Securing Over-the-Air Code Updates in Wireless Sensor Networks

Introduction

With the growing number of wireless devices in the Internet of Things (IoT), maintaining and managing these devices has become a key issue. In particular, the ability to wirelessly update devices is a must in order to fix security issues and software bugs, or to extend firmware functionality. Recent attacks, such as the Mirai Distributed-Denial-of-Service (DDoS) attack (Kolias, Kambourakis, Stavrou, & Voas, 2017), where IoT devices were used as a botnet, have shown that IoT can be used very easily to cause serious damage.

Thereby, code update mechanisms in these devices must cope with limited computational resources, power constraints, and limited bandwidth for communication. On top of that, the capability of wireless code updates also opens new security vulnerabilities in these systems.

Wireless Sensor Networks (WSNs) are a subset of IoT networks that are suited for long time operations without any human interaction. The elements of the network, called nodes, are mostly battery powered. For this reason, the resource restriction in terms of power consumption is even more critical than in classical IoT applications. Classical security measures may be impractical because of these restrictions. Focusing on WSNs is therefore useful because they represent an edge case for IoT applications.

When the over-the-air (OTA) code update feature for devices is placed in the context of an IoT ecosystem (Rahman, Daud, & Mohamad, 2016), it becomes clear that additional measures are needed to prevent the opening of new security holes. An IoT ecosystem typically identifies four layers, as shown in Figure 1.

Figure 1.

OTA code update in the context of an IoT ecosystem

The code update initially affects all layers, as it passes from the users/devices/applications via the IoT fog and network to the addressed IoT devices/sensor nodes. However, potential new security vulnerabilities only affect the wireless communication between the network’s gateway and IoT devices, assuming that security mechanisms of an IoT security framework are already in place. The code update feature may allow already existing security mechanisms to be bypassed. This means that an IoT security framework (Babar, Stango, Prasad, Sen, & Prasad, 2011; Pacheco & Hariri, 2016; Rahman, Daud, & Mohamad, 2016) needs to be extended with additional mechanisms to secure the OTA code update functionality.

This chapter first presents a general overview of various OTA code update techniques for WSNs. This ranges from interpreter-based systems, over modularized systems that allow exchanging particular modules to systems where the full binary image can be replaced. Distribution protocols and techniques for improving the reliability of these updates are also presented. In particular, the authors discuss important techniques for reducing the size of the code update that must be transmitted wirelessly, taking into account some practical limitations. The authors focus on two main techniques: first, a differencing algorithm to find reusable data, or the optimal combination of instructions; second, preprocessing the binary files to increase their similarity. Examples are provided for both techniques.

Based on this overview of existing OTA code update techniques, their security flaws as well as some existing attacks and possible countermeasures are presented. Although the code update feature has several benefits, it also comes with new scopes from the attacker’s point of view. For this reason, securing the code update is a very important issue. Therefore, the authors will present a classification of security threats and discuss which of them can be used more easily with code update functionality. In particular, the authors will show which of the basic security objectives confidentiality, integrity, and availability are weakened and to what extent. Finally, the authors present state-of-the-art countermeasures and clearly compare them to whether they are securing the above-mentioned weakened security objectives.