Over-the-air (OTA) Firmware Update
IoT systems typically involve the deployment of thousands of devices in the field. It is critical for device stability and maintenance costs to be able to manage the software in these devices remotely. The Samsung ARTIK platform provides a way to update or install applications on devices after deployment in the field, incorporating OTA functionality in various components/layers of the platform.
OTA update is possible using either ARTIK cloud services or third-party cloud services.
OTA Update using ARTIK Cloud Services
ARTIK cloud services enable security across the entire IoT pipeline. The complementary ARTIK platform software includes an on-boarding service using secure device registration, edge node device management from the gateway, an over-the-air update protocol, and an easy-to-use API library.
The ARTIK OTA solution supports application firmware updates on ARTIK 053/055 edge node and ARTIK 520/530/710 gateway devices directly from ARTIK cloud services, and on ARTIK 030 edge node devices by way of the gateway. The mechanism used depends on the module type, OS, and available wireless technology.
From the cloud side, ARTIK OTA leverages
- ARTIK Cloud Device Management (AKC DM)
and its underlying
- Lightweight Machine-to-machine (LWM2M) protocol
to deliver update packages.
When Thread edge node devices like the ARTIK 030 are included, ARTIK OTA additionally involves these technologies.
BLE on-boarding service
ARTIK gateway modules incorporate a BLE-based on-boarding service that establishes the LWM2M link to ARTIK Cloud for communication between the cloud and the gateway or edge device. Therefore, gateway devices must be "on-boarded" prior to attempting OTA updates.
Edge Node Manager
The economics, security, reliability and environmental requirements for many IoT edge node devices dictate their connectivity to be restricted to a local network. A small, inexpensive, battery-driven device may not have the memory, processing, or other capabilities for connecting to the public Internet using a TCP/IP stack.
The Edge Node Manager (ENM) securely connects resource-constrained edge node devices to ARTIK Cloud. The forward-looking ENM is based on IoTivity to ensure future compatibility. It has the ability to perform discovery of all edge node devices within its local network, and is capable of using wireless stacks supported by a variety of technologies.
Registration of Thread edge node devices is performed by the ENM after the edge node is commissioned. Then ENM is able to receive firmware updates for the known edge nodes and perform integrity validation before forwarding to each edge node device.
ARTIK cloud services
Over their lifetime, IoT devices may require software updates to support new functionality, standards, security, or environments. At the same time, it is important to ensure that the software update has originated from a legitimate source. The update must be delivered and installed to the intended device in a tamper-free manner.
Samsung ARTIK cloud services offer a secure over-the-air OTA infrastructure for delivery of software updates to all registered ARTIK devices. The ARTIK OTA solution follows the LWM2M payload format as its delivery mechanism over a TLS-secured link. It features:
Resistance against redirect attacks – for example, where an attacker might send an unsuspecting device to a malicious software store that would then cause the device to download a malicious or unauthorized update, or to cease functioning
Protection against DDOS attacks against the image store by ensuring that only registered and authorized devices will be able to download a new image
Generation of a unique single-use URL for each device to download a given update; a different URL is provided for every OTA update.
With these capabilities, ARTIK Cloud offers flexibility in the update mechanism while providing the ability to customize the update process to include additional security measures for different types of application requirements.
Secure Device Registration
ARTIK Cloud Secure Device Registration (SDR) relies on strong mutual authentication between a gateway device and the cloud registration servers. The device registration involves a binding of user and device authentications, with a convenient mobile application to assist the process. The device authentication is based on use of SHA256_ECDSA X.509 certificates for both devices and servers as part of a two-way TLS handshake.
To ensure the integrity of the certificate based TLS authentication, ARTIK devices and servers are provisioned with certificates from a Public Key Infrastructure (PKI) as a root of trust for the ARTIK ecosystem. Furthermore, ARTIK devices are equipped with secure storage for the purpose of storing factory-provisioned keys and assisting the TLS authentication as a session key generation, using secure APIs.
OTA Update using Third-party Cloud Services
The OTA update approach with third-party cloud IoT depends on the demands of the specific IoT service. Update package delivery can rely on LWM2M or other protocols. For example:
Azure IoT sets up delivery of updates over an SSL/TLS-secured network link as dictated by the "desired properties" setting in its Device Twin services.
AWS IoT provides Lambda functions as NodeJS-based compute modules that can be delivered to registered devices, to initiate updates that may also include binary files.
Refer to the articles in this section for information on the required concepts, and to related articles on these third-party IoT services, for details.
ZigBee OTA Update
OTA program update of ARTIK 030 modules programmed for ZigBee is supported by options in the Silicon Labs Simplicity stack. Refer to the Simplicity Studio documentation for more information.