-
Notifications
You must be signed in to change notification settings - Fork 24
/
Copy pathdraft-iab-iotsu-workshop-latest.xml
1372 lines (1122 loc) · 64.5 KB
/
draft-iab-iotsu-workshop-latest.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc2629 version 1.0.36 -->
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
]>
<?rfc rfcedstyle="yes"?>
<?rfc toc="yes"?>
<?rfc tocindent="yes"?>
<?rfc sortrefs="yes"?>
<?rfc symrefs="yes"?>
<?rfc strict="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc text-list-symbols="-o*+"?>
<?rfc docmapping="yes"?>
<rfc ipr="trust200902" docName="draft-iab-iotsu-workshop-01.txt" category="info">
<front>
<title abbrev="IoTSU Report">Report from the Internet of Things (IoT) Software Update (IoTSU) Workshop 2016</title>
<author initials="H." surname="Tschofenig" fullname="Hannes Tschofenig">
<organization>ARM Limited</organization>
<address>
<email>[email protected]</email>
</address>
</author>
<author fullname="Stephen Farrell" initials="S." surname="Farrell">
<organization>Trinity College Dublin</organization>
<address>
<postal>
<street></street>
<city>Dublin</city>
<region></region>
<code>2</code>
<country>Ireland</country>
</postal>
<phone>+353-1-896-2354</phone>
<email>[email protected]</email>
</address>
</author>
<date/>
<keyword>Internet-Draft, Security, Firmware Updates, Software Updates, Internet of Things</keyword>
<abstract>
<t>This document provides a summary of the ‘Workshop on Internet of Things
(IoT) Software Update (IOTSU)’
which took place
at Trinity College Dublin, Ireland on the 13th and 14th of June, 2016. The main
goal of the workshop was to foster a discussion on requirements, challenges and
solutions for bringing software and firmware updates to IoT devices.
This report summarizes the discussions and lists recommendations to the
standards community.</t>
</abstract>
</front>
<middle>
<section anchor="introduction" title="Introduction">
<t>This document provides a summary of the ‘Workshop on Internet of Things
(IoT) Software Update (IOTSU)’
<xref target="IoTSU"/>,
which took place
at Trinity College Dublin, Ireland on the 13th and 14th of June, 2016. The main
goal of the workshop was to foster a discussion on requirements, challenges and
solutions for bringing software and firmware updates to IoT devices.</t>
<t>The views and positions in this report are those of the
workshop participants and do not necessarily reflect those of their
employers/sponsors, the authors of this memo nor
the Internet Architecture Board (IAB), under whose auspices the workshop
was held.</t>
<t>The IAB holds occasional workshops designed to
consider long-term issues and strategies for the Internet, and to suggest
future directions for the Internet architecture. The topics investigated often
require coordinated efforts of different organizations and industry bodies to
improve an identified problem. One of the goals of such workshops is to
assist with communication between relevant organisations, companies and
universities, specially when the topics are partly out of the scope for the Internet
Engineering Task Force (IETF). This long-term planning function of the IAB is
complementary to the ongoing engineering efforts performed by working groups of
the IETF.</t>
<t>In his essay ‘The Internet of Things Is Wildly Insecure And Often
Unpatchable’ <xref target="BS14"/> Bruce Schneier expressed concerns about the
status of software/firmware updates for Internet of Things (IoT) devices. IoT
devices, which have a reputation for being insecure already at the time when
they are manufactured, are often expected to stay active in the field for 10+
years and operate unattended with Internet connectivity.</t>
<t>Incorporating a software update mechanism to fix vulnerabilities, to update
configuration settings as well as adding new functionality is recommended by
security experts but there are challenges when using software updates, as the
United States Federal Trade Commission (FTC) staff in their "Internet of Things – Privacy & Security in a Connected
World" <xref target="FTC"/> and the Article 29 Working Party Opinion 8/2014 on
the on Recent Developments on the Internet of Things <xref target="WP29"/> reported. </t>
<t>Amongst the challenges in designing a basic software/firmware update function
are:
<list style="symbols">
<t>Implementations of
software update mechanisms may incorporate
vulnerabilities becoming an attractive attack target, see for example <xref target="OS14"/>,
</t>
<t>Operational
challenges such as the case of an expired certificate in a hub device <xref
target="BB14"/>,
</t>
<t>Privacy issues if devices "call home" often to check for updates</t>
<t>A lack of incentives to distribute software updates along the value
chain</t>
<t>Who should be able to update device software after normal support
stops? When should an alternate source of software updates take over?</t>
</list>
</t>
<t>There are various (often proprietary) software update mechanisms in use
today and the functionality of those varies significantly with the envisioned
use of the IoT devices. More powerful IoT devices, such as those running
general purpose operating systems (like Linux), can make use of
sophisticated software update mechanisms known from the desktop and the mobile
world. This workshop focused on more constrained IoT devices that often run
dedicated real-time operating systems or potentially no operating system at
all.</t>
<t>There is a real risk that many IoT devices will continue to be shipped without a solid
software/firmware update mechanism in place. Ideally, IoT software developers
and product designers should be able to integrate standardized mechanisms that
have experienced substantial review and where the documentation is
available to the public.</t>
<t>Hence, the IAB decided to organize a workshop to reach out to relevant
stakeholders to explore the state-of-the-art and to identify requirements and
gaps. In particular, the call for position papers asked for</t>
<t><list style="symbols">
<t>Protocol mechanisms for distributing software updates.</t>
<t>Mechanisms for securing software updates.</t>
<t>Meta-data about software / firmware packages.</t>
<t>Implications of operating system and hardware design on the software update mechanisms.</t>
<t>Installation of software updates (in context of software and hardware security of IoT devices).</t>
<t>Privacy implications of software update mechanisms.</t>
<t>Implications of device ownership and control for software update.</t>
</list></t>
<t>The rest of the document is organized as follows: Basic terminology is provided in <xref
target="terminology"/> followed by a longer section discussing requirements. Subsequent sections explore
selected topics, such as incentives, and measurements, in more detail. Most of the writeup does raise more questions than it answers. Nevertheless, we tried to synthesise possible conclusions and offer a few next steps. </t>
</section>
<section anchor="terminology" title="Terminology">
<t>As is typical with people from different backgrounds,
workshop participants started the workshop with a discussions of terminology. This section is more intended
to reflect those discussions than to present canonical definitions of
terms.</t>
<t><list style="hanging">
<t hangText='Device Classes:'> IoT devices come in various "sizes"
(such as size of RAM, or size of flash memory). With these configurations
devices are limited in what they can support in terms of operating system
features, cryptographic algorithms, and protocol stacks. For this reason, the
group differentiated two types of classes, namely ARM Cortex A-class / Intel
Atom and Cortex M-class / Intel Quark types of devices. A-class devices are
equipped with powerful processors typically found in set-top boxes and home
routers. The Raspberry Pi is an example of a A-class device, which is capable of
running a regular desktop operating system, such as Linux. There are differences
between the Intel and the ARM-based CPUs in terms of architecture, micro-code and who is allowed to
update a BIOS (if available) and the micro-code. A detailed discussion of these
hardware architectural differences were, however, outside the scope of the
workshop. The implication is that lower-end microcontrollers have
constraints that put restrictions on the amount of software that can be put on them.
While it is easy require support of a wide range of features those may not necessarily fit on these devices.</t>
<t hangText='Software Update and Firmware Update:'> Based on the device
classes it was observed that regular operating systems come with
sophisticated software update mechanisms (such as RPM <xref target="rpm"/> or
Pacman <xref target="pacman"/>) that make use
of the operating system to install and run each application in a
compartmentalized fashion. Firmware updates typically do not provide such a
fine-grained granularity for software updates and instead distribute the entire
binary image, which consists of the (often minimalistic) operating system and
all applications. While the distinction between the mechanisms A-class and M-class
devices will typically use may get more fuzzy over time, most M-class devices use
firmware updates and A-class devices use a combination of firmware and software
updates (with firmware updates being less frequent operations).</t>
<t hangText='Hitless Update:'>
A hitless update implies that the user experience is not “hit”, i.e., it is not impacted.
It is possible to impact the user experience when applying an update even when the
device does not reboot (to obtain or apply said update). If the update is applied when
a user is not using a product and their service is not impacted, the update is “hitless".</t>
<!--
<t hangText="Device Reboot:">
After a new software or firmware image has been distributed, the question arises
whether the device has to be restarted or not. For many desktop, smart phones and tablets new software
updates do not require a restart when new applications are installed while
changes to the underlying operating system often require a restart. For
embedded devices a firmware update often requires a device reboot since it is
also the easiest way to get the device into a clean state. </t>
-->
</list></t>
</section>
<section anchor="requirements" title="Requirements and Questions Arising">
<t>Workshop participants discussed requirements and several of these raised further questions.
As with the previous section we aim to present the discussion as it was.</t>
<t><list style="symbols">
<t>There may be a need to be support partial (differential) updates, that
do not require the entire firmware image to be sent. This may mean that techniques like bsdiff
<xref target="bsdiff"/> and courgette <xref target="courgette"/> are used but might
also mean devices supporting download of applications and libraries alone. The
latter feature may require dynamic linking and position independent code.
It was unclear whether position independent code should be recommended for low-end IoT
devices.</t>
<t>The relative importance of dynamic linkers for low-end IoT devices is unclear. Some operating
systems used with M-class devices, such as Contiki, provide support for a
dynamic linker according to <xref target="OS-Support"/>. This could help to
minimize the amount of data transmitted during updates since only the
modified application or library needs to be transmitted.</t>
<t>How should dependencies among various software updates be handled?
These dependencies may include information about the hardware platform
and configuration as well as other software components
running on a system. For firmware updates the problem of dependencies are often solved by the manufacturer or OEM
rather than on the device itself.</t>
<t>Support for devices with multiple micro-controllers may required an architecture where one
micro-controller is responsible for interacting with the update service and then
dispatching software images to the attached micro-controllers within its local
realm. The alternative of letting each microcontroller interact with an update service
appeared less practical.</t>
<t>Support may be required for devices with multiple owners/stakeholders where the question
arises about who is authorized to push a firmware/software update.</t>
<t>Data origin authentication (DAO) was agreed to be required for software
updates. Without DAO, updates simply become a perfect vulnerability.
It is however non-trivial to ensure the actual trust relationships that exist
are modelled by the DAO mechanism. For some devices and deployment
scenarios, any DAO mechanism is onerous, possibly to the point where
it may be hard to convince a device-maker to include the functionality.</t>
<t>Should digital signatures and encryption for software updates be
recommended as a best current practice? This question particualrly raises the question
about the use of symmetric key cryptography since not all low end IoT devices
are currently using asymmetric crypto.</t>
<t>
DAO
is most commonly provided via digital signature mechanisms, but
symmetric schemes could also be developed, though IETF discussion of
such mechanisms (for purposes less sensitive than software update) has
proved significantly controversial. The main problem seems to be
that simple symmetric schemes only ensure that the sender is a
member of a group and do not fully authenticate a specific sender.
And with software update, we do not want any (possibly compromised)
device to be able to be authenticate new software for all other
similar devices.
</t>
<t>What are the firmware update signing key requirements? Since devices have a rather long
lifetime there has to be a way to change the signing key during the lifetime of
the device.</t>
<t>Should a firmware update mechanism support multiple signatures of firmware
images? Multiple signatures can come in two different flavours, namely <list style="number">
<t>a
single firmware image may be signed by multiple different parties. In this case one could imagine an environment where an
Original Equipment Manufacturer (OEM)
signs the software it creates but then the software is again signed by the
enterprise that approves the distribution within the company.
Other examples include regulatory
signatures where a the software for a medical device may be signed as approved by a certification body.</t>
<t>a
software image may contain libraries that are each signed by their
developers.</t>
</list>
Is a device expected to verify the different types of signatures
or is this rather a service provided by some
non-constrained device? This raises the question about who the IoT device
should trust for what and whether transitive trust is acceptable for some types of
devices? </t>
<t>Are applications from a range of sources allowed to run on a device or only
those from the OEM? If the device is a “closed” device that only supports/runs
software from the OEM then a single signature may be sufficient. In any more
“open” system, 3rd party applications may require support of multiple
signatures.</t>
<t>There is a need for some form of secure storage, at least for those IoT devices that are exposed
to physical attacks. This includes at least the need
to protect the integrity of the public key of the update service on the
device (if signature based DAO is in use). The use of symmetric key cryptography requires improved confidentiality protection (in addition to integrity protection).
</t>
<t>Is there a need to
allow the update infrastructure-side to authenticate the IoT device before
distributing an update? Questions about the identifier used for such an
authentication action were raised. The idea of re-use MAC addresses lead
to concerns about the significant privacy implications of such
identifier re-use.</t>
<t>It is important to minimize device/service downtime due to update processing, minimize user interaction
(e.g., car should not distract the driver) (see hitless updates).
While it may not be possible to avoid all downtime,
there was agreement that one ought strive for “no inappropriate” device downtime. This means
minimal downtime impacting the user/operation of the device.
The definition of “downtime” also depends on the use case,
with a smart light bulb, the device could be "up" if the light is still on, even
if some advanced services are unavailable for a short time.
Whether an update can be done
without rebooting the device depends on the software being
installed, on the OS architecture, and potentially even on the hardware
architecture. The cost/benefit ratio also plays a role.
</t>
<t>
It is desirable to minimise the time taken from the
start of the update to when it is finished.
In some systems with many devices (e.g., industrial lighting) this
can be a challenge if updates need to be unicasted.
</t>
<t>In some systems
with multiple devices, it can be a challenge to ensure that all
devices are at the same release level, especially if some devices
are sleepy. There are some systems where ensuring all relevant
devices are at the same release level is a hard-requirement. In
other cases, it is acceptable if devices converge much more slowly to the
current release level.
</t>
<!--
SF: I don't recall this being presented? And I'm not even sure
what'd be needed from the net that could interfere with the
production line?
<t>During the manufacturing process it is preferable to
not depend on Internet connectivity that could stall the factory in failure
cases. In one
presented solution HTTP with the caching capabilities was used in the factory
to avoid creating such a dependency. </t>
-->
<t>It ought not be possible
for a factory worker to compromise the update process (e.g., copy signing keys,
install unauthorized public keys/trust anchors) during the
manufacturing process. There
are typically two factories involved, first the factory that produces
microcontrollers and other components. The second factory produces the complete
product, such as a fridge. This fridge contains many of the components
previously manufactured. Hence, the firmware of components produced in the
first stage may be 6 month old when the fridge leaves the factory. One does not
want to install a firmware update when the fridge boots the first time. For
that time the firmware update happens already at the end of the manufacturing
process.</t>
<t>Should devices have a recovery procedure when the device gets compromised?
How is the compromise detected?</t>
<t>There was a bit of discussion about the importance for IoT devices to know the current time for the purpose of checking certificate validity. For example, what does “real-time clock” (RTC) actually mean? And what constitute ‘good enough’ time? There are, however, cost, power, size, and environmental constraints that
can make the addition of a real-time clock to an IoT device complex:
<list style="symbols">
<t>Cost: battery- or supercap-backed RTC modules might be several times the cost of the rest of the bill of materials.</t>
<t>Size: the battery and other components are often several times larger than the rest of the material. </t>
<t>Manufacturing: some modules require an extra assembly step, because the battery could be damaged/explodes at high temperature during the reflow process.</t>
<t>Supply chain: devices containing fitted batteries need additional supply chain management to account for storage temperature and to avoid shipping aged devices.</t>
<t>Environmental: Real-time-clock modules are typically not rated at industrial temperature ranges. Those that are have extremely reduced lifetime at high temperatures.</t>
<t>Lifetime: some of these modules last only a few years at the top of their environmental range.</t>
</list>
While a good solution is needed, it is not clear whether there is one true solution. A recent proposal from Google called Roughtime <xref target="RT"/> may be worthwhile to explore.</t>
<t>How do devices learn about a firmware update? Push or Pull? What should be
required functionality for a firmware update protocol?</t>
<t>There is a need to find out whether a software update was successful. In
one discussed solution the bootloader analyses the performance of the running
image to determine which image to run (rather than just verifying the integrity
of the received image). One of the key criteria is that the updated system is
able to make a connection to the device management/software update
infrastructure. As long as it is able to talk to the update infrastructure it
can receive another update. As alternative perspective the argument was made
that one needs to have a way to update the system without have the full system
running.</t>
<t>Gateway requirements. In some deployments gateways terminate the IP-based
protocol communication and use non-IP mechanisms to communicate with other
micro-controllers, for example, within a car. The gateway
in such a system is the end point of the IP communication. The group had mixed feelings
about the use of gateways vs the use of IP communication to every
micro-controller. Participants argued that there is a lack of awareness of IPv6
header compression (with the 6lowpan standards) and of the possible benefits of
IPv6 in those environments in terms of lowering the complexity of the overall
system. </t>
<t>The amount of energy consumed due to software update needs to be
minimized. For example, awakening a sleepy device regularly only to
check for new software would seem wasteful if the device cannot feasibly
be exploited whilst asleep. However, the trade-off is that once the
device awakens with old software, there may be a window
of vulnerability, if some relevant exploit has been discovered.</t>
<t>The amount of storage required for update ought be minimized and can
sometimes be significant. However, there are also benefits to schemes
that store two or three different software images for robustness, e.g.,
if one has space for separate current, last-known-good and being-updated
images then devices can better survive the buggy occasional updates that are
also inevitable.</t>
</list></t>
<t>Which of the features discussed in the list above are nice to have? Which are required? Not all of these are
required to achieve improvement. What are most important?</t>
<t>Among the participants there was consensus that supporting signatures (for
integrity and authentication) of the firmware image itself and the need for
partial updates was seen as important.</t>
<t>There were, however, also concerns regarding the performance implications
since certain device categories may not utilize public key cryptography at all
and hence only a symmetric key approach seems viable, unless some other scheme
such as hash-based signature become practical (they currently aren't
due to signature size). This aspect raised
concerns and trigger a discussions around the use of device management
infrastructure, similar to Kerberos, that manages keys and distributes them to
the appropriate parties. As such, in this set-up there could be a unique key shared
with the key distribution center but for use with specific services (such as a
software update service) a fresh and unique secret would be distributed.</t>
<t>In addition to the requirements for the end devices there are also
infrastructure-related requirements. The infrastructure may consist of servers
in the local network and/or various servers deployed on the Internet. It may
also consist of some application layer gateways. The potential benefits of
having such a local server might include:</t>
<t><list style="symbols">
<t>The local server acting for neighbouring nodes. For example, in a vehicle one
micro-controller can process all firmware updates and redistribute the
relevant parts of those to
interconnected micro-controllers.</t>
<t>Local infrastructure could perform some digital signature checks on behalf of the
devices, e.g., certificate revocation checking.</t>
<t>Local multicast can enable transmission of the same update to many devices</t>
<t>Local servers can hide complexity associated with NAT and Firewalls from the device</t>
</list></t>
<t>Another point related to local infrastructure is that since many IoT devices will not be (directly) connected to the Internet,
but only through a gateway, there may in any case be a need to develop a software / firmware
update mechanism that works in environments where no end-to-end Internet
connectivity exists.</t>
<t>Some current firmware update schemes need to identify devices.
Different design approaches are possible.</t>
<t><list style="symbols">
<t>In an extreme form in one case the decision about updating a device is
made by the infrastructure based on the unique device identification. The
operator of the firmware update infrastructure knows about the hardware and
software requirements for the IoT devices, knows about the policy for updating
the device, etc. The device itself is provisioned with credentials so that it
can verify a firmware update coming from an authorized device.</t>
<t>In another extreme the device has knowledge about the software and
hardware configuration and possible dependencies. It consults software
repositories to obtain those software packages that are most appropriate.
Verifying the authenticity of the software packages/firmware images will still
be required.</t>
</list></t>
<t>Hence, in some deployed software update mechanisms there is no desire for
the device to be identified beyond the need to exchange information about most
recent software versions. For other devices, it is seen as important to identify the
device itself in order to provide the appropriate firmware image/software
packages.</t>
<t>Related to device identification various privacy concerns arise, such as the
need to determine what information is provided to whom and the uses to
which this
information is put. For IoT devices where there is a
close relationship to an individual (see <xref target="RFC6973"/>) privacy concerns are likely higher than for
devices where such a relationship does not exist (e.g., a sensor measuring
concrete). The software / firmware update mechanism should, however, not make
the privacy situation of IoT devices worse. The proposal from the group was to
introduce a minimal requirement of not sending any new identifiers over an
unencrypted channel as part of an update protocol.
</t>
<t>Software update will however provide yet another venue in which the
tension between those advocating better privacy and those
seeking to monetize information will play out. It is in the nature of
software update that it requires devices to sometimes "call home" and
such interactions provide fertile ground for monetization.
</t>
</section>
<!--
SF: Not clear to me what this section adds. I think it's all
repetetive other than the energy and storage points (which I've now
added above.
<section anchor="performance" title="Performance">
<t><list style="symbols">
<t>Not just sending updates to each device individually</t>
<t>Differential updates, examples are bsdiff <xref target="bsdiff"/> and
courgette <xref target="courgette"/></t>
<t>firmware update consumes a lot of energy</t>
<t>requires sufficient amount of flash for storing a backup image</t>
</list></t>
</section>
-->
<section anchor="authz" title="Authorizing a Software / Firmware Update">
<t>There were quite a few points revolving around authorization.</t>
<t><list style="symbols">
<t>Who can accept or reject an update? Is it the owner of the device, or the
user or both? The user may not necessarily be the owner.</t>
<t>With products that fall under a regulatory structure, such as healthcare,
you don’t want firmware other than what has been accredited.</t>
<t>In some cases it will be very difficult for a firmware update system to
communicate to users that an update is available. Doing so may requires tracking the
device and it's status with regards to the installed firmware/software,
with all the privacy downsides if such
tracking is badly done.</t>
<t>Not all updates are the same. Security updates are often
treated differently compared to feature updates and the
authorization for these may differ. </t>
<t>Some people may choose to decline updates, often on the basis
that their system is currently stable, but also possibly due
to concerns about unwanted changes, such as the
HP printer firmware update pushed in March 2016 <xref
target="HP-Firmware"/> that turned off features that
end-users liked.</t>
</list>
</t>
</section>
<section anchor="eol" title="End-of-Support">
<t>There was quite a bit of discussion about end-of-support for
products/devices and how to handle that.</t>
<t><list style="symbols">
<t>How should end-of-support, or end-of-features be treated? Devices are often
deployed for 10+ years (or even longer in some verticals). Device-makers
may not
want or be able to support software and services for such an extended period of time.
Will these devices stop working after a certain, previously unannounced period of time, such as Eye-Fi cards <xref target="eyefi"/>.</t>
<t>There will be a broad range of device-makers involved in IoT, who
may differ substantially in terms of how well they can handle the
full device life-cycle. Some will be large commercial enterprises
who are used to dealing with long device life times, whilst others may
be very small commercial entities where the device lifetime may
be longer than the company life-time. Yet other devices may be
the result of open-source activities that prosper or flounder.
The problem of end-of-support arises in all these cases, though
feasible solutions for software update may substantially differ.
In
some cases device-makers may not be willing to continue to update devices,
for example due to a change in
business strategies caused by a merger. In yet other cases a company may have
gone bankrupt. </t>
<t>While there are many legal, ethical, and business related
questions can we technically enable transfer of device service to another
provider? Could there even be business models for entities that
take over device updates for original device-makers who no
longer wish to handle software update?</t>
<t>The release of code, as it was done with the Little Printer
manufactured and developed by a company called Berg <xref
target="LittlePrinter"/>, could provide a useful example.
While the community took over the support in that case, this can
hardly be assumed in all cases. Just releasing the source code for a device
will not necessarily motivate others to work on the code, to fix bugs or to
maintain a service. Nevertheless, escrowing code so that the
community can take it over if a company fails is one possible option.</t>
<t>The
situation gets more complex when the device has security mechanisms to ensure
that only selected parties are allowed to update the device (which is
really a basic requirement for any secure software update). In this case,
private signing keys (or similar) may need to be made available as well, which could introduce
security problems for already deployed software. In the best case it changes
assumptions made about the trust model and about who can submit updates.</t>
<t>How should deployed devices behave when they are end-of-support and
support ends? Many of them may still function normally, but others may fail
due to the absence of
cloud infrastructure services. Some products are probably expected
to fail safely, similarly to a smoke alarm that makes a loud noise when the
battery becomes empty. Cell phones without a contract can, in some countries,
still be used for emergency services (although at the expense of the society
due to untraceable hoax calls), as discussed in RFC 7406 <xref
target="RFC7406"/>.</t>
</list></t>
<t>The recommendation that can be provided to device-makers and users is to
think about the end-of-support, end-of-support scenarios ahead of time and plan
for those. While device-makers rarely want to consider what happens if their
business fails it is definitely legitimate to consider scenarios where they are
hugely successful and want to evolve a product line instead of supporting
previously sold products forever. Maybe there is also a value in
subscription-based models where product and device support is only provided as
long as the subscription is paid. Without a subscription the product is
deactivated and cannot pose a threat to the Internet at large.</t>
</section>
<section anchor="incentives" title="Incentives">
<t>Workshop participants also discussed how to create incentives for companies to ship
software updates, which is particularly important for products that will be
deployed in the market for a long time. It is also further complicated by
complex value chains.</t>
<t><list style="symbols">
<t>Companies shipping software updates benefit from improved security.
Their devices are less likely to be abused as a vector to launch other
attacks, whether on their own networks, or (as part of a botnet) on other
Internet hosts. This clearly creates an incentive to support and use
software updates.</t>
<t>On the other hand updates can also break things. The negative customer
experience can be due to service interruptions during or after the update
process but can also result from bad experience from deliberate changes
introduced as part of an update - such as a feature that is not available
anymore, or that a “bug” that another service has relied upon being fixed.</t>
<!--
SF: I don't get this point
<t>In the open source community public shaming works since the community is
open to feedback. The problem is when changes are available, just not applied,
since there is not necessarily an entity that pushes patches out.</t>
-->
<t>For most classes of device, there does not seem to be a regulatory
requirement to report or fix,
vulnerabilities, similar to data breach notification laws.</t>
<t>Subscription models for device management were suggested so that companies
providing the service have an economic interest in keeping devices online (and
updated for that).</t>
</list></t>
</section>
<section anchor="measurements-and-analysis" title="Measurements and Analysis">
<t>From a security point of view it is important to know what devices are out
there and what version of software they run. One workshop paper <xref target="plonka"/>
reported measurements with initial done on buggy devices first distributed
in 2003 that were
still detectable in significant numbers just before the workshop 13 years later.
As such, in addition to the
firmware update mechanism companies have been offering
device management solutions that allow OEMs to keep track of their devices.
Tracking these devices and their status is still challenging since some devices
are only connect irregularly or are only turned on when needed (such as a
hockey alarm that is only turned on before a match).</t>
<t>Various stakeholders have a justified interest in knowing something about deployed
devices. For example,</t>
<t><list style="symbols">
<t>Manufacturers and other players in the supply chain are interested to know
what devices are out there, how many have been sold, what devices are out there
but have not been sold. This could help to understand which firmware versions
to support for how long. </t>
<t> Device users, owners, and customers these may want to know what devices
are installed over a longer period of time, what software/firmware version is
the device running, what is uptime of each of these devices, what types of
faults have occurred, etc. Forgotten devices may pose problems, particularly if
they (have the potential to) behave badly.</t>
<t>To an extent, network operators offering services to device owners
and other actors may also need similar information, for example to
control botnets.</t>
<!--
SF: I don't see how this relates to measurement?
<t>Regulators and law makers need information to evaluate the effectiveness of cyber
security laws.</t>
-->
<t>Researchers doing analysis on the state of the Internet ecosystem
(such as what protocols are being used, how much data IoT devices generate,
etc. need measurements for their work.</t>
</list></t>
<t>There can easily be some invasiveness in approaches to acquiring such
measurements. The challenge was put forward to find ways to create measurement
infrastructures that are privacy preserving. Arnar Birgisson noted that there
are privacy-preserving statistical techniques, such as RAPPOR <xref
target="RAPPOR"/>, and Ned Smith added that techniques like Intel's Enhanced
Privacy ID (EPID) may play a role in maintaining some level anonymity for the
IoT device (owners) while also enabling measurement. It seemed clear that
naive approaches to measurement (e.g., where devices are willing to expose
a unique identifier to anyone on request) are unlikely to prove
sufficient.</t>
</section>
<section anchor="firmware-distribution-in-mesh-networks" title="Firmware Distribution in Mesh Networks">
<t>There was some discussion of the requirements for mesh-based networks,
mainly relating to industrial lighting. In these networks, software update can impose
unacceptable performance burdens, especially if there are many devices,
some of which may be are sleepy.</t>
<t>The workshop discussed whether some forms of multicast (perhaps not
IP multicast) would be needed to provide acceptable solutions for software
update in such cases. It was not clear at which layer a multi-cast solution
might be effective in such cases, though there did seem to be no clearly
applicable standards-based approach that was available at the time of the
workshop.</t>
</section>
<section anchor="compromised-devices" title="Compromised Devices">
<t>There was a recognition that there are, and perhaps always will be,
large numbers of devices that can be, or have been compromised. While
updating these can mitigate problems, there will always be new devices
added to networks that cannot be updated (for various reasons) so the
question of what, if anything, to do about compromised devices was
discussed.</t>
<t><list style="symbols">
<t>There may be value if it were possible to single out a device, which shows
faulty behavior or has been compromised, and to shut that down in some
sense.</t>
<t>Prior work in the IETF on Network Endpoint Assessment (NEA) <xref
target="NEA"/> allowed assessing the “posture” of devices. Posture refers to
the hardware or software configuration of a device and may include knowledge
that software installed is up-to-date.
The obtained information can then be used by some network infrastructure to
create a quarantined region network around the device.
</t>
<t>RFC 6561 <xref target="RFC6561"/> describes one scheme for an ISP to send “signals” to
customers about hosts (usually those that are part of a botnets or
generating spam) in their home network.
</t>
<t>Neither RFC 6561 nor NEA has found widespread deployment. Whether such
mechanisms can be more successful in the IoT environment has yet to be
studied.</t>
<!--
SF: What's foo?
<t>There is also a desire to explore mechanisms on the device that shuts down
the device itself. An example of such an approach has been studied in <xref
target="foo"/>.</t>
-->
</list></t>
<t>The conclusion of the discussion at the workshop itself was that there is
some interest to identify and stop misbehaving devices but the actual solution
mechanisms are unclear.</t>
</section>
<section anchor="misc" title="Miscellaneous Points">
<t>There were a number of points discussed at the workshop that don't
neatly fit under the above headings but that are worth recording. Those
included:</t>
<t><list style="symbols">
<t>Complex questions can arise when considering the impact of the lack
of updates on other devices, other persons, or the public in
general. If I don't update my device and that is used to attack
a random host on the Internet, then what incentive do I have
to do updates? What incentive has my device's vendor to have
done that in advance? An example of such a case can be found in DDoS
attacks from IoT devices, such as printers <xref target="SNMP-DDOS"/> and cameras <xref target="DDOS-KREBS"/>.</t>
<!--
SF: repetitive I think?
<t>Lack of updates due to end of life /
end of support for a given product may again be treated differently.</t>
-->
<t>With some IoT devices there are many stakeholders contributing to
the end product (e.g., contributing different subsystems) and ensuring that vulnerabilities
are fixed and
software/firmware updates are communicated through the value chain is known to
be difficult, as demonstrated in <xref target="OS14"/>.</t>
<t>What about forgotten devices? There are many such, and will be more. Even
though they are forgotten, such devices may be useless consumers of electricity,
or may be part of some critical system.</t>
<t>Can we determine whether an update impacts other devices in the Internet?
Updates to one device can have unintended impact on other devices that depend
on it. This can have cascading effects if we are not careful. Changing the
format of the output of a sensor could have cascading impacts, e.g., if some
actuator reacts to the presence/absence of that sensor's data.</t>
<t>How should a device behave when it is running out-of-date software. The
example of a smoke alarm was mentioned. We don't want 100 devices in a
living room to start beeping when
their batteries run low or when they cannot communicate with the cloud. But
are devices supposed to simply stop
working?</t>
<t>The IETF has published a specification that uses the Cryptographic Message
Syntax (CMS) to protect firmware packages, as described in RFC 4108 <xref
target="RFC4108"/>, which also contains meta-data to describe the firmware
image itself. During the workshop the question was raised whether a solution
will in future be needed that is post-quantum secure. A post-quantum
cryptosystem is a system that is secure against quantum computers that have
more than a trivial number of quantum bits. It is open to conjecture whether it
is feasible to build such a machine but current signature algorithms are known
to not be post-quantum secure. This would require introducing technologies
like the Hash-based Merkle Tree Signature (MTS) <xref
target="housley-cms-mts-hash-sig"/>, which was presented and discussed at the
workshop. The downside of such solutions are, their novelty, and for these
use-cases, the fairly large signature or key sizes involved, e.g., depending on
the parameters a signature could easily have a size of 5-10KiB <xref
target="hashsig"/>. While it is likely that post-quantum secure signature
algorithms will be needed for software update at some point in time, it may be
the case that such algorithms will be needed sooner for services requiring long
term confidentiality, (e.g., using TLS) so it was not clear that this
application would be a first-mover in terms of post-quantum security.</t>
<t>Many devices that use certificates do not check the revocation status of certificates, even though extensions like OSCP stapling exists <xref target="RFC6961"/> and is increasingly deployed with Web browsers. The workshop participants were inconclusive regarding the recommendations of certificate revocation checking although the importance has been recognized. The reluctance of deploying certificate revocation deserves further investigations.</t>
</list></t>
</section>
<section anchor="next-steps" title="Tentative Conclusions and Next Steps">
<t>The workshop participants discussed some tentative conclusions and
possible next steps:</t>
<t><list style="symbols">
<t>There was good agreement that having some standardized secure (authorized and
authenticated) software update would be an improvement over having none.</t>
<t>It would be valuable to find agreement on the right scope for a
standardized software/firmware update mechanism. It is not clear that an entire
update system can or should be standardised but there may be some aspects of
such solutions where standards would be beneficial, e.g., (meta-)data formats
and/or protocols for distributing firmware updates. More discussion is needed to identify which parts of the problem
space could benefit from standardisation.</t>
<t>It will be useful to investigate solutions to install updates with no
operation interruption as well as ways to distribute software updates without
disrupting network operations (specifically in low-power wireless networks),
including the development of a multicast transfer mechanism (with appropriate
security).</t>
<t>There will almost certainly be a need for a way to transfer
authority/responsibility for updates, particularly considering end-of-support cases.
This is very close to calling for a standard way to "root" devices as a
feature of all devices.<!-- While this would be a dangerous implement, it
is hard to see how to address end-of-support without some such functionality.--></t>
<t>We would benefit from documentation of proofs-of-concept of
software/firmware updates for constrained devices on different operating system
architectures. The IETF Light-Weight Implementation Guidance (lwig) working group may be a good venue for such
documents.</t>
</list></t>
</section>
<section anchor="security-considerations" title="Security Considerations">
<t>This document summarizes an IAB workshop on software/firmware updates and
the entire content is therefore security related. Standardizing and deploying a
software/firmware update mechanism for use with IoT devices could help to fix
security vulnerabilities faster and in some cases the only via to get vulnerability patched at all.</t>
</section>
<section anchor="iana-considerations" title="IANA Considerations">
<t>This document does not contain any requests to IANA.</t>
</section>
<section anchor="acknowledgements" title="Acknowledgements">
<t>We would like to thank all paper authors and participants for their contributions. The IoTSU workshop is co-sponsored by the Internet Architecture Board and the Science Foundation Ireland funded CONNECT Centre for future networks and communications. The programme committee would like to express their thanks to Comcast for sponsoring the social event.</t>
</section>
<section anchor="appendix-a-program-committee" title="Appendix A: Program Committee">
<t>The following individuals helped to organize the workshop: Jari Arkko, Arnar Birgisson, Carsten Bormann, Stephen Farrell, Russ Housley, Ned Smith, Robert Sparks, and Hannes Tschofenig.</t>
</section>
<section anchor="appendix-b-accepted-position-papers" title="Appendix B: Accepted Position Papers">
<t>The list of accepted position papers is below. Links to these,
and to the workshop agenda and raw minutes are accessible at:
<eref target="https://down.dsg.cs.tcd.ie/iotsu/"/>.</t>
<t><list style="symbols">
<t>R. Housley, ‘Position Paper for Internet of Things Software Update Workshop (IoTSU)’</t>
<t>D. Thomas and A. Beresford, ‘Incentivising software updates’</t>
<t>L. Zappaterra and E. Dijk, Software Updates for Wireless Connected Lighting Systems: requirements, challenges and recommendations’</t>
<t>M. Orehek and A. Zugenmaier, ‘Updates in IoT are more than just one iota’</t>
<t>D. Plonka and E. Boschi, ‘The Internet of Things Old and Unmanaged’</t>
<t>D. Bosschaert, ‘Using OSGi for an extensible, updatable and future proof IoT’</t>
<t>A. Padilla, E. Baccelli, T. Eichinger and K. Schleiser, ‘The Future of IoT Software Must be Updated’</t>
<t>T. Hardie, ‘Software Update in a multi-system Internet of Things’</t>
<t>R. Sparks and B. Campbell, ‘Avoiding the Obsolete-Thing Event Horizon’</t>
<t>J. Karkov, ‘SW update for Long lived products’</t>
<t>S. Farrell, ‘Some Software Update Requirements’</t>
<t>S. Chakrabarti, ‘Internet Of Things Software Update Challenges: Ownership, Software Security & Services’</t>
<t>M. Kovatsch, A. Scholz, and J. Hund, ‘Why Software Updates Are More Than a Security Issue’</t>
<t>A. Grau, ‘Secure Software Updates for IoT Devices’</t>
<t>Birr-Pixton, Electric Imp’s experiences of upgrading half a million embedded devices’</t>
<t>Y. Zhang, J. Yin, C. Groves, and M. Patel, ‘oneM2M device management and software/firmware update’</t>
<t>E. Smith, M. Stitt, R. Ensink, and K. Jager, ‘User Experience (UX) Centric IoT Software Update’</t>
<t>J.-P. Fassino, E.A. Moktad, J.-M. Brun, ‘Secure Firmware Update in Schneider Electric IOT-enabled offers’</t>
<t>M. Orehek, ‘Summary of existing firmware update strategies for deeply embedded systems’</t>
<t>N. Smith, ‘Toward A Common Modeling Standard for Software Update and IoT Objects’</t>
<t>S. Schmidt, M. Tausig, M. Hudler, and G. Simhandl, ‘Secure Firmware Update Over the Air in the Internet of Things Focusing on Flexibility and Feasibility’</t>
<t>A. Adomnicai, J. Fournier, L. Masson, and A. Tria, ‘How careful should we be when implementing cryptography for software update mechanisms in the IoT?’</t>
<t>V. Prevelakis and H. Hamad, ‘Controlling Change via Policy Contracts’</t>
<t>H. Birkholz, N. Cam-Winget and C. Bormann, ‘IoT Software Updates need Security Automation’</t>
<t>R. Bisewski, ‘Comparative Analysis of Distributed Repository Update Methodology and How CoAP-like Update Methods Could Alleviate Internet Strain for Devices that
Constitute the Internet of Things’</t>