Firmware over the air, also called FOTA or OTA, is one of the key features IoT manufacturers use to promote their products. But what exactly is behind it, and what are the advantages and drawbacks of FOTA? Which techniques are common, which one fits your product best, and what has to be considered in your security concept once over the air updates are in place?

FOTA - Firmware over the air

Firmware over the air describes the general concept of providing a firmware update, that is, an update of the main system software responsible for controlling the underlying hardware, using the "air" interface - meaning one of the available radio communication interfaces.

Besides the general concept, different specific techniques and implementations exist for different radio interfaces e.g.:


What the Hell is - FOTA / OTA / OTASP / OTAP

As with every other mechanism, firmware over the air updates have many similar functionalities that are used in other domains and sometimes mixed up, which leads to misunderstandings and wrong expectations, typically on the customer side. Here are some examples:

Update Techniques

Transferring the firmware over the air is not the only job of a firmware update mechanism, so we want to take a short look at the general firmware update techniques. In the field you will typically see two main techniques: binary replacement and binary patching. Both are described in more detail below.

Binary replacement

Binary replacement is the simplest update technique, used for firmware updates over the air as well as wired. To perform an update using binary replacement, the firmware binary file has to be downloaded completely first. Between the download and the update process, some questions arise. The first is where to store the new firmware, and the second is which mode the firmware runs in during the download.

The following concepts are often used to address these questions:

  1. The firmware update is stored in a specific part of the volatile flash; during the download, normal operation mode can be kept. As soon as the firmware download is completed, the operation mode is changed to update mode, which is often part of the bootloader. This concept requires the most memory resources on the updated device, because at least double the memory space must be provided. If a rollback mechanism is required, at least 3 times the space is needed - 1x running application, 1x new firmware, 1x rollback firmware. The advantage, on the other hand, is that such a device is very hard to brick by a faulty firmware update or even by an interruption during the over the air update.
  2. The device is running in a specific update mode (typically in the bootloader) and updates the firmware on the fly. This is the most dangerous concept, because every problem during the update process can lead to a bricked device. The risk of ending up in this state can be minimized by having a rollback option in place, at least one with minimum functionality that still offers the chance of another firmware update.
  3. The device is running in a specific update mode and writes the data to a non-volatile memory first during the download. As soon as all data is downloaded, it replaces the old firmware. This method is not as sensitive to unexpected resets as the previous one, but can still lead to a bricked device.
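
The boot decision behind the first concept, with a rollback path, as an added example that is not code from the original article. It assumes a bootloader that can start either of two slots directly, so the old image itself serves as the rollback copy; the slot metadata layout, the state names and the trial-boot counter are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical per-slot metadata, kept in non-volatile memory by the bootloader. */
enum slot_state { SLOT_EMPTY, SLOT_PENDING, SLOT_TRIAL, SLOT_CONFIRMED, SLOT_BAD };
struct slot {
    enum slot_state state;
    uint32_t version;     /* monotonically increasing build number */
    uint32_t crc;         /* CRC-32 stored once the download completed */
    uint8_t tries_left;   /* trial boots allowed before rollback */
    const uint8_t *image; /* start of the slot in flash */
    size_t len;
};

/* Bitwise CRC-32 (reflected polynomial 0xEDB88320). Detects corrupt or
 * interrupted writes only; authenticity needs a signature check as well. */
uint32_t fw_crc32(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

static int slot_intact(const struct slot *s) {
    return s->image && s->len && fw_crc32(s->image, s->len) == s->crc;
}

/* Run on every reset. Returns the slot index to boot, or -1 to stay in update mode. */
int select_boot_slot(struct slot s[2]) {
    int best = -1;
    for (int i = 0; i < 2; i++) {
        if (s[i].state != SLOT_PENDING && s[i].state != SLOT_TRIAL) continue;
        if (!slot_intact(&s[i]) || s[i].tries_left == 0) { s[i].state = SLOT_BAD; continue; }
        s[i].state = SLOT_TRIAL;
        s[i].tries_left--; /* must be persisted before jumping to the image */
        return i;
    }
    for (int i = 0; i < 2; i++) /* rollback path: newest confirmed, intact image */
        if (s[i].state == SLOT_CONFIRMED && slot_intact(&s[i]) &&
            (best < 0 || s[i].version > s[best].version)) best = i;
    return best;
}

/* Called by the application once its self-test passed on the trial image. */
void confirm_slot(struct slot *s) { if (s->state == SLOT_TRIAL) s->state = SLOT_CONFIRMED; }
```

A new image that never reaches `confirm_slot` uses up its trial boots and is marked bad, after which the previously confirmed image is selected again.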

Binary patching

Many radio communication links have very limited resources in terms of speed and restricted "speech time". In addition, many devices in the field have to guarantee specific lifetimes, are restricted in the time they can be online, or simply have limited resources available on the device. Resource-saving concepts are therefore required.
Binary patching is a technique to reduce the data which has to be transmitted over the RF link - therefore "over the air". For this technique, knowledge of the currently installed firmware version is required. Using this information, a patch is created on the update server and sent to the device. A patch contains only the differences between two versions and the positions where they are located in the present firmware. During the download of the patch, the device can stay operable and switch to update mode as soon as the download is complete. Because the firmware is manipulated directly, there is still a high risk of a bricked device in case of an unexpected reset, which has to be handled properly.
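
A patch applier for the scheme described above, as an added example that is not code from the original article. The patch layout (base version, record count, then offset/length/data records) is a hypothetical format constructed for this illustration; the point is that the base version is checked and every record is bounds-checked in a dry run before any firmware byte is changed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical patch layout (little-endian), constructed for this example:
 *   header : base_version u32 | record_count u16
 *   record : offset u32 | length u16 | <length> replacement bytes        */
enum patch_rc { PATCH_OK, PATCH_WRONG_BASE, PATCH_MALFORMED, PATCH_OUT_OF_RANGE };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Walk all records; write only when 'commit' is set, so a first dry-run pass
 * can reject a malformed patch before a single firmware byte changes. */
static enum patch_rc walk(uint8_t *fw, size_t fw_len,
                          const uint8_t *p, size_t p_len, int commit) {
    size_t pos = 6;
    uint16_t count = rd16(p + 4);
    for (uint16_t i = 0; i < count; i++) {
        if (p_len - pos < 6) return PATCH_MALFORMED;      /* record header cut off */
        uint32_t off = rd32(p + pos);
        uint16_t len = rd16(p + pos + 4);
        pos += 6;
        if (p_len - pos < len) return PATCH_MALFORMED;    /* record data cut off */
        if (off > fw_len || len > fw_len - off) return PATCH_OUT_OF_RANGE;
        if (commit) memcpy(fw + off, p + pos, len);
        pos += len;
    }
    return pos == p_len ? PATCH_OK : PATCH_MALFORMED;     /* no trailing bytes */
}

/* Apply 'patch' to the firmware region 'fw' that holds 'installed_version'. */
enum patch_rc apply_patch(uint8_t *fw, size_t fw_len, uint32_t installed_version,
                          const uint8_t *patch, size_t patch_len) {
    if (patch_len < 6) return PATCH_MALFORMED;
    if (rd32(patch) != installed_version) return PATCH_WRONG_BASE;
    enum patch_rc rc = walk(fw, fw_len, patch, patch_len, 0);
    return rc == PATCH_OK ? walk(fw, fw_len, patch, patch_len, 1) : rc;
}
```

The dry run does not protect against a reset during the commit pass; that case still needs a staged copy or a journal so the bootloader can resume or roll back.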

Firmware over the air vs. security ... FOTA requires security

Firmware over the air functionality is boon and bane for every security concept. On the one hand, the possibility to update systems in the field is one of the key requirements of a secure system. On the other hand, over the air update drastically increases the risk of a compromised system.

Keeping the risk of being hacked as low as possible while offering FOTA functionality requires a strong security concept for your product. At least the following topics must be considered:

  • Firmware signature
  • Integrity of the signature checking mechanisms
  • Secure communication channel
  • Reliable switching mechanisms between the old and new firmware

Additional details about security measures in IoT devices and best practice for a security analysis can be found here:
