A Secure Firmware Over-The-Air Update Framework for Constrained IoT Devices

Abstract

"IoT devices have a wide range of applications in several different domains in the modern world mainly as wearables and used in smart cities to name a few. Due to their nature of being deployed in remote places it is crucial that these devices are up to date and this is done through firmware over-the-air updates but this poses a security threat where if the firmware update process is not secured it could lead to attackers using man-in-the-middle attacks or injecting malicious firmware to compromise the devices. The solution to the above problem is to patch these devices with regular firmware updates with a strong emphasis on security due to the critical nature of the situation. The solution uses encryption to transmit the firmware binaries securely between the server and the device. It also restricts unauthorized users from attacking the device or the web application by adding both token-based authentication and mutual authentication. The proposed solution was tested on an ESP32 microcontroller with 4MB storage and 320KB of memory. With a firmware binary of size close to 1MB the device updates in 1 minutes and 39 seconds with 50-60% device load during the update."