Network Working GroupInternet Architecture Board (IAB) H. TschofenigInternet-Draft ARM Limited Intended status: InformationalRequest for Comments: 8240 S. FarrellExpires: August 7, 2017 Trinity College Dublin February 3,Category: Informational September 2017 ISSN: 2070-1721 Report from the Internet of Things(IoT)Software Update (IoTSU) Workshop 2016draft-iab-iotsu-workshop-01.txtAbstract This document provides a summary of the'Workshop onInternet of Things(IoT)Software Update(IOTSU)' which(IoTSU) Workshop that took place at Trinity College Dublin, Ireland on the 13th and 14th of June, 2016. The main goal of the workshop was to foster a discussion on requirements,challengeschallenges, and solutions for bringing software and firmware updates to IoT devices. This report summarizes the discussions and lists recommendations to the standards community. Note that this document is a report on the proceedings of the workshop. The views and positions documented in this report are those of the workshop participants and do not necessarily reflect IAB views and positions. Status of This Memo ThisInternet-Draftdocument issubmitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documentsnot an Internet Standards Track specification; it is published for informational purposes. This document is a product of the InternetEngineering Task Force (IETF). NoteArchitecture Board (IAB) and represents information thatother groups may also distribute working documents as Internet-Drafts. The listthe IAB has deemed valuable to provide for permanent record. It represents the consensus ofcurrent Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents validthe Internet Architecture Board (IAB). Documents approved for publication by the IAB are not amaximumcandidate for any level ofsix monthsInternet Standard; see Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may beupdated, replaced, or obsoleted by other documentsobtained atany time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on August 7, 2017.https://www.rfc-editor.org/info/rfc8240. Copyright Notice Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents(http://trustee.ietf.org/license-info)(https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Requirements and QuestionsArisingRaised . . . . . . . . . . . . . . 5 4. Authorizing aSoftware / FirmwareSoftware/Firmware Update . . . . . . . . . . . 12 5. End-of-Support . . . . . . . . . . . . . . . . . . . . . . .1213 6. Incentives . . . . . . . . . . . . . . . . . . . . . . . . . 14 7. Measurements and Analysis . . . . . . . . . . . . . . . . . . 15 8. Firmware Distribution in Mesh Networks . . . . . . . . . . . 16 9. Compromised Devices . . . . . . . . . . . . . . . . . . . . . 16 10. Miscellaneous Points . . . . . . . . . . . . . . . . . . . . 17 11. Tentative Conclusions and Next Steps . . . . . . . . . . . . 18 12. Security Considerations . . . . . . . . . . . . . . . . . . . 19 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 14.Acknowledgements . . .Informative References . . . . . . . . . . . . . . . . . . . 1915.AppendixA:A. Program Committee . . . . . . . . . . . . . . . .19 16.. 22 AppendixB:B. Accepted Position Papers . . . . . . . . . . . .19 17.. . 22 AppendixC:C. List of Participants . . . . . . . . . . . . . .21 18. Informative References. . 24 Acknowledgements . . . . . . . . . . . . . . . . . . . . .23. . . 26 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . .2526 1. Introduction This document provides a summary of the'Workshop onInternet of Things(IoT)Software Update(IOTSU)' [IoTSU], which(IoTSU) Workshop [IoTSU] that took place at Trinity College Dublin, Ireland on the 13th and 14th of June, 2016. The main goal of the workshop was to foster a discussion on requirements,challengeschallenges, and solutions for bringing software and firmware updates to IoT devices. The views and positions in this report are those of the workshop participants and do not necessarily reflect those of their employers/ sponsors, the authors of thismemomemo, nor the Internet Architecture Board (IAB), under whose auspices the workshop was held. The IAB holds occasional workshops designed to consider long-term issues and strategies for the Internet, and to suggest future directions for the Internet architecture. The topics investigated often require coordinated efforts of different organizations and industry bodies to improve an identified problem. One of the goals of such workshops is to assist with communication between relevantorganisations, companiesorganizations, companies, and universities,speciallyespecially when the topics are partly out of the scope for the Internet Engineering Task Force (IETF). This long-term planning function of the IAB is complementary to the ongoing engineering efforts performed by working groups of the IETF. In his essay'The"The Internet of Things Is Wildly Insecure -- And OftenUnpatchable' [BS14]Unpatchable" [BS14], Bruce Schneier expressed concerns about the status of software/firmware updates forInternet of Things (IoT)IoT devices. IoT devices, which have a reputation for being insecurealready atfrom the timewhenthey are manufactured, are often expected to stay active in the field for10+10 or more years and to operate unattended with Internet connectivity. Incorporating a software update mechanism to fix vulnerabilities, to update configuration settingsas well as addingand, to add new functionality as well, is recommended by securityexperts butexperts. However, there are challenges when using software updates, as documented in the United States Federal Trade Commission (FTC)staff in their "Internetreport titled "internet ofThings -things: Privacy & Security in a Connected World" [FTC] and in the Article 29 Data Protection Working PartyOpiniondocument "Opinion 8/2014 on the on [sic] Recent Developments on the Internet ofThings [WP29] reported. AmongstThings"[WP29]. Among the challenges in designing a basic software/firmware update function are: - Implementations of software update mechanisms may incorporatevulnerabilitiesvulnerabilities, becoming an attractive attacktarget, seetarget. See, forexample [OS14],example, [OS14]. - Operationalchallengeschallenges, such as the case of an expired certificate in a hub device[BB14],[BB14]. - Privacy issues if devices "call home" often to check forupdatesupdates. - A lack of incentives to distribute software updates along the valuechainchain. - Questions such as the following. Who should be able to update device software after normal support stops? When should an alternate source of software updates take over? There are various (often proprietary) software update mechanisms in usetodaytoday, and the functionality of those varies significantly with the envisioned use of the IoT devices. More powerful IoT devices, such as those running general purpose operating systems (like Linux), can make use of sophisticated software update mechanisms known from the desktop and the mobile world. This workshop focused on more constrained IoT devices that often run dedicated real-time operating systems or potentially no operating system at all. There is a real risk that many IoT devices will continue to be shipped without a solid software/firmware update mechanism in place. Ideally, IoT software developers and product designers should be able to integrate standardized mechanisms that have experienced substantial review and where the documentation is available to the public. Hence, the IAB decided to organize a workshop to reach out to relevant stakeholders to explore thestate-of-the-artstate of the art and to identify requirements and gaps. In particular, the call for position papers askedforfor: - Protocol mechanisms for distributing software updates. - Mechanisms for securing software updates. -Meta-dataMetadata aboutsoftware / firmwaresoftware/firmware packages. - Implications of operating system and hardware design on the software update mechanisms. - Installation of software updates (in context of software and hardware security of IoT devices). - Privacy implications of software update mechanisms. - Implications of device ownership and control for software update. The rest of the document is organized as follows:Basicbasic terminology is provided in Section22, followed by a longer section discussing requirements. Subsequent sections explore selected topics, such asincentives,incentives andmeasurements,measurements in more detail. Most of thewriteupwrite-up does raise more questions than it answers. Nevertheless, we tried tosynthesisesynthesize possible conclusions and offer a few next steps. 2. Terminology As is typical with people from different backgrounds, workshop participants started the workshop with a discussions of terminology. This section is more intended to reflect those discussions than to present canonical definitions of terms. Device Classes: IoT devices come in various "sizes" (such as size ofRAM,RAM or size of flash memory). With theseconfigurationsconfigurations, devices are limited in what they can support in terms ofoperating systemoperating-system features, cryptographic algorithms, and protocol stacks. For this reason, the group differentiated two types of classes, namely ARM CortexA-class / IntelA-class/Intel Atom and CortexM-class / IntelM-class/Intel Quark types of devices. A-class devices are equipped with powerful processors typically found in set-top boxes and home routers. The Raspberry Pi is an example ofaan A-classdevice, whichdevice that is capable of running a regular desktop operating system, such as Linux. There are differences between the Intel and the ARM-based CPUs in terms of architecture,micro-codemicrocode, and who is allowed to update aBIOSBasic Input/Output System (BIOS) (ifavailable) and the micro-code.available). A detailed discussion of these hardware architectural differences were, however, outside the scope of the workshop. The implication is that lower-end microcontrollers have constraints that put restrictions on the amount of software that can be put on them. While it is easy to require support of a wide range offeaturesfeatures, those may not necessarily fit on these devices. Software Update and Firmware Update: Based on the deviceclassesclasses, it was observed that regular operating systems come with sophisticated software update mechanisms (such asRPM [rpm]Red Hat Package Manager (RPM) [RPM] orPacman [pacman])pacman [PACMAN]) that make use of the operating system to install and run each application in a compartmentalized fashion. Firmware updates typically do not provide such a fine-grained granularity for software updates and instead distribute the entire binary image, which consists of the (often minimalistic) operating system and all applications. While the distinction between the mechanisms that A-class and M-class devices will typically use may get more fuzzy over time, most M-class devices use firmware updatesandwhile A-class devices use a combination of firmware and software updates (with firmware updates being less frequent operations). Hitless Update: A hitless update implies that the user experience is not "hit", i.e., it is not impacted. It is possible to impact the user experience when applying an update even when the device does not reboot (to obtain or apply said update). If the update is applied when a user is not using a product and their service is not impacted, the update is "hitless". 3. Requirements and QuestionsArisingRaised Workshop participants discussed requirements and several of these raised further questions. As with the previoussectionsection, we aim to present the discussion as it was. - There may be a need to be support partial (differential)updates,updates that do not require the entire firmware image to be sent. This may mean that techniques like bsdiff[bsdiff][BSDIFF] and courgette[courgette][COURGETTE] are used but might also mean devices supporting the download of applications and libraries alone. The latter feature may require dynamic linking and position independent code. It was unclear whether position independent code should be recommended for low-end IoT devices. - The relative importance of dynamic linkers for low-end IoT devices is unclear. Some operating systems used with M-class devices, such as Contiki, provide support for a dynamic linker according to [OS-Support]. This could help to minimize the amount of data transmitted during updates since only the modified application or library needs to be transmitted. - How should dependencies among various software updates be handled? These dependencies may include information about the hardware platform and configuration as well as other software components running on a system. For firmwareupdatesupdates, the problem of dependencies are often solved by the manufacturer orOEMOriginal Equipment Manufacturer (OEM) rather than on the device itself. - Support for devices with multiplemicro-controllersmicrocontrollers mayrequiredrequire an architecture where onemicro-controllermicrocontroller is responsible for interacting with the update service and then dispatching software images to the attachedmicro-controllersmicrocontrollers within its local realm. The alternative of letting each microcontroller interact with an update service appeared less practical. - Support may be required for devices with multiple owners/ stakeholders where the question arises about who is authorized to push a firmware/software update. - Data origin authentication (DAO) was agreed to be required for software updates. Without DAO, updates simply become a perfect vulnerability. Itis however non-trivialis, however, nontrivial to ensure that the actual trust relationships that exist aremodelledmodeled by the DAO mechanism. For some devices and deployment scenarios, any DAO mechanism is onerous, possibly to the point where it may be hard to convince adevice-makerdevice maker to include the functionality. - Should digital signatures and encryption for software updates be recommended as a best current practice? This questionparticualrlyparticularly raises the question about the use of symmetric key cryptography since not alllow endlow-end IoT devices are currently using asymmetric crypto. - DAO is most commonly provided via digital signature mechanisms, but symmetric schemes could also be developed, though IETF discussion of such mechanisms (for purposes less sensitive than software update) has proved significantly controversial. The main problem seems to be that simple symmetric schemes only ensure that the sender is a member of agroupgroup, and they do not fully authenticate a specific sender. And with a software update, we do not want any (possibly compromised) device to be able tobeauthenticate new software for all other similar devices. - What are the firmware update signing key requirements? Since devices have a rather longlifetimelifetime, there has to be a way to change the signing key during the lifetime of the device. - Should a firmware update mechanism support multiple signatures of firmware images? Multiple signatures can come in two differentflavours, namely aflavors, namely: A single firmware image may be signed by multiple different parties. In thiscasecase, one could imagine an environment where anOriginal Equipment Manufacturer (OEM)OEM signs the software itcreatescreates, but then the software is again signed by the enterprise that approves the distribution within the company. Other examples include regulatory signatures whereathe software for a medical device may be signed as approved by a certification body.aA software image may contain libraries that are each signed by their developers. Is a device expected to verify the different types of signatures or is thisrathera service provided by somenon-constrainedunconstrained device? This raisesthe questionquestions about who the IoT device should trust for what and whether transitive trust is acceptable for some types ofdevices?devices. - Are applications from a range of sources allowed to run on a device or only those from the OEM? If the device is a "closed" device that only supports/runs software from theOEMOEM, then a single signature may be sufficient. Inanya system that is more"open" system, 3rd party"open", third-party applications may require support of multiple signatures. - There is a need for some form of secure storage, at least for those IoT devices that are exposed to physical attacks. This includes at least the need to protect the integrity of the public key of the update service on the device (ifsignature basedsignature-based DAO is in use). The use of symmetric key cryptography requires improved confidentiality protection (in addition to integrity protection). - Is there a need to allow the updateinfrastructure-sideinfrastructure side to authenticate the IoT device before distributing an update? Questions about the identifier used for such an authentication action were raised. The idea ofre-use MACreusing Media Access Control (MAC) addresses lead to concerns about the significant privacy implications of such identifierre-use.reuse. - It is important to minimize device/service downtime due to updateprocessing,processing and to minimize user interaction (e.g., car should not distract the driver) (seehitless updates)."Hitless Update" in Section 2). While it may not be possible to avoid all downtime, there was agreement that one ought to strive for "no inappropriate" device downtime. This means minimal downtime impacting the user/operation of the device. The definition of "downtime" also depends on the use case, with a smart light bulb, the device could be "up" if the light is still on, even if some advanced services are unavailable for a short time. Whether an update can be done without rebooting the device depends on the software being installed, on the OS architecture, and potentially even on the hardware architecture. Thecost/ benefitcost/benefit ratio also plays a role. - It is desirable tominimiseminimize the time taken from the start of the update to when it is finished. In some systems with many devices (e.g., industriallighting)lighting), this can be a challenge if updates need to be unicasted. - In some systems with multiple devices, it can be a challenge to ensure that all devices are at the same release level, especially if some devices are sleepy. There are some systems where ensuring all relevant devices are at the same release level is ahard-hard requirement. In other cases, it is acceptable if devices converge much more slowly to the current release level. - It ought not be possible for a factory worker to compromise the update process (e.g., copy signingkeys,keys and install unauthorized public keys/trust anchors) during the manufacturing process. There are typically two factoriesinvolved, firstinvolved: the first factorythatproduces microcontrollers and othercomponents. Thecomponents and the second factory produces the complete product, such as a fridge. This fridge contains many of the components previously manufactured. Hence, the firmware of components produced in the first stage may be6 monthsix months old when the fridge leaves the factory. One does not want to install a firmware update when the fridge boots the first time. For thattimetime, the firmware update happens already at the end of the manufacturing process. - Should devices have a recovery procedure when the device gets compromised? How is the compromise detected? - There was a bit of discussion about the importance for IoT devices to know the current time for the purpose of checking certificate validity. For example, what does "real-time clock" (RTC) actually mean? And whatconstitute 'good enough'constitutes "good enough" time? There are, however, cost, power, size, and environmental constraints that can make the addition of a real-time clock to an IoT device complex: o Cost:battery-Battery- or supercap-backed RTC modules might be several times the cost of the rest of the bill of materials. o Size:theThe battery and other components are often several times larger than the rest of the material. o Manufacturing:someSome modules require an extra assembly step, because the battery could bedamaged/explodesdamaged or explode at hightemperaturetemperatures during the reflow process. o Supply chain:devicesDevices containing fitted batteries need additionalsupply chainsupply-chain management to account for storage temperature and to avoid shipping aged devices. o Environmental: Real-time-clock modules are typically not rated at industrial temperature ranges. Those that are have extremely reduced lifetime at high temperatures. o Lifetime:someSome of these modules last only a few years at the top of their environmental range. While a good solution is needed, it is not clear whether there is one true solution. A recent proposal from Google calledRoughtime"Roughtime" [RT] may be worthwhile to explore. - How do devices learn about a firmware update? Push or Pull? What should be required functionality for a firmware update protocol? - There is a need to find out whether a software update was successful. In one discussedsolutionsolution, the bootloaderanalysesanalyzes the performance of the running image to determine which image to run (rather than just verifying the integrity of the received image). One of the key criteria is that the updated system is able to make a connection to the device management/software update infrastructure. As long as it is able to talk to the updateinfrastructureinfrastructure, it can receive another update. As an alternativeperspectiveperspective, the argument was made that one needs to have a way to update the system withouthavehaving the full system running. - Gateway requirements. In somedeploymentsdeployments, gateways terminate the IP-based protocol communication and use non-IP mechanisms to communicate with othermicro-controllers,microcontrollers, for example, within a car. The gateway in such a system is theend pointendpoint of the IP communication. The group had mixed feelings about the use of gatewaysvsversus the use of IP communication to everymicro-controller.microcontroller. Participants argued that there is a lack of awareness of IPv6 header compression (with the6lowpanIPv6 over Low-Power Wireless Personal Area Network (6LoWPAN) standards) and of the possible benefits of IPv6 in those environments in terms of lowering the complexity of the overall system. - The amount of energy consumed due to software update needs to be minimized. For example, awakening a sleepy device regularly only to check for new software would seem wasteful if the device cannot feasibly be exploitedwhilstwhile asleep. However, the trade-off is that once the device awakens with old software, there may be a window ofvulnerability,vulnerability if some relevant exploit has been discovered. - The amount of storage required for update ought to be minimized and can sometimes be significant. However, there are also benefits to schemes that store two or three different software images for robustness, e.g., if one has space for separatecurrent, last- known-goodcurrent last-known-good and being-updatedimagesimages, then devices can better survive the buggy occasional updates that are also inevitable. Which of the features discussed in the list above are nice to have? Which are required? Not all of these are required to achieve improvement.WhatWhich are most important? Among theparticipantsparticipants, there was consensus that supporting signatures (for integrity and authentication) of the firmware image itself and the need for partial updateswaswere seen as important.There were, however,However, there were also concerns regarding the performanceimplicationsimplications, since certain device categories may not utilize public key cryptography atall and henceall; hence, only a symmetric key approach seems viable, unless some other scheme such as a hash-based signaturebecomebecame practical (they currentlyaren'taren't, due to signature size). This aspect raised concerns andtriggertriggered adiscussionsdiscussion around the use of device management infrastructure, similar to Kerberos, that manages keys and distributes them to the appropriate parties. As such, in thisset-upsetup, there could be a unique key shared with the key distributioncentercenter; but for use with specific services (such as a software updateservice)service), a fresh and unique secret would be distributed. In addition to the requirements for the enddevicesdevices, there are also infrastructure-related requirements. The infrastructure may consist of servers in the local network and/or various servers deployed on the Internet. It may also consist of someapplication layerapplication-layer gateways. The potential benefits of having such a local server might include: - The local server acting forneighbouringneighboring nodes. For example, in a vehicle onemicro-controllermicrocontroller can process all firmware updates and redistribute the relevant parts of those to interconnectedmicro- controllers.microcontrollers. - Local infrastructure could perform some digital signature checks on behalf of the devices, e.g.,certificate revocationcertificate-revocation checking. - Local multicast can enable transmission of the same update to manydevicesdevices. - Local servers can hide complexity associated withNATNetwork Address Translation (NAT) andFirewallsfirewalls from thedevicedevice. Another point related to local infrastructure is that since many IoT devices will not be (directly) connected to the Internet, but only through a gateway, there may in any case be a need to develop asoftware / firmwaresoftware/firmware update mechanism that works in environments where no end-to-end Internet connectivity exists. Some current firmware update schemes need to identify devices. Different design approaches are possible. - In an extreme form in onecasecase, the decision about updating a device is made by the infrastructure based on the unique device identification. The operator of the firmware update infrastructure knows about the hardware and software requirements for the IoT devices, knows about the policy for updating the device, etc. The device itself is provisioned with credentials so that it can verify a firmware update coming from an authorized device. - In anotherextremeextreme, the device has knowledge about the software and hardware configuration and possible dependencies. It consults software repositories to obtain those software packages that are most appropriate. Verifying the authenticity of the software packages/firmware images will still be required. Hence, in some deployed software update mechanisms there is no desire for the device to be identified beyond the need to exchange information about the most recent software versions. For other devices, it is seen as important to identify the device itself in order to provide the appropriate firmware image/software packages. Related to deviceidentificationidentification, various privacy concerns arise, such as the need to determine what information is provided to whom and the uses to which this information is put. For IoT devices where there is a close relationship to an individual (see[RFC6973])[RFC6973]), privacy concerns are likely higher than for devices where such a relationship does not exist (e.g., a sensor measuring concrete). Thesoftware / firmwaresoftware/firmware update mechanism should, however, not make the privacy situation of IoT devices worse. The proposal from the group was to introduce a minimal requirement of not sending any new identifiers over an unencrypted channel as part of an update protocol.Software updateHowever, software updates willhoweverprovide yet another venue in which the tension between those advocating better privacy and those seeking to monetize information will play out. It is in the nature of software update that it requires devices to sometimes "call home" and such interactions provide fertile ground for monetization. 4. Authorizing aSoftware / FirmwareSoftware/Firmware Update There were quite a few points revolving aroundauthorization.authorization: - Who can accept or reject an update? Is it the owner of the device,ortheuseruser, or both? The user may not necessarily be the owner. - With products that fall under a regulatory structure, such as healthcare, you don't want firmware other than what has been accredited. - In somecasescases, it will be very difficult for a firmware update system to communicate to users that an update is available. Doing so mayrequiresrequire tracking the device andit'sits status withregardsregard to the installed firmware/software, with all the privacy downsides if such tracking is badly done. - Not all updates are the same. Security updates are often treated differently compared to featureupdatesupdates, and the authorization for these may differ. - Some people may choose to decline updates, often on the basis that their system is currently stable, but also possibly due to concerns about unwanted changes, such as the HP printer firmware update pushed in March 2016 [HP-Firmware] that turned off features thatend-usersend users liked. 5. End-of-Support There was quite a bit of discussion about end-of-support for products/devices and how to handle that. - How shouldend-of-support,end-of-support or end-of-features be treated? Devices are often deployed for 10+ years (or even longer in some verticals).Device-makersDevice makers may not want or be able to support software and services for such an extended period of time. Will these devices stop working after a certain, previously unannounced period of time, such as Eye-Fi cards[eyefi].[EYEFI]? - There will be a broad range ofdevice-makersdevice makers involved in IoT, who may differ substantially in terms of how well they can handle the full devicelife-cycle.life cycle. Some will be large commercial enterpriseswhothat are used to dealing with long devicelife times, whilstlifetimes, whereas others may be very small commercial entities where the device lifetime may be longer than the companylife-time.lifetime. Yet other devices may be the result of open-source activities that prosper or flounder. The problem of end-of-support arises in all these cases, though feasible solutions for software update may substantially differ. In somecases device-makerscases, device makers may not be willing to continue to update devices, forexampleexample, due to a change in business strategies caused by a merger. In yet othercasescases, a company may have gone bankrupt. - While there are many legal, ethical, andbusiness related questionsbusiness-related questions, can we technically enable transfer of device service to another provider? Could there even be business models for entities that take over device updates for originaldevice-makers whodevice makers that no longer wish to handle software update? - The release of code, as it was done with the Little Printer manufactured and developed by a company calledBerg"Berg" [LittlePrinter], could provide a useful example. While the community took over the support in that case, this can hardly be assumed in all cases. Just releasing the source code for a device will not necessarily motivate others to work on the code, to fixbugsbugs, or to maintain a service. Nevertheless, escrowing code so that the community can take it over if a company fails is one possible option. - The situation gets more complex when the device has security mechanisms to ensure that only selected parties are allowed to update the device (which is really a basic requirement for any secure software update). In this case, private signing keys (or similar) may need to be made available as well, which could introduce security problems foralready deployedalready-deployed software. In the bestcasecase, it changes assumptions made about the trust model and about who can submit updates. - How should deployed devices behave when they are end-of-support and support ends? Many of them may still function normally, but others may fail due to the absence of cloud infrastructure services. Some products are probably expected to fail safely, similarly to a smoke alarm that makes a loud noise when the battery becomes empty. Cell phones without a contract can, in some countries, still be used for emergency services (although at the expense ofthesociety due to untraceable hoax calls), as discussed in RFC 7406 [RFC7406]. The recommendation that can be provided todevice-makersdevice makers and users is to think about theend-of-support,end-of-support and end-of-support scenarios ahead of time and plan for those. Whiledevice-makersdevice makers rarely want to consider what happens if their businessfailsfails, it is definitely legitimate to consider scenarios where they are hugely successful and want to evolve a product line instead of supporting previously sold products forever. Maybe there is alsoavalue in subscription-based models where product and device support is only provided as long as the subscription is paid. Without asubscriptionsubscription, the product is deactivated and cannot pose a threat to the Internet at large. 6. Incentives Workshop participants also discussed how to create incentives for companies to ship software updates, which is particularly important for products that will be deployed in the market for a long time. It is also further complicated by complex value chains. - Companies shipping software updates benefit from improved security. Their devices are less likely to be abused as a vector to launch other attacks, whether on their ownnetworks,networks or (as part of a botnet) on other Internet hosts. This clearly creates an incentive to support and use software updates. - On the otherhandhand, updates can also break things. The negative customer experience can be due to service interruptions during or after the update process but can also result from bad experience from deliberate changes introduced as part of an update--- such as a feature that is not available anymore, orthata "bug" that another service has relied upon being fixed. - For most classes of device, there does not seem to be a regulatory requirement to report orfix,fix vulnerabilities, similar todata breach notificationdata- breach-notification laws. - Subscription models for device management were suggested so that companies providing the service have an economic interest in keeping devices online (and updated for that). 7. Measurements and Analysis From a security point ofviewview, it is important to know what devices are out there and what version of software they run. One workshop paper[plonka][PLONKA] reported measurementswith initialthat were initially done on buggy devices first distributed in20032003, and that were still detectable in significant numbers just before the workshop 13 years later. As such, in addition to the firmware updatemechanismmechanism, companies have been offering device management solutions that allow OEMs to keep track of their devices. Tracking these devices and their status is still challenging since some devices are onlyconnectconnected irregularly or are only turned on when needed (such as a hockey alarm that is only turned on before a match). Various stakeholders have a justified interest in knowing something about deployed devices. Forexample,example: - Manufacturers and other players in the supply chain are interested to know what devices are out there, how many have been sold, and what devices are out there but have not been sold. This could help to understand which firmware versions to support and for how long. - Device users, owners, and customers like these may want to know what devices are installed over a longer period of time, whatsoftware/ firmwaresoftware/firmware version is the device running, what is the uptime of each of these devices, what types of faults have occurred, etc. Forgotten devices may pose problems, particularly if they (have the potential to) behave badly. - To an extent, network operators offering services to device owners and other actors may also need similar information, forexampleexample, to control botnets. - Researchers doing analysis on the state of the Internet ecosystem (such as what protocols are being used, how much data IoT devices generate,etc.etc.,) need measurements for their work. There can easily be some invasiveness in approaches to acquiring such measurements. The challenge was put forward to find ways to create measurement infrastructures that are privacy preserving. Arnar Birgisson noted that there are privacy-preserving statistical techniques, such as RAPPOR [RAPPOR], and Ned Smith added that techniques like Intel's Enhanced Privacy ID (EPID) may play a role in maintaining some level of anonymity for the IoT device (owners) while also enabling measurement. It seemed clear that naive approaches to measurement (e.g., where devices are willing to expose a unique identifier to anyone on request) are unlikely to prove sufficient. 8. Firmware Distribution in Mesh Networks There was some discussion of the requirements for mesh-based networks, mainly relating to industrial lighting. In these networks, software update can impose unacceptable performance burdens, especially if there are many devices, some of which may bearesleepy. The workshop discussed whether some forms of multicast (perhaps not IP multicast) would be needed to provide acceptable solutions for software update in such cases. It was not clear at which layer amulti-castmulticast solution might be effective in such cases, though there did not seem to benoany clearly applicable standards-based approach that was available at the time of the workshop. 9. Compromised Devices There wasarecognition that there are, and perhaps always will be, large numbers of devices that can be, or havebeenbeen, compromised. While updating these can mitigate problems, there will always be new devices added to networks that cannot be updated (for variousreasons)reasons); so the question of what, if anything, to do about compromised devices was discussed. - There may be value if it were possible to single out adevice, whichdevice that shows faulty behavior or has been compromised, and to shutthatit down in some sense. - Prior work in the IETF on Network Endpoint Assessment (NEA) [NEA] allowed assessing the "posture" of devices. Posture refers to the hardware or software configuration of a device and may include knowledge that the software installed isup-to-date.up to date. The obtained information can then be used by some network infrastructure to create a quarantined region network around the device. - RFC 6561 [RFC6561] describes one scheme for an ISP to send "signals" to customers about hosts (usually those that are part of abotnetsbotnet or generating spam) in their home network. - Neither RFC 6561 nor NEA has found widespread deployment. Whether such mechanisms can be more successful in the IoT environment has yet to be studied. The conclusion of the discussion at the workshop itself was that there is some interestto identifyin identifying andstopstopping misbehavingdevicesdevices, but the actual solution mechanisms are unclear. 10. Miscellaneous Points There were a number of points discussed at the workshop that don't neatly fit under the above headings but that are worth recording. Thoseincluded:include: - Complex questions can arise when considering the impact of the lack of updates on other devices, other persons, or the public in general. If I don't update mydevicedevice, andthatit is used to attack a random host on the Internet, but at no apparent cost to me, then what incentive do I have to doupdates?updates that would have protected that random host? What incentive has my device's vendor to havedone thatprovided those updates in advance? An example of such a case can be found in DDoS attacks from IoT devices, such as printers [SNMP-DDOS] and cameras [DDOS-KREBS]. - With some IoTdevicesdevices, there are many stakeholders contributing to the end product (e.g., contributing differentsubsystems) and ensuringsubsystems). Ensuring that vulnerabilities are fixed and software/firmware updates are communicated through the value chain is known to be difficult, as demonstrated in [OS14]. - What about forgotten devices? There are many such, and there will be more. Even though they are forgotten, such devices may be useless consumers of electricity, or they may be part of some critical system. - Can we determine whether an update impacts other devices in the Internet? Updates to one device can have unintended impact on other devices that depend on it. This can have cascading effects if we are not careful. Changing the format of the output of a sensor could have cascading impacts, e.g., if some actuator reacts to the presence/absence of that sensor's data. - How should a device behave when it is running out-of-datesoftware.software? The example of a smoke alarm was mentioned. We don't want 100 devices in a living room to start beeping when their batteries run low or when they cannot communicate with the cloud. But are devices supposed to simply stop working? - The IETF has published a specification that uses the Cryptographic Message Syntax (CMS) to protect firmware packages, as described in RFC 4108 [RFC4108], which also containsmeta-datametadata to describe the firmware image itself. During theworkshopworkshop, the question was raised whether a solutionwillwill, infuturethe future, be needed that ispost- quantumpost-quantum secure. A post-quantum cryptosystem is a system that is secure against quantum computers that have more than a trivial number of quantum bits. It is open to conjecture whether it is feasible to build such amachinemachine, but current signature algorithms are knowntonot to be post-quantum secure. This would require introducing technologies like the Hash-based Merkle Tree Signature (MTS)[housley-cms-mts-hash-sig],[HOUSLEY], which was presented and discussed at the workshop. Thedownsidedownsides of such solutionsare,are theirnovelty, andnovelty and, for theseuse-cases,use cases, the fairly large signature or key sizesinvolved,involved; e.g., depending on theparametersparameters, a signature could easily have a size of5-10KiB [hashsig].5-10 KiB [HASHSIG] [XMSS]. While it is likely that post-quantum secure signature algorithms will be needed for softwareupdateupdates at some point in time, it may be the case that such algorithms will be needed sooner for services requiringlong termlong-term confidentiality, (e.g., usingTLS)Transport Layer Security (TLS)), so it was not clear that this application would be a first-mover in terms of post-quantum security. - Many devices that use certificates do not check the revocation status of certificates, even though extensions likeOSCPOnline Certificate Status Protocol (OCSP) stapling exists [RFC6961] and is increasingly deployed with Web browsers. The workshop participantswere inconclusivedid not reach a conclusion regarding the recommendations of certificate revocationcheckingchecking, although the importance has been recognized. The reluctanceofregarding deploying certificate revocation deserves furtherinvestigations.investigation. 11. Tentative Conclusions and Next Steps The workshop participants discussed some tentative conclusions and possible next steps: - There wasgoodstrong agreement that having some standardized secure (authorized and authenticated) software update would be an improvement over having none. - It would be valuable to find agreement on the right scope for a standardized software/firmware update mechanism. It is not clear that an entire update system can or should bestandardisedstandardized, but there may be some aspects of such solutions where standards would be beneficial, e.g., (meta-)data formats and/or protocols for distributing firmware updates. More discussion is needed to identify which parts of the problem space could benefit fromstandardisation.standardization. - It will be useful to investigate solutions to install updates with nooperationoperational interruption as well as ways to distribute software updates without disrupting network operations(specifically(specifically, in low-power wireless networks), including the development of a multicast transfer mechanism (with appropriate security). - There will almost certainly be a need for a way to transfer authority/responsibility for updates, particularly considering end-of-support cases. This is very close to calling for a standard way to "root" devices as a feature of all devices. - We would benefit from documentation of proofs-of-concept of software/firmware updates for constrained devices on different operating system architectures. The IETF Light-Weight Implementation Guidance (lwig)working groupWorking Group may be a good venue for such documents. 12. Security Considerations This document summarizes an IAB workshop on software/firmware updates and the entire contentis thereforeis, therefore, security related. Standardizing and deploying a software/firmware update mechanism for use with IoT devices could helptofix security vulnerabilities fasterandand, in somecasescases, be the only via to get vulnerability patched at all. 13. IANA Considerations This document does notcontainrequire anyrequests to IANA. 18.IANA actions. 14. Informative References [BB14] Barrett, B., "Winks Outage Shows Us How Frustrating Smart Homes Could Be", April 2014, <http://www.wired.com/2015/04/smart-home-headaches/>. [BS14] Schneier, B., "The Internet of Things Is Wildly Insecure -- And Often Unpatchable", January 2014, <https://www.schneier.com/essays/archives/2014/01/ the_internet_of_thin.html>.[bsdiff][BSDIFF] Percival, C.,"Binary diff/patch utility","Matching with Mismatches and Assorted Applications", September 2016,<http://www.daemonology.net/bsdiff/>. [courgette]<https://ora.ox.ac.uk/objects/ uuid:4f0d53cc-fb9f-4246-a835-3c8734eba735/datastreams/ THESIS01>. [COURGETTE] Google, "SoftwareUpdates -Updates: Courgette", September 2016, <https://www.chromium.org/developers/design-documents/ software-updates-courgette>. [DDOS-KREBS] Goodin, D., "Record-breaking DDoS reportedly delivered by >145k hacked cameras", September 2016, <http://arstechnica.com/security/2016/09/botnet-of-145k- cameras-reportedly-deliver-internets-biggest-ddos-ever/>.[eyefi][EYEFI] Aldred, J.,"EYEFI TO DROP SUPPORT FOR SOME CARDS. THEY WILL 'MAGICALLY' STOP WORKING ON SEPTEMBER"Eye-Fi to Drop Suport for Some Cards. They Will 'Magically' Stop Working on September 16, 2016", June 2016, <http://www.diyphotography.net/eyefi-drop-support- cards-will-magically-stop-working-september-16-2016/>. [FTC] Federal Trade Commission, "FTC Report on Internet of Things Urges Companies to Adopt Best Practices to Address Consumer Privacy and Security Risks", January 2015,<https://www.ftc.gov/news-events/press-releases/2015/01/ ftc-report-internet-things-urges-companies-adopt-best- practices>. [hashsig]<https://www.ftc.gov/system/files/documents/reports/ federal-trade-commission-staff-report-november-2013- workshop-entitled-internet-things- privacy/150127iotrpt.pdf>. [HASHSIG] Langley, A., "Hash based signatures", July 2013, <https://www.imperialviolet.org/2013/07/18/hashsig.html>.[housley-cms-mts-hash-sig][HOUSLEY] Housley, R., "Use of the Hash-based Merkle Tree Signature (MTS) Algorithm in the Cryptographic Message Syntax (CMS)",March 2016, <https://tools.ietf.org/html/draft- housley-cms-mts-hash-sig-04>.Work in Progress, draft-housley-cms-mts-hash-sig- 07, June 2017. [HP-Firmware] BoingBoing, "HP detonates itstimebomb -timebomb: printers stop accepting third party ink en masse", September 2016, <http://boingboing.net/2016/09/19/ hp-detonates-its-timebomb-pri.html>. [IoTSU] IAB, "Internet of Things Software Update Workshop(IoTSU)",(IoTSU) 2016", June 2016, <https://www.iab.org/activities/workshops/iotsu/>. [LittlePrinter] Berg, "The future of Little Printer", September 2014, <http://littleprinterblog.tumblr.com/post/97047976103/ the-future-of-little-printer>. [NEA] IETF, "Network Endpoint Assessment (nea)(Concluded Working Group)",Concluded WG", October 2016, <https://datatracker.ietf.org/wg/nea/charter/>. [OS-Support] Dong, W., Chen, C., Liu, X., and J. Bu, "Providing OS Support for Wireless SensorNetworks -Networks: Challenges and Approaches", DOI 10.1109/SURV.2010.032610.00045, May 2010, <http://ieeexplore.ieee.org/stamp/ stamp.jsp?arnumber=5462978>. [OS14] Oppenheim, L. and S. Tal, "Too ManyCooks -Cooks: Exploiting theInternet-of-TR-069-Things",Internet of TR-069 Things", December 2014, <http://mis.fortunecook.ie/ too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf>.[pacman] -, "Pacman",[PACMAN] "pacman", 2016, <https://www.archlinux.org/pacman/>.[plonka][PLONKA] Plonka, D. and E. Boschi, "The Internet of Things Old andUnmanage",Unmanaged", June 2016, <https://down.dsg.cs.tcd.ie/iotsu/subs/ IoTSU_2016_paper_25.pdf>. [RAPPOR] Erlingsson, U., Pihur, V., and A. Korolova, "RAPPOR", DOI 10.1145/2660267.2660348, July 2014,<https://github.com/google/rappor>.<http://dl.acm.org/citation.cfm?doid=2660267.2660348>. [RFC4108] Housley, R., "Using Cryptographic Message Syntax (CMS) to Protect Firmware Packages", RFC 4108, DOI 10.17487/RFC4108, August 2005,<http://www.rfc-editor.org/info/rfc4108>.<https://www.rfc-editor.org/info/rfc4108>. [RFC6561] Livingood, J., Mody, N., and M. O'Reirdan, "Recommendations for the Remediation of Bots in ISP Networks", RFC 6561, DOI 10.17487/RFC6561, March 2012,<http://www.rfc-editor.org/info/rfc6561>.<https://www.rfc-editor.org/info/rfc6561>. [RFC6961] Pettersen, Y., "The Transport Layer Security (TLS) Multiple Certificate Status Request Extension", RFC 6961, DOI 10.17487/RFC6961, June 2013,<http://www.rfc-editor.org/info/rfc6961>.<https://www.rfc-editor.org/info/rfc6961>. [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., Morris, J., Hansen, M., and R. Smith, "Privacy Considerations for Internet Protocols", RFC 6973, DOI 10.17487/RFC6973, July 2013,<http://www.rfc-editor.org/info/rfc6973>.<https://www.rfc-editor.org/info/rfc6973>. [RFC7406] Schulzrinne, H., McCann, S., Bajko, G., Tschofenig, H., and D. Kroeselberg, "Extensions to the Emergency Services Architecture for Dealing With Unauthenticated and Unauthorized Devices", RFC 7406, DOI 10.17487/RFC7406, December 2014,<http://www.rfc-editor.org/info/rfc7406>. [rpm] -,<https://www.rfc-editor.org/info/rfc7406>. [RPM] "Red Hat Package Manager (RPM)", 2016, <http://rpm.org/>. [RT] Google, "Roughtime", September 2016, <https://roughtime.googlesource.com/roughtime>. [SNMP-DDOS] BITAG, "SNMP Reflected Amplification DDoS Attack Mitigation", August 2012,<https://www.bitag.org/documents/SNMP-Reflected- Amplification-DDoS-Attack-Mitigation.pdf>.<https://www.bitag.org/documents/ SNMP-Reflected-Amplification-DDoS-Attack-Mitigation.pdf>. [WP29] Article 29 Data Protection Working Party, "Opinion 8/2014 on the on Recent Developments on the Internet of Things", 14/EN, WP 223, September 2014,<http://ec.europa.eu/justice/data- protection/article-29/documentation/opinion- recommendation/files/2014/wp223_en.pdf>. 15.<http://ec.europa.eu/justice/data-protection/article- 29/documentation/opinion-recommendation/files/2014/ wp223_en.pdf>. [XMSS] Huelsing, A., Butin, D., Gazdag, S., Rijneveld, J., and A. Mohaisen, "XMSS: Extended Hash-Based Signatures", Work in Progress, draft-irtf-cfrg-xmss-hash-based-signatures-10, July 2017. AppendixA:A. Program Committee The following individuals helped to organize the workshop: Jari Arkko, Arnar Birgisson, Carsten Bormann, Stephen Farrell, Russ Housley, Ned Smith, Robert Sparks, and Hannes Tschofenig.16.AppendixB:B. Accepted Position Papers The list of accepted position papers is below. Links to these, and to the workshop agenda and raw minutes are accessible at: <https://down.dsg.cs.tcd.ie/iotsu/>. - R. Housley,'Position"Position Paper for Internet of Things Software Update Workshop(IoTSU)'(IoTSU)" - D. Thomas and A. Beresford,'Incentivising"Incentivising softwareupdates'updates" - L. Zappaterra and E. Dijk,Software"Software Updates for Wireless Connected Lighting Systems: requirements, challenges andrecommendations'recommendations" - M. Orehek and A. Zugenmaier,'Updates"Updates in IoT are more than just oneiota'iota" - D. Plonka and E. Boschi,'The"The Internet of Things Old andUnmanaged'Unmanaged" - D. Bosschaert,'Using"Using OSGi for an extensible, updatable and future proofIoT'IoT" - A. Padilla, E. Baccelli, T.EichingerEichinger, and K. Schleiser,'The"The Future of IoT Software Must beUpdated'Updated" - T. Hardie,'Software"Software Update in a multi-system Internet ofThings'Things" - R. Sparks and B. Campbell,'Avoiding"Avoiding the Obsolete-Thing EventHorizon'Horizon" - J. Karkov,'SW"SW update for Long livedproducts'products" - S. Farrell,'Some"Some Software UpdateRequirements'Requirements" - S. Chakrabarti,'Internet"Internet Of Things Software Update Challenges: Ownership, Software Security &Services'Services" - M. Kovatsch, A. Scholz, and J. Hund,'Why"Why Software Updates Are More Than a SecurityIssue'Issue: Challenges for IETF CoRE and the W3C Web of Things" - A. Grau,'Secure"Secure Software Updates for IoTDevices'Devices" - Birr-Pixton,Electric"Electric Imp's experiences of upgrading half a million embeddeddevices'devices" - Y. Zhang, J. Yin, C. Groves, and M. Patel,'oneM2M"oneM2M device management and software/firmwareupdate'update" - E. Smith, M. Stitt, R. Ensink, and K. Jager,'User"User Experience (UX) Centric IoT SoftwareUpdate'Update" - J.-P. Fassino, E.A. Moktad, and J.-M. Brun,'Secure"Secure Firmware Update in Schneider Electric IOT-enabledoffers'offers" - M. Orehek,'Summary"Summary of existing firmware update strategies for deeply embeddedsystems'systems" - N. Smith,'Toward"Toward A Common Modeling Standard for Software Update and IoTObjects'Objects" - S. Schmidt, M. Tausig, M. Hudler, and G. Simhandl,'Secure"Secure Firmware Update Over the Air in the Internet of Things Focusing on Flexibility andFeasibility'Feasibility" - A. Adomnicai, J. Fournier, L. Masson, and A. Tria,'How"How careful should we be when implementing cryptography for software update mechanisms in theIoT?'IoT?" - V. Prevelakis and H. Hamad,'Controlling"Controlling Change via PolicyContracts'Contracts" - H. Birkholz, N.Cam-WingetCam-Winget, and C. Bormann,'IoT"IoT Software Updates need SecurityAutomation'Automation" - R. Bisewski,'Comparative"Comparative Analysis of Distributed Repository Update Methodology and How CoAP-like Update Methods Could Alleviate Internet Strain for Devices that Constitute the Internet ofThings'Things" - J. Arrko,'Architectural"Architectural Considerations with Smart Objects and SoftwareUpdates'Updates" - J. Jimenez and M. Ocak,'Software"Software Update Experiences forIoT'IoT" - H. Tschofenig,'Software"Software and Firmware Updates with the OMA LWM2MProtocol' 17.Protocol" AppendixC:C. List of Participants - Arnar Birgisson, Google - Alan Grau, IconLabs - Alexandre Adomnicai, Trusted Objects - Alf Zugenmaier, Munich University of Applied Science - Ben Campbell, Oracle - Carsten Bormann, TZI University Bremen - Daniel Thomas, University of Cambridge - David Bosschaert, Adobe - David Malone, Maynooth University - David Plonka, Akamai - Doug Leith, Trinity College Dublin - Emmanuel Baccelli, Inria - Eric Smith, SpinDance - Jean-Philippe Fassino, Schneider Electric - Joergen Karkov, Grundfos - Jonathon Dukes, Trinity College Dublin - Joseph Birr-Pixton, Electric Imp - Kaspar Schleiser, Freie Universitaet Berlin - Luca Zappaterra, Philips Lighting Research - Martin Orehek, Munich University of Applied Science - Mathias Tausig, FH Campus Wien - Matthias Kovatsch, Siemens - Milan Patel, Huawei - Ned Smith, Intel - Robert Ensink, SpinDance - Robert Sparks, Oracle - Russ Housley, Vigil Security - Samita Chakrabarti, Ericsson - Stephen Farrell, Trinity College Dublin - Vassilis Prevelakis, TU Braunschweig - Hannes Tschofenig, ARM Ltd.14.Acknowledgements We would like to thank all paper authors and participants for their contributions. The IoTSU workshop is co-sponsored by the Internet Architecture Board and the Science Foundation Ireland funded CONNECT Centre for future networks and communications. Theprogrammeprogram committee would like to express their thanks to Comcast for sponsoring the social event. Authors' Addresses Hannes Tschofenig ARM LimitedEMail:Email: hannes.tschofenig@gmx.net Stephen Farrell Trinity College Dublin Dublin 2 Ireland Phone: +353-1-896-2354EMail:Email: stephen.farrell@cs.tcd.ie