A Secure IoT Firmware Update Framework Based on MQTT Protocol

Recently massive Internet of Things have been deployed around the world. With data collected from sensors and functionalities provided by microcontroller based devices, new applications have emerged through big data analytics and autonomous real-time system responses. To support quality of service for deployed IoT devices, firmware update is a necessary task for IoT vendors. However, malicious attackers have been penetrated traditional firm-ware update processes and mechanisms to compromise deployed IoT devices, and launch destructive attacks through these controlled devices. In this paper, a secure IoT firmware update framework based on MQTT protocol is proposed. We picture a general firmware update model with IoT devices, gateway devices, firmware distribution broker servers, and firmware deployment servers of IoT vendors. Based on this model, a secure firmware update mechanism is developed to help IoT devices authenticate the source of received firmware and verify the integrity of the received firmware. MQTT protocol is adopted in the proposed framework to efficiently distribute new versions of firmware for IoT vendors. Cryptologic primitives such as Elliptic Curve based Diffie-Hellman key exchange and key-hashed message authentication code are used to secure the proposed process and corresponding protocols. Security analysis is conducted to evaluate security strength of the proposed framework.