Skip to content
Inovasense
← Back to Glossary Technology

OTA Update

OTA Update (Over-the-Air) — Wireless firmware delivery enabling remote updates to embedded devices, now mandatory under the EU Cyber Resilience Act.

OTA Update (Over-the-Air)

An OTA (Over-the-Air) update is the process of wirelessly delivering new firmware, software, or configuration data to an embedded device deployed in the field. In the context of the EU Cyber Resilience Act, OTA update capability is no longer optional — it is a regulatory requirement for any connected product that must receive security patches throughout its lifecycle.

Key Facts

DetailInformation
Full termOver-the-Air Update
PurposeRemote firmware/software delivery without physical device access
CRA requirementMandatory secure update mechanism for all products with digital elements
Security standardIETF SUIT (Software Updates for IoT) — RFC 9019 manifest format
Typical protocolsHTTPS, CoAP, MQTT, LwM2M, custom TLS-based
Bandwidth range1 KB (delta patches) to 100+ MB (full firmware images)

Why OTA Is a CRA Requirement

The Cyber Resilience Act mandates that manufacturers provide security updates for the expected product lifetime (minimum 5 years). For devices deployed in the field — industrial sensors, building automation, smart meters, automotive ECUs — physical access for updates is impractical or impossible. OTA is the only viable delivery mechanism.

CRA Article 13 specifically requires:

  • Timely security patches — Vulnerabilities must be remediated without undue delay.
  • Automatic or easily applicable updates — Users should not need technical expertise to apply security fixes.
  • Notification of updates — Users must be informed when security updates are available.

Secure OTA Architecture

A CRA-compliant OTA update system requires multiple security layers:

┌─────────────────────────────────────────────────────┐
│  BUILD SERVER (Manufacturer infrastructure)          │
│  • Compile firmware                                  │
│  • Sign with HSM-stored private key                  │
│  • Generate SUIT manifest with metadata              │
│  • Compute delta patch (optional)                    │
│  • Upload to CDN / distribution server               │
└──────────────────┬──────────────────────────────────┘
                   │ Signed firmware image + SUIT manifest

┌─────────────────────────────────────────────────────┐
│  DEVICE (In the field)                               │
│  1. Download manifest + image over TLS 1.3           │
│  2. Verify manifest signature using HRoT public key  │
│  3. Check version (anti-rollback counter)            │
│  4. Write to inactive partition (A/B scheme)         │
│  5. Verify integrity (SHA-256 hash)                  │
│  6. Atomically switch boot partition                 │
│  7. Boot new firmware via Secure Boot chain          │
│  8. If boot fails → automatic rollback to partition A│
└─────────────────────────────────────────────────────┘

Critical Security Properties

PropertyPurposeCRA Relevance
Code signingEnsures firmware comes from the legitimate manufacturerMandatory — prevents malicious firmware injection
Anti-rollbackPrevents downgrade to vulnerable old firmwareMandatory — monotonic version counter in OTP fuses
A/B partitioningAtomic updates with fallback to known-good imageBest practice — prevents bricked devices
Hardware Root of TrustSigning key verification anchored in tamper-resistant hardwareMandatory — software-only key storage is insufficient
Encrypted transportTLS 1.3 for download channelMandatory — prevents man-in-the-middle attacks
Encrypted payloadFirmware image encrypted (optional)Recommended — protects IP, prevents reverse engineering
Delta updatesOnly changed bytes transmittedOptimization — reduces bandwidth for constrained devices

OTA Without Secure Hardware: The Risk

Many existing IoT devices implement OTA updates with software-only security:

AspectSoftware-Only OTAHardware-Secured OTA
Signing key storageFlash memory or file systemSecure Element / HSM / OTP fuses
Key extraction riskHigh — JTAG/SWD dump, firmware analysisPhysically unextractable
Rollback protectionSoftware flag (modifiable)Hardware monotonic counter (irreversible)
Boot verificationOptional, bypassableSecure Boot from HRoT
CRA compliant❌ No✅ Yes

The firmware trap: A device with software-only OTA can receive updates, but an attacker who extracts the signing key can push malicious firmware to every device in deployment. Hardware-secured OTA makes this physically impossible.

  • Secure Boot — The boot-time verification process that ensures only OTA-delivered, signed firmware executes.
  • Hardware Root of Trust — The tamper-resistant hardware that stores OTA signing key verification material.
  • CRA — The EU regulation mandating secure OTA capability for connected products.
  • SBOM — OTA update metadata should include SBOM diffs to track component changes.

Related Terms

SECURE-BOOT CRA SBOM HARDWARE-ROOT-OF-TRUST