Code Signing

The Key to Firmware Security in Connected IoT Devices

IoT devices make up 30% of all network-connected endpoints, introducing novel attacks and supply chain vulnerabilities that make many companies primary targets for cybercriminals. To address this increasing threat surface, every organization deploying IoT devices needs to consider the question of firmware updates for their IoT devices.

Firmware updates are essential to fix software bugs, patch vulnerabilities, or add new security features, but equally important is the practice of ensuring these updates are secure and trusted.

Over the air firmware updates

While device firmware can be updated manually, the vast distribution of IoT-enabled devices like connected cars, pacemakers, even airplanes, makes manual update processes unfeasible and impractical.

That’s where over-the-air (OTA) updates play an increasingly important role. OTA firmware updates involve remotely updating the code on connected, embedded IoT devices. The update is deployed wirelessly – over the air – to the device, without the need to interfere with the underlying hardware. OTA updates are usually delivered through cellular data (4G or 5G) or through internet connections.

The biggest benefit of OTA IoT firmware updates is that manufacturers can continuously add new features, fix security bugs, and improve product behavior, even if the device is deployed in dispersed environments. Additionally, OTA updates are a cost-effective solution, because you can manage seamlessly the firmware across hundreds of connected devices from a centralized interface.

Firmware vulnerabilities

Despite the importance of having updated firmware to ensure the safe and reliable operation of your fleet of IoT connected devices, firmware is a commonly unprotected attack surface that adversaries exploit to intrude networks, compromise data, or even take over control of the devices to cause harm or disruption. Bottom line, unsecure firmware equates to an unsecure IoT device.

Cybercriminals are eager to exploit weaknesses and gaps in IoT security, not to always attack the devices themselves, but to launch other malicious actions, such as DDoS attacks, malware distribution, or data breach and compromise.

OWASP Top 10 IoT highlights that the lack of a secure firmware update mechanism is one of the top vulnerabilities affecting IoT security:

“Lack of ability to securely update the device. This includes lack of firmware validation on device, lack of secure delivery (un-encrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of security changes due to updates.”

To mitigate this vulnerability, it is essential that businesses ensure that the IoT firmware can be updated via OTA updates reliably, securely, and regularly. However, there certain key factors impacting the security of IoT firmware updates, including:

Signing compromise: Unauthorized access to code-signing keys or firmware signing mechanisms can enable attackers to impersonate trust and deliver malicious updates to devices that appear trusted. It’s essential to shore up defenses around your code signing keys and ensure that firmware signatures are verified before allowing the code to execute on the device.

Insecure coding: Buffer overflows may happen because of insecure device programming. Adversaries seek out these coding flaws to cause erratic application behavior or crashes that can lead to a security breach. Buffer overflows can allow criminals to remotely access devices and can be weaponized to create DDoS or malware-injection attacks.

Insecure software supply chain: The development of IoT devices relies heavily on software supply chains and extensive use of open-source components. Lack of procedures to secure the supply chain results in employing insecure open-source components, with embedded vulnerabilities, which attackers are eager to exploit. The latest SolarWinds attack is a fine example of what can go wrong with insecure software supply chains.

Forgotten testing services in production devices: During the development and testing of IoT devices, developers with debugging services and credentials should not migrate to the final production device, because they provide potentially easy access to adversaries.

Consequences of insecure firmware updates

Insecure IoT firmware can have dire consequences to the consumers of these connected devices. Even more problematic is the fact that these types of malicious attacks do not require physical access, they can be employed remotely by an attacker without warning.

Here are just a few examples of how insecure updates resulted in an exposed firmware vulnerability or firmware attack:

  • Smart Locks: The scheduled OTA firmware update of a smart lock contained a corrupt version that took the updated smart locks offline. These lock devices were used in the hospitality sector and, as a result, many customers were unable to enter their rental properties. Because the locks were brought offline by the corrupt update, they had to be manually updated by the vendor.
  • Pacemakers: When the United States Food and Drug Administration (FDA) recommended a firmware update to mitigate a remote access vulnerability in certain pacemakers, they also noted in their advisory that there was a minor risk the firmware update could cause device failure. The decision to update the firmware had to be balanced with the possibility of a device failure that would have required surgery to replace the device.
  • Connected Cars: Researchers at Chinese firm Tencent revealed they could hack into a Tesla Model S via Wi-Fi and remotely activate the braking system. Tesla responded by implementing a fundamental security feature – code signing – that required any new firmware written to components on the CAN Bus be digitally signed to address the risk.
  • Networking Gear: developer accidentally leaked private keys used to sign D-Link software in open-source firmware published by the company. It’s unknown whether the keys were used by a malicious third-party, but the incident resulted in third-party investigations and eventual fines.

How to secure IoT firmware updates

There are many good practices you can follow to secure IoT device firmware and to minimize the impact of an update that doesn’t go as planned. Businesses need to plan for both scenarios.

To minimize the impact of a corrupt firmware update, you should eliminate the storage of sensitive information such as credentials and API tokens on the IoT devices. Instead, you should upload this sensitive information to the cloud, where they can be easily managed without the constraints of the low-power IoT devices.

Additionally, the IoT devices should be connected only to one possible attack vector: either through cellular data or through the internet. You should limit the chances that attackers have to attack the device.

As far as the firmware update process is concerned, we must stress that regular updates minimize the number of attack vectors in operating systems, firmware, and applications. It is essential to check each update’s origin and integrity and only use legitimate vendors’ legitimate applications.

Some available update mechanisms lack integrity guarantees, making them vulnerable to MITM attacks and modification attacks. The IoT device can also use machine-to-machine authentication methods to authenticate an upgrade server before downloading a new firmware image, adding a layer of protection. This ensures device updates come from only the device OEM or another trusted source.

Implementing unique identity and secure code signing with OTA updates ensures an unchanged update from the verified source. By using secure boot, the cryptographically secure hash validation ensures integrity by checking the patch before storing it on the device.

Get started with firmware security

Find out how Keyfactor Control enables highly scalable, agile, and cost-effective security from embedding unique identities onto every device at design to securing firmware and identity updates throughout the device lifecycle.

Ryan Sanders

Senior Product Marketing Manager