Secure and Failsafe Firmware Update Service for Deployed IoT Devices, with Full End-to-end Orchestration of the Update Process
IoT devices can be deployed widely and be expected to last many years. During this time new features, bug fixes and optimizations may be developed which could extend their useful lifetime. It is also possible that vulnerabilities are discovered which affect common libraries, and that new attack techniques are revealed. In these circumstances, a secure remote update mechanism protects the investment made in the IoT device and avoids costly recalls and in-field servicing.
Security is at the core of the update service. Device Management Update does not rely on transport security, so it is suitable for a wide set of connectivity models, including broadcast.
The firmware is authenticated through signed metadata known as a Manifest. Devices will only download firmware which has been authenticated through the Manifest.
The Manifest version is checked to stop an attacker from pushing older images, which may contain known security vulnerabilities, to devices.
The downloaded firmware image is verified against the Manifest, so an image altered or corrupted during transfer is rejected rather than applied.
The Manifest metadata is checked against the device model, so firmware is not accepted by devices it was not built for.
Device Management Update facilitates the distribution of the image to devices, the application of the new image and recovery in case of a failure. Users of the service can organize update rollouts into Update Campaigns: selecting target devices, setting conditions for the update, monitoring progress and examining errors.