Over-the-air updates to IoT devices will bring 'huge security challenges'

Cars have always been a target for thieves. In the dim and distant past, a wire coat hanger slid between the window glass and its frame could often unlock the door. Then, a small bit of hot wiring allowed the thief to drive off.

More recently, technology has come into play. RF communication between a key fob of some description and the car allowed a code to be transmitted, recognised by the car and the doors unlocked. Originally, these systems used a static code, but more recent versions have seen rolling codes deployed in an attempt to foil the would-be thief.

Lately, thieves have been deploying jamming techniques. If they can’t get the code to open your car, the thinking goes, then why not stop the doors being locked? Even if they can’t drive the vehicle away, they can steal valuables from the car.

Intercepting RF communications between a car and its driver is one thing, but what if the RF communication being intercepted is updating that car’s software? We have already seen what can happen when cars are hacked.

It’s not only cars that might be affected. So-called over-the-air (OTA) updates are being seen as probably the only sensible way to update IoT devices in the future. Why? Because of the emergence of ‘update fatigue’: people are fed up with having to upgrade systems continually and often don’t know why they’re doing it. And they’re even less likely to upgrade if they have to deal with many devices.

Javier Orensanz, general manager of ARM’s development solutions group, discussed this issue in his keynote to the recent Hitek UK ARM Users Conference. “Being able to update software automatically raises huge security concerns – the process has to be secure and controlled. But it will have to be over the air,” he contended.

OTA updates are vulnerable to so-called ‘man-in-the-middle’ attacks. The hacker captures the message, changes it, then retransmits it to the target. As Orensanz observed: “The opportunity for people to cause havoc is almost limitless.”

So systems that are updated OTA will need to feature such elements as secure boot, encryption/decryption, one-way functions, digital signatures and hashing. Niall Cooling from consultancy Feabhas asserted: “None of this is optional; you have to do it all. If you don’t, everything else is irrelevant.”

Have you started thinking about IoT security?