How do you provide IoT updates to devices in the field?
IoT devices are attractive targets for hackers, and their vulnerabilities have shown how critical -- and challenging -- it is to securely provide needed software and firmware updates.
In an ideal world, IoT devices would receive software and firmware updates easily and securely -- whether literally out in a field, in a factory, on a car or in any of the myriad environments where they can be found.
Because there's no one-size-fits-all approach to IoT devices, or to the more than 300 different middleware IoT platforms currently available to choose from, there's no one-size-fits-all approach to IoT updates either. This raises the questions of how often software and firmware updates are necessary and how they are delivered.
The frequency of software and firmware updates depends on why updates are needed. The top two reasons are fixing bugs and adding new features. To understand how often updates are released, look no further than your average cellphone.
"You choose when to apply [phone updates], which works for a device with a human at the interface," said Russ Housley, chair of the Internet Engineering Task Force (IETF) Software Updates for IoT (SUIT) working group, which is currently working on developing a standard for IoT updates. "But some IoT devices are what we call 'headless' -- they don't have a display or a keyboard. Those environments need to be more automated and driven by some event that the device can observe."
Many IoT platforms provide their own ways to update IoT devices. IBM's Watson IoT Platform addresses firmware management of IoT devices as part of its device management features, said Nir Naaman, Watson IoT Platform architect and researcher at IBM Research in Haifa, Israel. "It supports both device- and platform-initiated firmware updates," he said. "The user or administrator can programmatically control when updates are performed or configure automatic updates."
Another popular IoT platform, Siemens' MindSphere, "constantly manages vulnerabilities and updates its MindConnect software APIs as soon as a new version is made available," said Matthew Thornton, western regional manager at Siemens.
While MindSphere updates can be fully automated and deployed remotely, for security reasons the communications -- including firmware updates -- between MindSphere and the MindConnect devices [IoT gateways] on the factory floor can only be initiated from the factory floor, Thornton explained.
"MindConnect firmware is signed, and the transport is encrypted via HTTPS to be secure and firewall-friendly. And it can be applied locally or deployed from MindSphere, as long as the admin provides consent," Thornton added.
Main challenges providing IoT updates in the field
Getting updates out to all IoT devices promptly isn't always possible, because not all connected devices are shipped with the ability to receive them.
"This is a big problem, because a bug can lead to a security issue that allows an attacker to use the IoT device to harm other people connected to the internet," Housley said. "The ability to receive update software is an important capability that can improve the all-around security of the internet. The challenge is to get everyone to do it. Cost is an important factor with IoT devices -- they're intended to be inexpensive, fairly low-end devices -- but it's really important to include a way to update the software."
Other challenges include basics, "such as having an up-to-date inventory of your assets and knowing that an update for your IoT device is available, prioritizing the updates, testing the updates prior to implementation in the field and installing the updates without adversely affecting the operation of your process," Thornton said.
Perhaps one of the most daunting challenges is dealing with update failures. A firmware update can fail for many reasons, including incorrect or bad firmware, an unexpected abort or insufficient space, IBM's Naaman said. "In case of a failure, the challenge is to restore the device to a working condition with as little as possible impact on the operation of the device."
The Watson IoT Platform, for example, provides tools to address a failure in the firmware update process, such as a firmware rollback to restore the last good version or factory reset for cases in which the setup is completely corrupt and can't be rolled back.
Surprisingly, many organizations don't realize that combining firmware updates with device monitoring and management is crucial, Naaman added.
"The ability to quickly detect and react to issues caused by bad software updates can be critical. In many cases, issues with new software are detected only after it's deployed in the field on a large scale -- sometimes after things have been working well for a while," he added.
Role of security and encryption during updates
Maintaining security during IoT updates is all about the digital signature, which protects the integrity and authenticates the source of the firmware, Housley said. "You want to ensure code is coming from where you think you're getting it from -- even if it's staged in some server for delivery -- and the digital signature provides it."
"Security and encryption are, of course, a concern for firmware management operations due to the significant impact these operations have on the behavior of devices," he said.
Ensuring that only authorized users can perform such operations, encrypting communication, authorizing devices, identifying security breaches and isolating the impact of a breach of a single device are only a few examples of the security-related issues that the IBM IoT platform addresses, he added.
Siemens' Thornton also emphasized that the integrity and authenticity of the updates are critically important. Updates provided through the Siemens Industry Online Support website are delivered using a secure HTTPS connection, he said.
"The integrity of these updates is maintained by including signatures within the updates or by providing hashes that can be used to confirm the authenticity of the version as posted on the website with what was received during the download," he said.
Encryption is particularly important when the software has intellectual property rights associated with it, but it's part of the puzzle that the IETF hasn't started working heavily on yet, Housley said.
Housley said researchers exploring the human-rights aspects of standardization have reached out to his group. They believe including encryption is important, because many IoT devices are designed to be carried in a pocket or worn in some form, making them easy to associate with a particular human.
"They [researchers] feel it's important to provide encryption so that this won't become another vehicle for tracking people," he added. "The version of firmware you're running versus the version someone else is running might be a way for us to tell you two apart. That was a bit of a surprise to me, so I'm glad they engaged early so we can think about it while we're working."
Standards work underway by IETF
The IETF SUIT working group is developing a standard for a firmware update mechanism suitable for IoT devices. Internal drafts are public, and it welcomes comments, so you can check out its work in progress online.
The firmware update mechanism described in this specification is designed for the following:
- to be agnostic to how firmware images and associated metadata are transported;
- to be friendly to broadcast delivery;
- to use state-of-the-art security mechanisms;
- to ensure rollback attacks are prevented;
- to provide high reliability;
- to operate with a small boot loader and small parsers;
- to have minimal impact on existing firmware formats;
- to have robust permissions; and
- to have diverse modes of operation.
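An added example (not code from the article, the IETF drafts or any vendor named here) of the device-side checks that the passages on signatures, hashes and rollback prevention describe: authenticate a manifest, refuse an older sequence number, then check the image digest. The JSON manifest layout, the names `make_update` and `check_update`, and the demo key are assumptions; the signature is RSASSA-PKCS1-v1_5 computed with Python integers over a constructed, insecure key so the block needs only the standard library.

```python
import hashlib
import json

# Constructed demo key built from two Mersenne primes (assumption: illustration only;
# real keys come from a proper generator and D stays in the vendor's signing service).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, vendor side only
K = (N.bit_length() + 7) // 8      # modulus length in bytes
SHA256_INFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo prefix

def _encode(msg: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg), returned as an integer."""
    t = SHA256_INFO + hashlib.sha256(msg).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def make_update(image: bytes, seq: int) -> dict:
    """Vendor side (hypothetical format): sign a manifest naming image digest and sequence."""
    manifest = json.dumps({"seq": seq, "sha256": hashlib.sha256(image).hexdigest()},
                          sort_keys=True).encode()
    return {"manifest": manifest, "sig": pow(_encode(manifest), D, N), "image": image}

def check_update(update: dict, installed_seq: int) -> str:
    """Device side: needs only the public key (N, E) and the installed sequence number."""
    sig = update["sig"]
    # 1. Authenticate the manifest before parsing any of it.
    if not (0 < sig < N) or pow(sig, E, N) != _encode(update["manifest"]):
        return "reject: bad signature"
    manifest = json.loads(update["manifest"])
    # 2. Refuse anything not newer than what is installed (rollback protection).
    if manifest["seq"] <= installed_seq:
        return "reject: rollback"
    # 3. Bind the image to the signed manifest through its digest.
    if hashlib.sha256(update["image"]).hexdigest() != manifest["sha256"]:
        return "reject: image digest mismatch"
    return "accept"

if __name__ == "__main__":
    good = make_update(b"constructed firmware image v2", seq=2)
    print(check_update(good, installed_seq=1))
    print(check_update(good, installed_seq=2))
    print(check_update({**good, "image": b"tampered"}, installed_seq=1))
```

The second call shows why the signature alone is not enough: an older update still carries a valid vendor signature, so only the sequence check stops it from being reinstalled.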
When is an IoT updates standard expected?
"We'll work on it until we reach consensus," Housley said, though he estimated it's still a year or two away from a full set of specifications.