0

As I understand, some IoT devices verify the integrity of firmware updates downloaded from the internet using the checksum of the file before installing the update, making it impossible for attackers to perform a man-in-the-middle attack and modify the firmware in-air.

This does not make much sense to me, because how does the IoT device know the correct checksum? Surely, the update server would need to transmit the checksum along with the firmware update and if the attacker is in a position to modify the firmware update, they could just as easily modify the transmitted checksum to match the modified firmware.

I would very much appreciate it if someone could explain how those integrity checks work.

jweik
  • Generally, updates are signed using a digital signature, as @SteffenUllrich mentioned below. But, if you are seeing somewhere that an update for an IoT device is validated using a checksum, then it's possible that the IoT device gets the checksum from the issuer's web site, and the connection to the site is over HTTPS - and therefore the connection to the site is secure and the site can be authenticated via its certificate. – mti2935 Apr 28 '22 at 21:22

2 Answers

2

I'm not sure what source of information you had that suggested that only a checksum is used for validating the firmware.

Established approaches for software updates (which include firmware) use cryptographic signatures. In this case the firmware is signed with a private key, which is kept secret by the issuer of the firmware. The device contains the matching public key, which can then be used to verify the signature. This way it is not necessary to know what the checksum of the new firmware will be, but only who issued it (i.e. which public key is trusted).

The process might be more complex by not trusting only a specific public key but by relying on trust anchors in a public key infrastructure (PKI), but the basic idea stays the same: trust is in the cryptographically verified issuer of the firmware and not in a specific checksum.

Steffen Ullrich
2

A checksum would indeed verify its integrity. It would be transferred with the firmware update and the device could ensure integrity based on the checksum.

However, this would not stop MITM. For that one needs to verify authenticity. This is generally done cryptographically, with an HMAC or a digital signature. The cryptographic key involved is held by the IoT device in a (preferably) unmodifiable way.

foreverska
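The integrity-versus-authenticity distinction drawn in the answers above, as an added example that is not part of the original posts: a keyless checksum catches accidental corruption but accepts a package whose body and checksum were both rewritten, while a keyed check rejects it. The key, firmware bytes, package layout and function names are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample values; the key stands in for one provisioned on the device.
DEVICE_KEY = b"constructed-demo-key"
GENUINE_FW = b"FWv2: genuine image bytes (constructed)"
OTHER_FW = b"FWv2: substituted image bytes (constructed)"

def checksum_package(firmware: bytes) -> dict:
    # Keyless: anyone holding the bytes can compute the same value.
    return {"firmware": firmware, "check": hashlib.sha256(firmware).hexdigest()}

def hmac_package(firmware: bytes, key: bytes) -> dict:
    # Keyed: only a holder of `key` can compute a matching tag.
    return {"firmware": firmware, "check": hmac.new(key, firmware, hashlib.sha256).hexdigest()}

def verify_checksum(pkg: dict) -> bool:
    actual = hashlib.sha256(pkg["firmware"]).hexdigest()
    return hmac.compare_digest(actual, pkg["check"])

def verify_hmac(pkg: dict, key: bytes = DEVICE_KEY) -> bool:
    expected = hmac.new(key, pkg["firmware"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, pkg["check"])

def corrupted(pkg: dict) -> dict:
    # Accidental damage: one bit flips, the check field is untouched.
    fw = bytearray(pkg["firmware"])
    fw[0] ^= 0x01
    return {"firmware": bytes(fw), "check": pkg["check"]}

def rewritten(pkg: dict) -> dict:
    # The question's case: body replaced, check recomputed without the key.
    return {"firmware": OTHER_FW, "check": hashlib.sha256(OTHER_FW).hexdigest()}

def results() -> dict:
    plain = checksum_package(GENUINE_FW)
    keyed = hmac_package(GENUINE_FW, DEVICE_KEY)
    return {
        "checksum_detects_corruption": not verify_checksum(corrupted(plain)),
        "checksum_accepts_rewrite": verify_checksum(rewritten(plain)),
        "hmac_detects_corruption": not verify_hmac(corrupted(keyed)),
        "hmac_rejects_rewrite": not verify_hmac(rewritten(keyed)),
    }

if __name__ == "__main__":
    print(results())
```

HMAC is used here because it is in the Python standard library. With a digital signature the device would hold only a public key, so a key read out of one device could not be used to produce valid updates.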