent connections, and allowing for resumption of partially delivered downloads.
- Receiving & Validating – Once a device has received a package, it should verify the digital signature, ensure that signature has not been revoked, and the chain of trust remains valid. After extracting (and possibly unencrypting ) the package, the device should verify signatures on executable binaries and check that the update applies to the device's specific hardware and software configuration.
- Getting Approval – Before installing an update, it is usually best to notify the user and wait for approval to install the update. If it is not possible to wait for user approval, ensure that the device is not in use and is in a safe state to install updates. For example, a vehicle should not be running when installing an update.
- Preparing & Applying Updates - Before installing updates, the device should ensure that the process will execute without disruption. For example, ensure that there is enough disk space, ample power to complete the update, available memory, and data necessary for firmware rollbacks has been backed up.
- Verifying & Activating - After installation, the device should verify that the process was completed correctly and that no errors occurred. At this point, it is also a good practice to once again verify the integrity of the system files to ensure that all files are valid and have not been tampered with.
Despite the additional threat exposures an OTA creates, remote updates are the only economically viable way of maintaining effective defenses. Hence, architects, developers, and systems personnel need to fully understand threats and attacks of remote updates so they can implement appropriate defensives and avoid putting their users at risk.