Bleeping Computer reported that a new proposal submitted to the Internet Engineering Task Force (IETF) defines a secure framework for delivering firmware updates to Internet of Things (IoT) devices.
Insecure software updates for embedded devices (aka ‘firmware’) have been a frequent source of security lapses on mobile and embedded devices like Internet connected webcams.
Filed on October 30, the “IoT Firmware Update Architecture,” establishes security requirements for device makers to implement when designing firmware update mechanisms for connected devices.
A familiar list of features
The proposed rules include features that have long been recommended by security experts to permit safe handling of software updates. Among them the use of cryptographically signed updates and public key cryptography to provide end-to-end security and verify firmware images, as well as the ability to work with low-power and resource constrained IoT devices.
Firmware has been the source of widespread security issues. For example, low-cost smart phones by BLU were observed transmitting contact and text message information to a firm in China. Also last year, the security firm Anubis Networks said in a blog post that it discovered mystery code in Ragentek Android software including an over-the-air update mechanism that communicates over an unencrypted channel. The Ragentek software is used in a number of low-cost Android smart phones, used across 55 different device models.
Read more on Bleeping Computer: Experts Propose Standard for IoT Firmware Updates