Cybersecurity is a quickly evolving and critical aspect of any medical device software development effort. Much of the focus and discussion has been centered around devices with network connectivity or cloud-based services. However, a critical aspect that is not often discussed is securing low-level device firmware against security risks. Some of these risks include corrupted firmware or malicious actors attempting to modify the functionality of the device. These risks can be mitigated by implementing a Secure Bootloader and Secure Firmware Updates.
Implementing Secure Boot and Secure Firmware Updates in embedded devices ensures trusted code execution.
SECURE BOOT
Most microcontrollers have their own bootloader that may support updates through UART, SPI, or other communication methods. These bootloaders do not implement any security measures, and only execute firmware loaded in the base memory of flash. Because of this, engineers must implement their own secondary bootloader that is executed first and verifies the authenticity and integrity of the target image. When the firmware is built, private keys are used to sign the image. The cryptographically calculated hash can be compared during the boot process to ensure the firmware has been unmodified and originates from the manufacturer of the device. Once the authenticity and integrity of the image is verified, the device can boot into the target firmware application.
It is important to note that the keys stored within the bootloader must be stored in an inaccessible part of flash memory. Microcontrollers like the STM32 allow manufacturers to disable access to common debug ports by enabling read and write protections with a one-time programmable fuse. Full JTAG access should be disabled to disallow malicious actors from reading out the firmware and gaining access to keys or other proprietary information.
Arm TrustZone can also be utilized on compatible processors to implement secure boot, isolation of non-secure processing environments from secure processing environments, and other crypto services.
SECURE FIRMWARE UPDATES
Firmware updates can be implemented in many ways, but it is becoming increasingly common for IoT devices to implement Over-The-Air updates via wireless communication. OTA can expose methods for malicious actors to apply untrusted firmware to the device. Implementing Secure Firmware Updates is imperative to give manufacturers confidence that only verified and validated firmware is executing on their devices. Firmware update images can be encrypted using the shared keys with the bootloader and can be decrypted and validated during the boot process. If firmware integrity or authenticity checks fail, the image can be discarded, and the device can continue executing the firmware previously stored on the device.
This implementation requires developers to lay out their flash memory to allow multiple slots of firmware images. At the cost of flash memory, this ensures a fail-safe firmware update mechanism so that devices cannot be “bricked” in the field in the case of a failed update. When choosing a microcontroller, it is important to consider flash memory size and accommodate for a secure bootloader and multiple firmware images.
CONCLUSION
Deliver high quality and secure products by implementing a secure bootloader with secure firmware update functionality to ensure trusted code is executing on your embedded devices.
- Secure Bootloader – Verifies authenticity and integrity of the firmware
- Secure Firmware Update – Fail-safe firmware updates in the field
- JTAG Protections – Disable debug port access to the device
- Memory Protections – Disable flash memory read and write functionality
Tensentric is a team of highly experienced engineers developing a wide range of medical devices and in vitro diagnostic systems. Tensentric has completed over 300 development projects for clients in the medical device and IVD space since the company’s inception in 2009 and is ISO 13485:2016 certified for design and manufacturing. With capabilities for BSL-2 lab use, manufacturing process development, rapid prototyping, human factors validation and consulting, and in-house design for injection molding expertise, Tensentric is uniquely suited to a wide variety of medical device design, development, and manufacturing application.