TrustMANAGER FOTA
Discover how Microchip’s TrustMANAGER delivers secure, scalable firmware-over-the-air (FOTA) updates—protecting your devices from cyber threats and meeting regulations.

Securing IoT With Over-the-Air Updates: How TrustMANAGER Enables Secure FOTA Deployments
In today’s fast-paced IoT landscape, maintaining device security and functionality throughout the device lifecycle, and at scale, is crucial. With billions of connected devices operating across industries, ensuring that firmware updates remain secure and efficient is a top priority. Firmware Over-the-Air (FOTA) updates provide a seamless way to enhance security, fix vulnerabilities by delivering patches remotely and introduce new features, all without requiring physical access to the devices. Securing those updates, however, is a significant challenge: an update channel that accepts unauthenticated firmware is itself an attack surface. Microchip’s TrustMANAGER solution addresses this challenge by enabling secure FOTA deployments, allowing IoT devices to receive authenticated, tamper-resistant firmware updates throughout their lifespan.
FOTA Is Now a Regulation in Europe
The Cyber Resilience Act (CRA) in Europe requires manufacturers to provide a mechanism for delivering remote patches that fix identified vulnerabilities (read our white paper on CRA), at no cost to the end user. The legislation will be enforced in Europe from December 2027. Many other countries are following the EU’s lead, adopting similar security practices in the form of frameworks or standards.
The Challenges of Secure Firmware Updates
IoT manufacturers face several challenges when deploying firmware updates. Ensuring that only authenticated firmware is installed on devices is critical to preventing malicious attacks: unauthorized firmware can introduce vulnerabilities, compromise sensitive data or even render devices inoperable. And because human error is inevitable and vulnerabilities in firmware are unavoidable, a trusted infrastructure for updates is always a best practice.
Traditional update methods often rely on credentials pre-loaded into the firmware image itself, or on unsecured delivery channels, both of which increase the risk of firmware tampering. Manufacturers need a scalable and secure infrastructure to authenticate and schedule firmware updates, control and monitor the versions in the field, protect the cryptographic keys involved and mitigate the associated cyber risks.
What Is Secure FOTA?
Secure FOTA combines cryptographic authentication, code signing, firmware delivery over encrypted channels and verified installation on the target system so that only authorized updates are installed on IoT devices. This requires robust key management and protection, firmware validation before installation and secure storage of cryptographic material to prevent unauthorized modification or access.
By implementing secure FOTA mechanisms, manufacturers can remotely update devices with confidence, addressing vulnerabilities in real time and maintaining compliance with industry security regulations.
Microchip’s Solution: TrustMANAGER for Secure FOTA
Microchip’s TrustMANAGER platform provides a comprehensive solution for secure FOTA, combining hardware-based security ICs to protect update credentials with a SaaS that remotely provisions keys and certificates, manages them and offers code signing and firmware over-the-air update services. TrustMANAGER allows manufacturers to implement a secure and scalable FOTA process by integrating cryptographic authentication and key management directly into the firmware update flow.
At the core of the embedded solution is the ECC608 TrustMANAGER secure authentication IC, which provides tamper-resistant protection for cryptographic credentials and establishes that only verified firmware is executed on IoT devices. The ECC608 TrustMANAGER works seamlessly with the keySTREAM cloud platform, which hosts cryptographic credentials and firmware packages. It not only facilitates firmware deployment but also provides a comprehensive overview of active devices in the field, including their status and firmware versions.
How It Works
To lay the groundwork for FOTA, users must first create the secure infrastructure for in-field provisioning of cryptographic keys and certificates within keySTREAM. To understand how keys and certificates are in-field provisioned within the ECC608-TMNGTLS device, read the blog post: Securing the Future of IoT: How In-Field Provisioning Protects Your Connected Devices.
Once you have created a device fleet and its associated PKI through the initial keySTREAM setup, you can create components and component versions, which are used to build a campaign that releases the update to the selected fleet of devices. A component is an individual part of the complete firmware: it could be a library, an RTOS, a wireless communication stack, application code and so on.

Users create a private/public key pair in keySTREAM. The public key is in-field provisioned into slot 14 of the ECC608-TMNGTLS. The private key is stored in the keySTREAM HSM and never leaves it, so the signing key cannot be lost or exposed.
Once a firmware package is developed, it is uploaded to keySTREAM, where it is signed with that private key. When the update is initiated and the target device connects, keySTREAM sends a download URL, together with the information needed to retrieve the package, to the keySTREAM Trusted Agent (KTA) library hosted on the device microcontroller, which then downloads the firmware package from that location.

Once the package is downloaded, the signature generated during code signing is verified against the corresponding public key held in the ECC608. If verification succeeds, the firmware package is handed to the bootloader for installation. If it fails, the transaction is terminated, the package is not installed, and a notification is reported in keySTREAM indicating that the FOTA update failed.
Once the update is complete, the KTA reports the device state and firmware/component version to keySTREAM for continuous device and fleet management.
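The signing and verification flow described above, as an added example in Go that is not part of this page or of Microchip’s keySTREAM/KTA software. The keySTREAM side signs a small manifest (component name, version and the SHA-256 of the image) with a P-256 ECDSA key, and the device side verifies it with the matching public key before handing the image to the bootloader. The package layout, the function names, the constructed 4 KB image and the anti-rollback version check are assumptions made for this example; on a real device the public key would sit in the ECC608 and the verification would run in the secure element, which is simulated here with the Go standard library.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Package is what the device downloads from the URL handed to the KTA: the
// component image plus a manifest that was signed server-side.
// This layout is an assumption for the example, not the keySTREAM format.
type Package struct {
	Component string
	Version   uint32
	Image     []byte
	ImageHash [32]byte // SHA-256 of Image, covered by the signature
	Signature []byte   // ECDSA P-256 over SHA-256(tbs), ASN.1 DER encoded
}

// tbs builds the to-be-signed bytes: length-prefixed component name, version
// and image hash, so fields cannot be shifted into one another.
func tbs(component string, version uint32, imageHash [32]byte) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, uint32(len(component)))
	b.WriteString(component)
	binary.Write(&b, binary.BigEndian, version)
	b.Write(imageHash[:])
	return b.Bytes()
}

// SignPackage stands in for the keySTREAM side: the private key stays in the
// HSM, only the signature is attached to the package.
func SignPackage(priv *ecdsa.PrivateKey, component string, version uint32, image []byte) (*Package, error) {
	h := sha256.Sum256(image)
	digest := sha256.Sum256(tbs(component, version, h))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Package{Component: component, Version: version, Image: image, ImageHash: h, Signature: sig}, nil
}

// VerifyPackage stands in for the device side. pub plays the role of the public
// key provisioned into the secure element; installedVersion is what the device
// currently runs. nil means the package may be handed to the bootloader.
func VerifyPackage(pub *ecdsa.PublicKey, pkg *Package, installedVersion uint32) error {
	// 1. Signature over the manifest, checked with the provisioned public key.
	digest := sha256.Sum256(tbs(pkg.Component, pkg.Version, pkg.ImageHash))
	if !ecdsa.VerifyASN1(pub, digest[:], pkg.Signature) {
		return errors.New("signature verification failed: not signed by the fleet signing key")
	}
	// 2. The downloaded image must match the hash that was signed.
	if sha256.Sum256(pkg.Image) != pkg.ImageHash {
		return errors.New("image hash mismatch: image altered after signing")
	}
	// 3. Anti-rollback check (an addition beyond the page's description):
	//    refuse anything that is not newer than what is installed.
	if pkg.Version <= installedVersion {
		return fmt.Errorf("rollback refused: package version %d <= installed %d", pkg.Version, installedVersion)
	}
	return nil
}

// Scenarios runs the happy path and three failure paths with freshly generated
// keys and a constructed image, returning the verification result of each.
func Scenarios() (good, tampered, wrongKey, rollback error) {
	fleetKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	image := bytes.Repeat([]byte{0xA5}, 4096) // constructed stand-in for a component image

	pkg, err := SignPackage(fleetKey, "wifi-stack", 3, image)
	if err != nil {
		return err, err, err, err
	}
	good = VerifyPackage(&fleetKey.PublicKey, pkg, 2)

	bad := *pkg
	bad.Image = append([]byte{}, image...)
	bad.Image[100] ^= 0xFF // one flipped byte in the download
	tampered = VerifyPackage(&fleetKey.PublicKey, &bad, 2)

	wrongKey = VerifyPackage(&otherKey.PublicKey, pkg, 2) // signed by a key the device does not trust
	rollback = VerifyPackage(&fleetKey.PublicKey, pkg, 3) // device already runs version 3
	return
}

func main() {
	good, tampered, wrongKey, rollback := Scenarios()
	fmt.Println("genuine package:", good)
	fmt.Println("tampered image: ", tampered)
	fmt.Println("wrong key:      ", wrongKey)
	fmt.Println("rollback:       ", rollback)
}
```

Note the order of checks: the signature is verified before anything in the manifest is trusted, and a single flipped byte in the download, a package signed with a different key or a version no newer than the installed one all return an error instead of a bootloader hand-off. That error is the point at which the KTA would terminate the transaction and report the failed update to keySTREAM, as described above.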
The Benefits of TrustMANAGER for Secure FOTA
Our TrustMANAGER offers several advantages for manufacturers looking to implement secure FOTA:
- Regulatory Compliance: Secure FOTA helps manufacturers meet security standards such as the Cyber Resilience Act (CRA) and other IoT security standards which require patch updates in response to vulnerabilities.
- Turnkey Infrastructure: TrustMANAGER, powered by the keySTREAM SaaS, is a ready-to-use infrastructure built on properly networked HSMs that integrates security practices directly into the FOTA process.
- Reliable Security: The ECC608 TrustMANAGER secure element provides hardware-based protection for cryptographic credentials, confirming that only authenticated firmware is installed. keySTREAM manages the HSM to protect all the necessary keys in the cloud.
- Scalability: TrustMANAGER enables seamless FOTA deployments across large device fleets without manual intervention. At any point in the update journey, keySTREAM keeps each device synchronized to the intended version and schedules the device updates accordingly.
- Reduced Operational Costs: By enabling remote updates, TrustMANAGER eliminates the need for costly device recalls and on-site maintenance.
- Tamper Resistance: Hardware-based security mechanisms protect against physical and cyber threats, providing long-term device integrity.
Why Secure FOTA Is Essential for IoT Security
The European Union now requires that patch updates be offered for free in the event of vulnerabilities, and as cyber threats continue to evolve, IoT manufacturers must prioritize security throughout the entire device lifecycle. Secure FOTA provides a proactive approach to device protection, allowing manufacturers to address vulnerabilities promptly and maintain compliance with industry regulations.
With TrustMANAGER, manufacturers gain a reliable and scalable solution for secure firmware updates, enabling their IoT devices to remain protected against emerging threats while continuing to deliver high performance and reliability.
Conclusion
Firmware updates are essential to IoT security, but they must be delivered and authenticated securely to prevent unauthorized access and cyber threats, and to comply with CRA legislation. Microchip’s TrustMANAGER offers a robust, hardware-based solution for secure FOTA, allowing devices to remain protected and updated throughout their operational lifespan.
By integrating TrustMANAGER into their IoT security strategies, manufacturers can enhance device security, reduce operational risks and maintain compliance with evolving regulations. To learn more about how TrustMANAGER can help secure your FOTA deployments, contact us today or explore our security solutions.