The topic of OTA software updates for embedded devices is gaining attention as embedded systems are increasingly being connected. Highly publicized breaches continue to demonstrate the lack of security in the design of embedded systems. The software update process itself is intricate, with many security considerations, and it plays an urgent role in the security of the Internet of Things.
A good example is the Jeep Cherokee hack in July 2015. A couple of the components that allowed two security researchers to hack into the vehicle remotely were compromised because the vehicle had no secure over-the-air (OTA) solution. One of the first steps enabling this breach was a software vulnerability that was left unpatched in the multimedia system, which ran a Linux-based operating system. Exploiting that vulnerability led the security researchers to the V850 controller. The V850 controller software was built to only listen to the CAN bus, not to write commands to it. However, it is still a computer system, and all they had to do was reprogram it with a malicious firmware update, which they were able to deploy successfully because the controller performed no proper authenticity checks. This allowed them to write commands directly to the CAN bus, which in turn allowed them to control the engine, the steering wheel, the braking system, and every other critical system.
A properly functioning OTA update mechanism requires authenticity checks on every update, so that a device only installs software that provably comes from its vendor; this provides another layer of security as a deterrent to malicious hackers. An OTA solution should also use a secure channel (e.g. HTTPS) to deploy patches. Kenna Security states that the probability of a vulnerability being exploited is less than 10 percent if it is patched within 5 to 10 days of discovery. However, there is more than a 90 percent chance once 60 days have passed since the discovery. Unfortunately, the average remediation time today is 110 days, which explains the increasing velocity of security breaches.
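The authenticity check described above is the difference between the V850 accepting any image it is handed and accepting only images its vendor released. The following Go program is an added example written for this article; it is not Mender's code and does not use Mender's artifact format. It assumes a constructed artifact layout (version number, payload, Ed25519 signature over both), a vendor public key provisioned on the device, and a record of the installed version so that an old but genuinely signed image cannot be pushed back onto the device.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Artifact is a constructed, simplified OTA update container for this example.
// It is not the Mender artifact format.
type Artifact struct {
	Version   uint32 // monotonically increasing release number
	Payload   []byte // the firmware image
	Signature []byte // Ed25519 signature over SHA-256(Version || Payload)
}

var (
	ErrBadSignature = errors.New("artifact signature does not verify")
	ErrRollback     = errors.New("artifact version is not newer than installed")
)

// digest binds the version number to the payload so that neither can be
// swapped independently without invalidating the signature.
func digest(version uint32, payload []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(payload)
	return h.Sum(nil)
}

// Sign is the vendor side: the build pipeline holds the private key and
// signs each release. The device never sees this key.
func Sign(priv ed25519.PrivateKey, version uint32, payload []byte) Artifact {
	return Artifact{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, digest(version, payload)),
	}
}

// Verify is the device side, run before a single byte is written to flash.
// The device holds only the vendor public key and its installed version.
func Verify(pub ed25519.PublicKey, installed uint32, a Artifact) error {
	if !ed25519.Verify(pub, digest(a.Version, a.Payload), a.Signature) {
		return ErrBadSignature
	}
	// A valid signature is not enough: refuse downgrades to releases that
	// may carry already-patched vulnerabilities.
	if a.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	// Constructed keys and payloads for demonstration only.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := Sign(priv, 2, []byte("firmware v2"))
	fmt.Println("genuine release:  ", Verify(pub, 1, good))

	tampered := good
	tampered.Payload = []byte("malicious firmware")
	fmt.Println("modified payload: ", Verify(pub, 1, tampered))

	_, attacker, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("foreign signer:   ", Verify(pub, 1, Sign(attacker, 3, []byte("x"))))

	fmt.Println("downgrade attempt:", Verify(pub, 2, good))
}
```

Only the first case is installed; the other three are rejected before flashing. Note that the signature check replaces neither the secure channel nor the need to keep the device's own update agent patched: HTTPS protects the download and the device's credentials in transit, while the signature protects the image regardless of how it arrived.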
We created Mender as an open source project to address the update process, so that device makers can patch vulnerabilities in a timely manner, deploy bug fixes, and enable new features for their customers. Our journey started three years ago, when we began conducting user tests with teams that already had substantial experience in the market. Many participants had dealt with OTA for years, some for more than a decade, when it was better known as cyber-physical systems (CPS) or machine-to-machine (M2M). We found that most embedded teams had one to two people dedicated to building and maintaining a homegrown tool to manage the update process. And with time-to-market pressure, it’s not surprising they lacked the bandwidth to include all the security features needed for a secure and robust update process. We hope that will no longer be the case.