Implementing secure OTA

IoT products will inevitably require updates. Firmware updates may add new feature sets or close vulnerabilities found after development of the product has completed. If the device itself has no way to refuse unauthorized or modified firmware, then bad actors can manipulate firmware images and load malicious code directly onto the device.

IoT product developers must ensure that only validated, secure software can be loaded. This is done with cryptographic controls: each firmware image is hashed and the hash is digitally signed. The public key associated with the signing certificate is provisioned into secure cryptographic storage on the device, and that key is used to validate the signature on every firmware image before it is accepted.
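The two halves of that scheme, the signing step on the build server and the verification step on the device, as an added example in Go that is not part of the original text. It uses ECDSA P-256 over a SHA-256 digest from the Go standard library; the update package layout (length-prefixed signature followed by the image) is a constructed format for this example, not a standard, and the sample image bytes are constructed. The device side returns the image only when the signature verifies, and rejects truncated or malformed packages instead of panicking.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Update package layout (constructed for this example, not a standard format):
//   [4-byte big-endian signature length][ASN.1 ECDSA signature][firmware image]
const sigLenField = 4

// NewSigningKey creates the P-256 key pair. In production the private half
// lives only on the signing server (ideally inside an HSM); the public half is
// what gets provisioned into the device's protected key storage as the trust anchor.
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignFirmware runs on the build/signing server: hash the whole image with
// SHA-256 and sign the digest with the private key.
func SignFirmware(priv *ecdsa.PrivateKey, image []byte) ([]byte, error) {
	digest := sha256.Sum256(image)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// PackageUpdate bundles the image and its signature for delivery over the air.
func PackageUpdate(image, sig []byte) []byte {
	pkg := make([]byte, sigLenField, sigLenField+len(sig)+len(image))
	binary.BigEndian.PutUint32(pkg, uint32(len(sig)))
	pkg = append(pkg, sig...)
	return append(pkg, image...)
}

// VerifyUpdatePackage runs on the device. It parses the package, recomputes
// the digest of the image and checks the signature against the trust anchor.
// The image bytes are returned only when the signature verifies, so a caller
// cannot accidentally flash an unverified payload.
func VerifyUpdatePackage(trustAnchor *ecdsa.PublicKey, pkg []byte) ([]byte, bool) {
	if len(pkg) < sigLenField {
		return nil, false // too short to even carry a length field
	}
	sigLen := binary.BigEndian.Uint32(pkg)
	if sigLen == 0 || uint64(sigLen) > uint64(len(pkg)-sigLenField) {
		return nil, false // malformed or hostile length field
	}
	sig := pkg[sigLenField : sigLenField+int(sigLen)]
	image := pkg[sigLenField+int(sigLen):]
	if len(image) == 0 {
		return nil, false // signature with no image to protect
	}
	digest := sha256.Sum256(image)
	if !ecdsa.VerifyASN1(trustAnchor, digest[:], sig) {
		return nil, false // signature does not match image or was made by another key
	}
	return image, true
}

func main() {
	priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image v1.1") // stand-in for a real binary
	sig, err := SignFirmware(priv, image)
	if err != nil {
		panic(err)
	}
	pkg := PackageUpdate(image, sig)

	_, ok := VerifyUpdatePackage(&priv.PublicKey, pkg)
	fmt.Println("genuine package accepted:", ok)

	tampered := append([]byte{}, pkg...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the image payload
	_, ok = VerifyUpdatePackage(&priv.PublicKey, tampered)
	fmt.Println("tampered package accepted:", ok)
}
```

The key point for a device implementer is the ordering: the image is parsed and hashed, the signature is checked against the provisioned public key, and only then is the payload handed to the flashing routine. Anything that writes the image to flash before this check passes defeats the purpose of signing.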

Consider the entire development life cycle of the firmware, not just the device: a compromise of the server that applies the digital signature, or of the Certificate Authority (CA) that issued the certificates used in the process, gives an attacker a way to forge a firmware update that passes inspection by the device.

The keys on the device used to validate images (the trust anchors, or roots) must also be guarded in hardware, so that they cannot be tampered with. Storing private keys in unprotected flash storage compromises the entire ecosystem.