Empowering IoT Firmware Secure Update with Customization Rights
Weihao Chen, Yansong Gao, Boyu Kuang, Jin B. Hong, Yuqing Zhang, Anmin Fu

TL;DR
This paper identifies vulnerabilities in IoT firmware update processes caused by customization and introduces IMUP, a novel framework that enhances security and efficiency in module-level updates for IoT devices.
Contribution
The paper presents IMUP, the first framework to secure and optimize module-level firmware updates in IoT devices amid increasing customization demands.
Findings
Uncovered 5 new vulnerabilities in IoT firmware updates due to customization.
Over 50% of update-related CVEs from 2020-2024 are caused by customization issues.
IMUP reduces server generation time by 2.9x and device downtime by 5.9x.
Abstract
Firmware updates remain the primary line of defense for IoT devices; however, the update channel itself has become a well-established attack vector. Existing defenses mainly focus on securing monolithic firmware images, leaving module-level customization (a growing user demand) largely unprotected and insufficiently explored. To address this gap, we conduct a pilot study on the update workflows of 200 Linux-based IoT devices across 23 vendors, uncovering five previously undocumented vulnerabilities caused by customization practices. A broader analysis of update-related CVEs from 2020 to 2024 reveals that over half originate from customization-induced issues. These findings highlight a critical yet underexamined reality: as customization increases, so does the attack surface, while current defenses fail to keep pace. We propose IMUP (Integrity-Centric Modular Update Platform), the first…
Taxonomy
Topics: Advanced Malware Detection Techniques · Security and Verification in Computing · Digital and Cyber Forensics
