As the complexity and functionality of embedded devices increase, so does the need for firmware updates, whether to fix bugs, close security holes, add capability, or refresh the look and feel of a GUI. Increasingly these devices are networked, which makes it possible to update them remotely from a central location as needed. Doing so reliably, without weakening security or leaving a remote system disabled by a failed update, requires attention to a number of points, which apply equally to feature updates and to security updates.
It is important to account for the following when designing a mechanism for remote embedded system updates:
Firmware Image Download and Authentication – The entire image must be downloaded and authenticated before any of it is installed. Installing on the fly, as bytes arrive, risks leaving the device with a partially written image if the download is interrupted mid-stream, and installing anything that has not been authenticated risks running whatever an attacker on the network path chose to send. Authentication means checking the received file against predetermined criteria before acting on it: a digital signature, verified with a public key already provisioned on the device, establishes who produced the image, and a hash covered by that signature establishes that the data arrived unmodified and complete, so a truncated download fails the same check. The signature should be verified over the whole received file before its contents are parsed, so that malformed or truncated data is never interpreted. An image that fails any criterion is discarded and the existing firmware is left in place.
Firmware Image Encryption – To receive software updates, embedded systems usually reach a remote server over the open internet, passing through gateways, storage units, and traffic aggregation units along the way, any of which may be compromised or merely observed. Encrypting the update image keeps its contents confidential in transit and at rest on those intermediate systems, so that an attacker who captures it cannot readily reverse engineer the code. Encryption by itself does not prevent modification: an encrypted image can still be altered or replaced in transit, so it must be combined with the signature check above, and using an authenticated encryption mode (for example AES-GCM) means that decryption itself fails on tampered ciphertext.
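The download-then-authenticate flow of the two points above, as an added example (not code from this page or from SECO's UpdateSmart product): a build-side packer that encrypts the image with AES-GCM and signs the whole file with Ed25519, and a device-side verifier that checks the signature over the complete received file before interpreting a single header field, then decrypts and compares the plaintext hash. The container layout, field sizes, key handling and function names are assumptions made for the example; an all-zero AES key and a short byte string stand in for a provisioned per-device key and a real image.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Hypothetical package layout assumed for this example (not a real product format):
//   magic[4] "FWU1" | plainSHA256[32] | nonce[12] | ciphertext[len(plain)+16] | sig[64]
// The Ed25519 signature covers every byte before it, so truncation or bit flips are caught first.
const (
	magic  = "FWU1"
	hdrLen = 4 + 32 + 12
	tagLen = 16 // AES-GCM authentication tag
	sigLen = ed25519.SignatureSize
)

// NewSigningKeys makes a fresh Ed25519 pair. In production the private key stays
// on the build server and only the public key is provisioned into the device.
func NewSigningKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func newGCM(aesKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BuildPackage is the build-server side: hash the firmware, encrypt it, then sign.
func BuildPackage(fw, aesKey []byte, signKey ed25519.PrivateKey) ([]byte, error) {
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	digest := sha256.Sum256(fw)
	hdr := append(append([]byte(magic), digest[:]...), nonce...)
	// The header is GCM additional authenticated data, so a ciphertext cannot be
	// spliced under a different header even before the outer signature is checked.
	pkg := append(hdr, gcm.Seal(nil, nonce, fw, hdr)...)
	return append(pkg, ed25519.Sign(signKey, pkg)...), nil
}

// VerifyAndDecrypt is the device side. The signature is checked first, over the
// complete received file, so nothing is parsed from unauthenticated bytes.
func VerifyAndDecrypt(pkg, aesKey []byte, pub ed25519.PublicKey) ([]byte, error) {
	if len(pkg) < hdrLen+tagLen+sigLen {
		return nil, errors.New("package too short: incomplete download?")
	}
	body, sig := pkg[:len(pkg)-sigLen], pkg[len(pkg)-sigLen:]
	if !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("signature verification failed")
	}
	hdr, ct := body[:hdrLen], body[hdrLen:] // safe to interpret only after Verify
	if string(hdr[:4]) != magic {
		return nil, errors.New("bad magic")
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	fw, err := gcm.Open(nil, hdr[36:48], ct, hdr) // nonce is hdr[36:48]
	if err != nil {
		return nil, errors.New("ciphertext failed authentication")
	}
	if got := sha256.Sum256(fw); string(got[:]) != string(hdr[4:36]) {
		return nil, errors.New("plaintext digest mismatch")
	}
	return fw, nil
}

func main() {
	pub, priv := NewSigningKeys()
	aesKey := make([]byte, 32) // constructed all-zero key; provision a real per-device key
	pkg, _ := BuildPackage([]byte("constructed firmware image bytes"), aesKey, priv)
	_, err := VerifyAndDecrypt(pkg, aesKey, pub)
	fmt.Println("intact:", err)
	pkg[hdrLen] ^= 0x01 // one ciphertext bit flipped in transit
	_, err = VerifyAndDecrypt(pkg, aesKey, pub)
	fmt.Println("tampered:", err)
}
```

The order in VerifyAndDecrypt is the point: the only thing done with unauthenticated bytes is a length check and a signature verification, and every field read after that has already been signed. The plaintext hash is redundant with the GCM tag in this layout, but it is what a device would compare against a separately delivered manifest, and it is what a delta update can check its reconstructed result against.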
Delta Firmware Images – Transmitting an entire firmware image, which may be many megabytes or even gigabytes, to a remote device is expensive, especially over a cellular link. A delta image contains only the changes from the image currently on the device and is often far smaller. The device needs a well-defined and fully tested mechanism that states which base image a delta applies to and how each part of the delta maps onto the new image; it should refuse a delta built against a different base, and it should verify the reconstructed image (for example against a hash carried in the signed update) before programming it. Mishandling a delta can leave the embedded system unusable until it is physically retrieved and reprogrammed.
System Status – Before an update is attempted, the state of the remote system must be verified. It must have adequate stability, time, memory, storage, and battery life (where applicable) to download, authenticate, decrypt, decompress, program, and reboot into the new image without interruption; an update that stops partway through any of these steps can leave the device inoperable.
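Delta application and the pre-update status check from the two points above, as an added example (not code from this page or from SECO): a small copy/insert delta format whose header names the base image it applies to and the digest of the image it must produce, applied strictly in RAM and handed back for programming only if the result checks out, plus a readiness gate over uptime, free flash and power. The format, the op codes, the thresholds in ReadyForUpdate and all sample data are assumptions constructed for the example; signing of the delta, which a real deployment checks first exactly as for a full image, is omitted to keep the focus on delta handling.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical delta layout assumed for this example (not a real product format):
//   baseSHA256[32] | resultSHA256[32] | resultLen[4] BE | ops...
//   op 0x00 COPY:   srcOff[4] n[4]   copy n bytes from the image already on the device
//   op 0x01 INSERT: n[4] data[n]     literal bytes carried inside the delta
// A real delta is signed like a full image and that signature is checked first; that
// step is omitted here to keep the focus on delta handling. Assumes a 64-bit int.
const (
	opCopy   = 0x00
	opInsert = 0x01
	deltaHdr = 32 + 32 + 4
)

func u32(b []byte, i int) int { return int(binary.BigEndian.Uint32(b[i:])) }

// EncodeDelta wraps an op stream in the header above (build-server side).
func EncodeDelta(base, result, ops []byte) []byte {
	b, r := sha256.Sum256(base), sha256.Sum256(result)
	d := append(append(make([]byte, 0, deltaHdr+len(ops)), b[:]...), r[:]...)
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(result)))
	return append(append(d, n[:]...), ops...)
}

// ApplyDelta rebuilds the new image in RAM and returns it only if it hashes to the
// digest the delta was built for; flash is programmed after that, never before.
func ApplyDelta(current, delta []byte) ([]byte, error) {
	if len(delta) < deltaHdr {
		return nil, errors.New("delta too short")
	}
	if cur := sha256.Sum256(current); string(cur[:]) != string(delta[:32]) {
		return nil, errors.New("delta was built against a different base image")
	}
	resultLen := u32(delta, 64)
	out := make([]byte, 0, resultLen)
	for ops := delta[deltaHdr:]; len(ops) > 0; {
		switch ops[0] {
		case opCopy:
			if len(ops) < 9 || u32(ops, 1) > len(current)-u32(ops, 5) {
				return nil, errors.New("COPY is truncated or reads outside the current image")
			}
			off, n := u32(ops, 1), u32(ops, 5)
			out = append(out, current[off:off+n]...)
			ops = ops[9:]
		case opInsert:
			if len(ops) < 5 || u32(ops, 1) > len(ops)-5 {
				return nil, errors.New("INSERT is truncated or runs past the end of the delta")
			}
			n := u32(ops, 1)
			out = append(out, ops[5:5+n]...)
			ops = ops[5+n:]
		default:
			return nil, fmt.Errorf("unknown delta op 0x%02x", ops[0])
		}
		if len(out) > resultLen { // bound RAM use against a hostile op stream
			return nil, errors.New("result exceeds declared length")
		}
	}
	// A short result or any mis-assembly shows up here as a digest mismatch.
	if got := sha256.Sum256(out); string(got[:]) != string(delta[32:64]) {
		return nil, errors.New("reconstructed image digest mismatch; not programming")
	}
	return out, nil
}

// DeviceStatus is a constructed snapshot of the conditions the text says to check.
type DeviceStatus struct {
	UptimeSeconds  int // stability: seconds since the last reset
	FreeFlashBytes int // room to stage the rebuilt image
	OnMainsPower   bool
	BatteryPercent int
}

// ReadyForUpdate gates the update on example thresholds (assumed, not the page's).
func ReadyForUpdate(s DeviceStatus, imageLen int) error {
	switch {
	case s.UptimeSeconds < 300:
		return errors.New("system not yet stable; retry later")
	case s.FreeFlashBytes < imageLen:
		return errors.New("insufficient flash to stage the image")
	case !s.OnMainsPower && s.BatteryPercent < 50:
		return errors.New("battery too low to finish programming and reboot")
	}
	return nil
}

func main() {
	current := []byte("ABCDEFGHIJ") // constructed stand-in for the image on the device
	ops := []byte{opCopy, 0, 0, 0, 0, 0, 0, 0, 5, opInsert, 0, 0, 0, 3, 'x', 'y', 'z', opCopy, 0, 0, 0, 7, 0, 0, 0, 3}
	delta := EncodeDelta(current, []byte("ABCDExyzHIJ"), ops)
	img, err := ApplyDelta(current, delta)
	fmt.Printf("%q %v\n", img, err)
	fmt.Println(ReadyForUpdate(DeviceStatus{UptimeSeconds: 600, FreeFlashBytes: 1 << 20, BatteryPercent: 30}, len(img)))
}
```

Every COPY and INSERT is bounds-checked before it is used, the running output is capped at the declared length, and the reconstructed image is hashed before it is returned, so a delta aimed at the wrong base, a corrupted op stream or a mis-declared result all stop in RAM rather than in flash. The status gate runs before any of this starts; a device on battery at 30 percent is told to retry later rather than begin a write it may not finish.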
For controlled software upgrades, as well as remote asset tracking based on serial number and GPS, SECO USA has developed a remote embedded system update package, UpdateSmart™, which provides secure and reliable transmission and installation of firmware update images and protects against tampering. Contact SECO USA for an engineering evaluation of how UpdateSmart, in combination with our embedded single board computers, can be applied to your industrial, medical, or defense application.