Patching the Internet of Things: IoT Software Update Workshop 2016

photo: Hannes Tschofenig

The “huge problem” with many IoT devices is that they are un-patchable, and if they cannot be patched, they cannot be made secure. The IoT is on a growth path that is quickly leading to the ubiquitous deployment of unattended devices throughout our homes, offices, factories, and public spaces. All of them, by definition, are connected to the Internet and hackers will eventually discover and exploit the vulnerabilities in these devices. When that happens, there must be a way to detect the intrusion and deploy software updates to fix the security flaws. This is a hard problem to solve and it has the attention of the IoT industry as well as that of the Internet Architecture Board (IAB) and the Science Foundation Ireland-funded CONNECT Centre who sponsored this workshop.

The workshop materials and raw minutes are here. An IAB report will be published in the near future.

The participants at the IoTSU workshop submitted nearly 30 papers on topics covering analysis of past incidents, current practices, and proposals for future standards. The organizers classified the papers and the participants discussed them during four sessions across two days. The following summarizes just a few topics from the workshop that I felt were particularly significant.

Problem Scope and Technical Constraints:
IoT devices are deployed on a range of hardware platforms, many of which are more highly constrained than others. At one end of the spectrum are the “System-On-Chip” devices with full memory management units (MMUs) running embedded Linux and full time access to mains power and a permanent Wi-Fi connection. At the other end of the spectrum are tiny “motes” connected via Low-Power and Lossy networks and required to run for years on battery power or harvest their own energy. The biggest software update challenges are with these highly constrained devices considering that all updates must be done securely and with zero risk of bricking the device. It seemed that most of the participants felt the greatest need was to first address the challenges at the lower end of this spectrum.

Photo: Hannes Tschofenig

IoT as a Service:
When I buy a product, I have a certain set of expectations regarding ownership, control, and life expectancy for that product. An IoT device, however, is not a standalone product; it is highly dependent on the services it receives over the Internet and all of the technical, organizational, and policy infrastructure that underpin those services. Many of the IoT devices on the market are being sold today as products, and consumers are not always aware of the services those devices depend upon for their long term continued operation. Developers and vendors need to keep this perspective in mind when designing and marketing the IoT.

Full Lifecycle Requirements:
To properly address the challenges of the IoT software update problem, it is essential to consider the full lifecycle of the IoT device. This begins during manufacturing when the security credentials must be generated, allocated, and provisioned into the devices in a secure manner. It also incorporates the lifecycle of the device vendor who might be bought out or go bankrupt – we need to consider how to continue patching essential devices when the original manufacturer no longer exists. Finally, it ends with addressing various end-of-life scenarios such as how to decommission and recycle those devices that no longer can or should be supported.

Next Steps:

The workshop concluded with a discussion about next steps. For starters, the organizers will publish an official workshop report. The participants also supported the concept of publishing a document to capture the current best practices in the IoT industry relative to software update. Some also brought up the need to clarify the scope of the workshop activities in terms of whether the focus should be on constrained devices or to also include other platforms or even networks of connected devices such as those found in vehicles. There may also be the opportunity for future standards work such as recommendations for certain minimum hardware requirements to address the need for random number generation, real time clock, and memory to support multiple binary images during an upgrade.

The participants at the IoTSU workshop came together because of their common concern about issues that could potentially threaten the long term success of the IoT. It was a good mix of representatives from both industry and academia who willingly and openly shared their experience and expertise. I believe the workshop was a good first step towards working together to address the common challenges that we are facing as the IoT continues to grow.

Bob Ensink – Embedded Software Engineer, SpinDance; Adjunct Professor, Department of Engineering, Hope College