“Firmware Over the Air” updating, also known as FOTA or sometimes OTA, is a double-edged sword when it comes to security.
It seems like a no-brainer that your products should have the ability to be remotely updated with the latest software, especially since you can use this for patching your firmware against vulnerabilities as they are discovered. In this role FOTA serves as a security mitigation.
But FOTA also introduces at least 3 security vulnerabilities that are generally low-cost, high-reward (asymmetric attacks are always the best).
Attack #1
Inject malicious code into the upgrade payload. This can add functionality; defeat security mitigations; dump the entire firmware image out via some supported communication medium, etc.
Attack #2
Intercept the upgrade payload and dis-assemble or de-compile the binary back into readable firmware, find other flaws in the source code, and then exploit those flaws. The beauty of this attack is that you usually uncover an exploit that can be used against all of the devices that have been manufactured in that product line, not just the one sitting in front of you, so you have dramatically increased your attack coverage.
Attack #3
Usually called a “downgrade attack”, this is done when there is no security or just basic code signing included with the upgrade payload. If the attacker has captured an earlier upgrade payload, he or she can re-submit this already-signed, totally validated payload for installation into the device, thus restoring a previous version of the code… and restoring along with it any known vulnerabilities in that previous version, which can then be exploited.
All of these have good strong solutions that can be implemented on any embedded platform, you just have to design them in. But that is another blog post.
