
Yet that update channel is a door for other attacks. Either it's perfectly secure, in which case you need to use that security for your whole app! Or it's not, and it's vulnerable too. And terribly dangerous, because when broken it may allow complete compromise of the entire device.


I agree with you that this creates a new attack vector. I understand Microsoft is doing some research in the area of IoT device security. This paper describes an interesting approach [1]. It seems there is an eye towards compromised devices (from the fourth page):

"Highly secure devices have renewable security. A device with renewable security can update to a more secure state automatically even after the device has been compromised. Security threats evolve and attackers discover new attack vectors. To counter emerging threats, device security must be renewed regularly. In extreme cases, when compartments and layers of a device are compromised by zero-day exploits, lower layers must rebuild and renew the security of higher levels of the system. Remote attestation and rollback protections guarantee that once renewed, a device cannot be reverted to a known vulnerable state. A device without renewable security is a crisis waiting to happen."

1: https://www.microsoft.com/en-us/research/wp-content/uploads/...

n.b.: MSFT employee, not associated with above work

e: hmm, I realized that the IoT linux offering is actually paired with the MediaTek chip announcement. I guess this is the product incarnation of the technology from the paper?


I do frontend so I don't have intimate knowledge of our device onboard security, but I do know at the very least any update must have the correct key, access to which is remarkably controlled.

The "ensure device updates are not malicious" question gets asked at least once a month here. It only gets stronger.

You are asking exactly the right questions, though. These are the sort of holes we find in customer home rolled solutions. Another one is factory enrollment vulnerabilities - how do you guarantee that factories don't walk out with your code, stick some malicious stuff on it, then install it on the device before shipping it?
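The two properties the thread keeps circling back to, updates that only install when signed with the vendor's key and the "rollback protections" from the quoted paper that stop a compromised device from being pushed back to a known-vulnerable image, fit in a small verifier. The following Go program is an added illustration, not code from the paper, from Microsoft, or from either commenter: the manifest layout (8-byte version plus SHA-256 of the image), the use of Ed25519, the sentinel error names and the in-memory `MinVersion` counter are all assumptions made for the example (a real device would keep that counter in tamper-resistant storage, which is what makes the check hold after a compromise).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed metadata shipped alongside a firmware image
// (layout constructed for this example: 8-byte big-endian version, then
// the SHA-256 of the image). The version is what makes rollback detectable.
type Manifest struct {
	Version   uint64
	ImageHash [32]byte
}

// Bytes serialises the manifest deterministically so signer and verifier
// sign and verify exactly the same bytes.
func (m Manifest) Bytes() []byte {
	buf := make([]byte, 8+sha256.Size)
	binary.BigEndian.PutUint64(buf[:8], m.Version)
	copy(buf[8:], m.ImageHash[:])
	return buf
}

// Device models the state a device needs in order to judge an update:
// the vendor public key provisioned at manufacture and a monotonic
// counter holding the highest version ever installed (assumed persistent).
type Device struct {
	VendorKey  ed25519.PublicKey
	MinVersion uint64
}

var (
	ErrBadSignature  = errors.New("manifest signature invalid")
	ErrRollback      = errors.New("update is not newer than the installed version")
	ErrImageMismatch = errors.New("image hash does not match signed manifest")
)

// ApplyUpdate accepts or rejects an update. Signature first, so nothing
// unauthenticated steers the rest of the logic; then the anti-rollback
// check; then image integrity. Only on success does the counter advance.
func (d *Device) ApplyUpdate(m Manifest, sig, image []byte) error {
	if !ed25519.Verify(d.VendorKey, m.Bytes(), sig) {
		return ErrBadSignature
	}
	if m.Version <= d.MinVersion {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrImageMismatch
	}
	d.MinVersion = m.Version // commit: this and older versions can no longer be reinstalled
	return nil
}

// SignUpdate is the vendor-side build step: hash the image, bind the hash
// to a version number and sign the pair with the vendor's private key.
func SignUpdate(priv ed25519.PrivateKey, version uint64, image []byte) (Manifest, []byte) {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	return m, ed25519.Sign(priv, m.Bytes())
}

// RunScenario exercises the verifier against constructed inputs and
// returns the four outcomes in order: genuine upgrade, validly signed
// downgrade, tampered image, and an update signed with the wrong key.
func RunScenario() []error {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // key the device was never provisioned with
	dev := &Device{VendorKey: vendorPub, MinVersion: 1} // factory image is v1

	v2 := []byte("firmware v2 (constructed sample)")
	m2, s2 := SignUpdate(vendorPriv, 2, v2)
	upgrade := dev.ApplyUpdate(m2, s2, v2)

	v1 := []byte("firmware v1 (constructed sample, known vulnerable)")
	m1, s1 := SignUpdate(vendorPriv, 1, v1)
	downgrade := dev.ApplyUpdate(m1, s1, v1) // correctly signed, but older than what is installed

	v3 := []byte("firmware v3 (constructed sample)")
	m3, s3 := SignUpdate(vendorPriv, 3, v3)
	tampered := dev.ApplyUpdate(m3, s3, append([]byte("X"), v3...))

	m3f, s3f := SignUpdate(otherPriv, 3, v3)
	forged := dev.ApplyUpdate(m3f, s3f, v3)

	return []error{upgrade, downgrade, tampered, forged}
}

func main() {
	for i, err := range RunScenario() {
		fmt.Printf("step %d: %v\n", i+1, err)
	}
}
```

The downgrade case is the one the quoted paper is about: the v1 image is genuine and correctly signed, so a signature check alone would accept it, and only the version counter refuses it. Note the ordering in ApplyUpdate: the counter is compared only after the signature verifies, so an unsigned manifest cannot influence which branch runs, and it advances only after every check has passed.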



