Secure Firmware Updates for Microcontrollers/constrained IoT devices

Thread Starter

odelgruben

Joined Apr 23, 2025
2
Hi guys,

I am currently trying to find out how secure firmware updates are done on microcontrollers nowadays.
Many authors refer to SUIT (Secure Updates for Internet of Things) in their papers. SUIT is a framework for secure updates on IoT devices and more of a guide, as I understand it.

MCUboot is also a framework that ST Microelectronics uses. I'm a bit confused, when do I use SUIT then? Does each microcontroller manufacturer have their own way of safely updating their devices?

Best regards,
Daniel
 

KeithWalker

Joined Jul 10, 2017
3,603
Microcontroller manufacturers do just that - they manufacture microcontrollers. Most don't generally supply the boot system. It is up to whoever uses it for a specific application to configure the microcontroller the way that they want. The onus then is on that developer to supply updates for the boot and software if they consider that it is necessary.
ST Microelectronics is one of a few manufacturers who actually manufacture the hardware, program it and sell it as complete system solutions. Whether they would provide updates would depend on the application and the nature of the software change.
 

Thread Starter

odelgruben

Joined Apr 23, 2025
2
> Microcontroller manufacturers do just that - they manufacture microcontrollers. Most don't generally supply the boot system. It is up to whoever uses it for a specific application to configure the microcontroller the way that they want. The onus then is on that developer to supply updates for the boot and software if they consider that it is necessary.
> ST Microelectronics is one of a few manufacturers who actually manufacture the hardware, program it and sell it as complete system solutions. Whether they would provide updates would depend on the application and the nature of the software change.

Hi Keith,
thank you for your answer.

I now realise that SUIT can serve as a basis for introducing a secure update mechanism on a microcontroller.
But which manufacturers do not provide the boot system or secure boot/firmware update mechanism?

Every manufacturer integrates some security into their system.

Best regards,
Daniel
 

nsaspook

Joined Aug 27, 2009
16,252
> Hi Keith,
> thank you for your answer.
>
> I now realise that SUIT can serve as a basis for introducing a secure update mechanism on a microcontroller.
> But which manufacturers do not provide the boot system or secure boot/firmware update mechanism?
>
> Every manufacturer integrates some security into their system.
>
> Best regards,
> Daniel

There are billions of controllers in devices running today without a hint of boot security in the hardware or software. Most in applications that don't need it per the manufacturer and user.

The old joke is that the S in IoT is for security. This is changing but it still rings of truth.
 

KeithWalker

Joined Jul 10, 2017
3,603
IoT refers to a network of devices containing embedded sensors with functional and connectivity software. If the network does not include the internet, the software will have very little need for software security.
 

nsaspook

Joined Aug 27, 2009
16,252
> IoT refers to a network of devices containing embedded sensors with functional and connectivity software. If the network does not include the internet, the software will have very little need for software security.

I have lots of sensors on VPN or encrypted systems on the Internet. The security is at the network or packet level, not the physical devices (the updates are cryptographically signed). I don't trust IoT security one bit. A lot of it is from China, with known firmware backdoors (mandated by the CCP) to bypass controller security on their locally designed and fab'd devices.
 