OTA: prevent stealing the firmware

osiris81
Posts: 6
Joined: Fri Sep 11, 2020 12:57 pm

OTA: prevent stealing the firmware

Postby osiris81 » Wed Dec 16, 2020 10:28 am

Hi,

I've just tested the OTA example via https and it works flawless. The problem is, that anybody can simply download the firmware file (bin file) from the server and flash it to another device, how do I prevent this from happening? What is the recommended way to do this?

Thanks

osiris81
Posts: 6
Joined: Fri Sep 11, 2020 12:57 pm

Re: OTA: prevent stealing the firmware

Postby osiris81 » Wed Dec 16, 2020 2:04 pm

I've just realized that I simply can turn on basic http authentication on the server side and set the authentication in the esp_http_client_config_t:

Code: Select all

esp_http_client_config_t config = {
        .url = "someurl",
        .cert_pem = (char *)server_cert_pem_start,
        .timeout_ms = 5000,
        .username = "myuser",
        .password = "mypassword",
        .auth_type = HTTP_AUTH_TYPE_BASIC
    };

dastoned
Posts: 50
Joined: Fri May 29, 2020 2:52 pm

Re: OTA: prevent stealing the firmware

Postby dastoned » Wed Dec 16, 2020 4:30 pm

If you wish to prevent the firmware file from being downloaded from your HTTPS server, then you could add client authentication to your devices. This means that only an HTTP client with correct authentication is granted access to the file.

I know of two authentication mechanisms that the ESP IDF HTTP client supports. Firstly the good old HTTP authentication in basic or digest variant (just make sure you use HTTPS, not HTTP for basic auth):
https://docs.espressif.com/projects/esp ... entication

The advantage is that it's quite simple to do on both device and server side. The password could be shared between all your devices, or you could issue and send temporary passwords in whatever OTA command you send to the device. I just love that the HTTP client accepts a URL with a user name and password embedded into it (i.e. https://user:pass@server.com) - this really simplifies the job of issuing OTA commands with single-use logins.

Secondly you can do it with HTTPS certificates, i.e. mutual TLS. I don't know of a simple getting started guide existing, but the HTTP client does support it.
https://docs.espressif.com/projects/esp ... t_config_t

The advantage is that you can use the full power of the x509 certificate chain to verify the client as well as the server using trusted CA-s. But the custom PKI is a bit of work, though.

Who is online

Users browsing this forum: axellin and 105 guests