Date posted: 21-Apr-2017
Uploaded by: ramin-firoozye
FIRMWARE UPDATE
BLUETOOTH OVER-THE-AIR
SVIOS MEETUP - APRIL 2017 - RAMIN FIROOZYE - [email protected] - @RAMINF
DEVICES ARE GETTING SMARTER
TYPICAL BLUETOOTH DEVICE =
EMBEDDED CPU + WIRELESS + SOFTWARE
FIRMWARE IS…
▸ Software that runs on an embedded device CPU
▸ App typically written in ‘C’ and compiled into binary
▸ First loaded onto device using a wired connection or ‘programmer’ device
▸ App runs on power on
TYPICAL CONNECTED DEVICE
[Diagram: three layers: Hardware running Firmware, Phone running App, Server exposing a REST API]
IF THERE’S A PROBLEM WITH YOUR PHONE APP…
▸ You push out an update to the App Store
▸ But what if there’s a problem with the firmware?
IF PROBLEM IS WITH FIRMWARE YOU CAN:
▸ Ignore it. Maybe no one will notice
▸ Ask user to plug into a USB cable and manually update
▸ Factory recall the device then update and send back
▸ Send a new device to every new customer
THERE’S AN EASIER WAY
▸ Over the Air Updates
▸ OTA
▸ DFU
▸ OAD
HOW OTA UPDATES WORK
[Diagram: update sequence between App, Firmware and Update Server. The App asks the Firmware “Version?” and gets “v1.0”; the App asks the Update Server “I have v1.0?” and gets “Here’s 2.0” with the Firmware v2.0 binary; the App transfers the binary to the device, which answers “OK”.]
DEVICE NEEDS
▸ Enough flash storage to keep 2 or more copies of firmware
[Diagram: flash slots: Current, New, Factory (optional but recommended)]
FIRMWARE NEEDS TO HAVE…
‣ Way to get firmware version, HW rev, and type
‣ Unique ID (if user has more than one)
‣ Switch to/from normal and update mode
‣ Detect incomplete/corrupt downloads
‣ Recover from bad update (bricking)
Factory (maybe not so optional)
▸ Manual
▸ Always On
▸ Software switch
SWITCHING IN/OUT UPDATE MODE
[Diagram: state machine with two states, Normal Mode and Update Mode; transitions labelled Enable Update and Power On]
HOW TO SWITCH INTO UPDATE WITH BLE
▸ Scan/connect normally
▸ Standard BLE Service has an ‘update mode’ characteristic
▸ Write ‘1’ into characteristic (for example)
▸ Firmware reboots, this time running Update BLE Service
▸ Scan for Update service
▸ Connect and transfer binary
HOW TO SWITCH OUT OF UPDATE WITH BLE
▸ Wait for download complete
▸ Checksum
▸ If OK, overwrite old firmware
▸ Restart into normal mode with new firmware
▸ If not OK, either request retransmit or go back to normal
RECOVER FROM BAD FIRMWARE/STATE
▸ Make it hard to accidentally invoke factory reset
▸ Overwrite current firmware from on-board factory version
▸ Should not require connection (may not be there)
▸ OK to lose cached data
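As an added example (not code from the talk), the device-side decision behind “download complete → checksum → overwrite or fall back” in Go: the image is accepted only if it is complete, its CRC matches and it targets this hardware revision. The 16-byte header layout, the magic value and the function names are this example’s assumptions.

```go
package main
import (
	"encoding/binary"
	"errors"
	"hash/crc32"
)

// Constructed layout (this example's, not the talk's): 16-byte LE header
// {magic u32, hwRev u16, version u16, payload len u32, crc32 u32}, then payload.
const magic, hdrLen = 0x4F544146, 16
var le = binary.LittleEndian
var (
	ErrBadMagic  = errors.New("not a firmware image")
	ErrTruncated = errors.New("incomplete download")
	ErrCorrupt   = errors.New("checksum mismatch")
	ErrWrongHW   = errors.New("image built for another HW rev")
)

// BuildImage is the build/server side: wrap a payload in a header and a CRC
// computed over the whole image while the crc field is still zero.
func BuildImage(hwRev, version uint16, payload []byte) []byte {
	img := make([]byte, hdrLen+len(payload))
	le.PutUint32(img[0:], magic)
	le.PutUint16(img[4:], hwRev)
	le.PutUint16(img[6:], version)
	le.PutUint32(img[8:], uint32(len(payload)))
	copy(img[hdrLen:], payload)
	le.PutUint32(img[12:], crc32.ChecksumIEEE(img)) // crc field is 0 here
	return img
}

// Validate is the device's check after "download complete": nil means the image
// may overwrite the current slot; any error means retransmit or return to normal.
func Validate(img []byte, deviceHwRev uint16) error {
	if len(img) < hdrLen || le.Uint32(img[0:]) != magic {
		return ErrBadMagic
	}
	if uint64(len(img)) != hdrLen+uint64(le.Uint32(img[8:])) {
		return ErrTruncated // transfer stopped early, or has trailing junk
	}
	tmp := append([]byte(nil), img...) // copy so the stored crc can be zeroed
	le.PutUint32(tmp[12:], 0)
	if crc32.ChecksumIEEE(tmp) != le.Uint32(img[12:]) {
		return ErrCorrupt
	}
	if le.Uint16(img[4:]) != deviceHwRev {
		return ErrWrongHW
	}
	return nil
}
```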
ALSO, SECURITY…
SECURITY THROUGH OBSCURITY DOESN’T WORK
COMPILED BINARY ISN’T GOOD PROTECTION
IDA Pro Disassembler/Debugger https://www.hex-rays.com/products/ida/
UPDATES CAN ALSO BE DONE BADLY
PRO-TIPS
END-TO-END ENCRYPTION
[Diagram: the same OTA update sequence as above (“Version?” / “v1.0”, “I have v1.0?” / “Here’s 2.0”, transfer / “OK”), shown with the Firmware v2.0 binary encrypted end to end from Update Server to device]
ENCRYPTION BEST-PRACTICES
▸ Use asymmetric public-key encryption
▸ Use digital signatures to verify devices
▸ Choose BLE chip with built-in crypto hardware
▸ Do full security audit/code review before launch
▸ If feasible, use a ‘secure enclave’ chip to hold private keys
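The slide asks for asymmetric keys and digital signatures; as an added example (not the talk’s code), this Go program signs a small firmware manifest with an Ed25519 release key and checks it the way a device holding only the public key would, then checks the downloaded payload against the digest the manifest committed to. The manifest format and the function names are this example’s assumptions.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)
// Constructed manifest (this example's format, not the talk's): hwRev u16,
// version u16, payload length u32, SHA-256 of payload (40 bytes signed),
// followed by a 64-byte Ed25519 signature made with the release key.
const signedLen, manifestLen = 40, 40 + ed25519.SignatureSize
var (
	ErrUntrusted = errors.New("manifest not signed by the release key")
	ErrPayload   = errors.New("payload does not match the signed manifest")
)
// NewReleaseKey makes a key pair; only the public half is ever put on devices.
func NewReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}
// SignManifest runs on the release server, the only holder of priv.
func SignManifest(priv ed25519.PrivateKey, hwRev, version uint16, payload []byte) []byte {
	m := make([]byte, signedLen, manifestLen)
	binary.LittleEndian.PutUint16(m[0:], hwRev)
	binary.LittleEndian.PutUint16(m[2:], version)
	binary.LittleEndian.PutUint32(m[4:], uint32(len(payload)))
	sum := sha256.Sum256(payload)
	copy(m[8:], sum[:])
	return append(m, ed25519.Sign(priv, m)...)
}
// VerifyManifest is the device's first check, before any payload is accepted:
// manifests from another key, or edited after signing, are rejected.
func VerifyManifest(pub ed25519.PublicKey, m []byte) (hwRev, version uint16, err error) {
	if len(m) != manifestLen || !ed25519.Verify(pub, m[:signedLen], m[signedLen:]) {
		return 0, 0, ErrUntrusted
	}
	return binary.LittleEndian.Uint16(m[0:]), binary.LittleEndian.Uint16(m[2:]), nil
}

// VerifyPayload runs after the BLE transfer on a manifest that passed VerifyManifest:
// the received bytes must be exactly what the release key signed for.
func VerifyPayload(m, payload []byte) error {
	sum := sha256.Sum256(payload)
	if len(m) < signedLen || uint32(len(payload)) != binary.LittleEndian.Uint32(m[4:]) || !bytes.Equal(sum[:], m[8:signedLen]) {
		return ErrPayload
	}
	return nil
}
```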
PROBLEM WITH ON-CHIP DECRYPTION
▸ Need enough flash to keep 3 or more copies of firmware
[Diagram: flash slots: Factory (Optional), New (encrypted), Current, New (decrypted), plus scratch space during decryption]
ENCRYPTION TRADE-OFF
▸ Bill Of Material Cost
▸ Processing Power
▸ Added Complexity
▸ Development Time
$$$
PLAN B: DECRYPT ON PHONE
[Diagram: the server-to-app and app-to-device legs of the OTA sequence (“I have v1.0?” / “Here’s 2.0”, transfer / “OK”), with the App decrypting the binary before sending it to the device. Requires pairing.]
DECRYPTING ON IPHONE (HOMEWORK)
▸ Don’t decrypt until absolutely necessary
▸ Go watch WWDC 2015 Video: “Security and Your Apps”
▸ https://developer.apple.com/videos/play/wwdc2015/706/
▸ If too lazy check out: SecureEnclaveCrypto library on GitHub
▸ https://github.com/trailofbits/SecureEnclaveCrypto
▸ Set up bonding/pairing between phone and device
▸ https://devzone.nordicsemi.com/question/47091/getting-an-ios-central-app-to-bond/
BARE MINIMUM FIRMWARE UPDATE SYSTEM
▸ Manual deployment checklist
▸ Web download site with SSL (e.g. Amazon S3)
▸ Firmware metadata (text file)
▸ Simple mobile SDK (REST to server - BLE to device)
▸ Firmware with OTA update + software toggle
▸ BLE hardware with 2x flash
A PROPER UPDATE SYSTEM
▸ Rapid firmware build and deploy (with encryption)
▸ Back-end update server (with SSL/TLS and REST API)
▸ Release workflow automation
▸ Mobile app SDK (REST to server - BLE to device)
▸ Push notification (or WebSocket support)
▸ Application UX/UI design templates
▸ Firmware with OTA update + software toggle
▸ Hardware support for OTA (4x flash + crypto + factory reset)
▸ Device segmentation and analytics
▸ End-to-end encryption
THINK DIFFERENT
▸ Treat Firmware Updates like App Updates
▸ Release an MVP device then iterate quickly with new features
▸ Have different firmware for different markets (or users)
▸ Use serial numbers & encryption to avoid piracy
▸ Do not load final firmware at factory (!?!)
COUNTERFEITS
▸ Hoverboards
▸ https://www.wired.com/2015/06/the-weird-story-of-the-viral-chinese-scooter-phunkeeduck-io-hawk/
▸ Saleae Logic Analyzers
▸ https://www.saleae.com/counterfeit
PLAN AHEAD
▸ Don’t leave firmware update support to the last minute
▸ Don’t host firmware updates on same back-end as app-server
▸ Always have a fallback plan / factory reset
▸ Design app UX with firmware update in mind
▸ Test, test, test