Secure Firmware Updates

Security evaluation and certification for your firmware updates

TÜViT’s new evaluation approach offers an isolated view on the firmware update mechanism, allowing to certify its security without looking at other functionality. The result is a Trusted Product certificate, with which manufacturers can objectively prove that their universally used firmware update loader meets the highest security requirements.

Yes we can
Firmware is an essential part of today’s embedded electronics. Its authenticity and integrity is a key factor to ensure product security and safety of embedded systems, e.g. smart x-IoT products getting connected to the internet. While firmware updates are intended to improve the product’s functionality in the field, they are also the ideal mechanism for attackers to hijack a product.

In 2015, security researchers remotely succeeded in gaining control of brakes, acceleration, door locking, air conditioning and windshield wipers via a weak point in the infotainment system of a car. Its informed driver gradually lost control of the vehicle. Although the vehicle’s genuine firmware would not have allowed such access, the attackers could easily upload their own firmware, giving them full access to the car.

For this reason, TÜV Informationstechnik GmbH (TÜViT) has developed a new approach that makes it possible to test and evaluate the isolated firmware updater, irrespective of the actual solution-specific firmware.

Our Service

The evaluation comprises four distinct phases, covering both a detailed review of design and source code as well as extensive validation testing.

* can be done by the developer or in a workshop together with TÜViT

  • Define boundaries between firmware updater and other parts
  • Optional: Determine additional security requirements (see next slides)
  • Review of the updater’s high-level design
  • Detailed review of firmware updater code
  • Derivation of test plan
  • Logical tests (e.g. fuzz tests)
  • Physical tests (depending on security level including side-channel analysis)
  • Documentation of results
  • If all requirements are met: issuance of certificate
Free download of the certification concept

Timeboxed Evaluation

To meet a reasonable time-to-market while maintaining a comparable and suitable rigor of testing, the evaluation is strictly timeboxed. Fixed timeboxes allows to give a precise information on project start on the evaluation and certification duration. They are a rough model to consider attacker’s potential (window of attack, expertise, equipment) by simply restricting an experienced evaluator with expertise knowledge and bespoke equipment primarily in the time domain. Key to success with a timeboxed evaluation is proper brainstorming before actual testing to identify the most promising attack paths.

Your advantage

Faster time-to-market
Only the firmware updater must be ready to start certification; no complete firmware needed.

The same, certified firmware updater can be used for a variety of products.

Support for agile development
Since only the updater is certified, all other code can be updated without losing certificate validity.

Cost reduction
Total evaluation and certification time is lower; hence also costs are significantly lower than for full evaluation of firmware.

Deep Dive to our Firmware Update Evaluation Concept

Every day, more and more IT products relevant for our everyday life get connected to the Internet, from smart smoke detectors to connected cars. As this trend will undoubtedly continue, the threat of cybersecurity attacks on these connected products will increase as well, hour by hour.

Various evaluation and certification schemes exist, each with the objective to increase the assurance that components and systems implement adequate protection against cybersecurity attacks. However, a certification can only address attacks known as of today, with limited outlook into the future. When studying today’s certification schemes a common ground to mitigate this restriction can be identified: the requirement on the product to provide means to fix a security vulnerability at any time, even after successful certification. While this may sound like a contradiction to security certification on first glance, it is rather a reflection of what consumers are well-used to already: frequent patches distributed to our Personal Computers on well-scheduled, regular patch days.

Another observation that can be made comparing nowadays’ certification schemes is that they address the security of product- or industry-specific functionalities of the component or system, and add the requirement for a (secure) patch mechanism.

However, reality is often different, especially when considering embedded devices such as Integrated Circuits (ICs) or System-on-Chips (SoCs). Here, in contrast to pure software development, processing time for wafer production and wafer testing become a decisive factor, and often build the bottleneck for time-to-market considerations. Therefore, it is beneficial to pull-in these time-consuming steps, and have a solution-agnostic, general purpose hardware, paired with a general purpose firmware loader, at hands even before solution-specific firmware development begins. At the same time decoupling these steps simplifies logistics at the manufacturers’ side, too.

To address this industry approach, the Firmware Update Evaluation Concept from TÜViT introduced here assesses solely the patch or firmware update mechanism independently of the functionalities the component or system will eventually be used for.

Our Focus: Secure Update mechanisms

Fit to your Needs

5 mandatory technical security requirements

Minimal Requirements

Optional Improvements

Need to know

In this section we specify attributes for a Firmware Updates mechanism, so called Technical Security Requirements. Some of these requirements are mandatory for any Secure Firmware Update mechanism, others may be added based on the envisioned use case of a product and are optional in the sense of this evaluation concept.

Free download of the certification concept

Optional technical security requirements for the actual use case

Additional (Optional) Requirements

Available Alternatives (Different) or Improvements (Better)

Your Options

Besides choosing optional components to their liking, for some Technical Security Requirements developers can further decide on its level. Levels represent a hierarchy, i.e. a higher level security requirement encompasses the lower level’s ingredients and adds additional checks to address a stronger attacker’s resources (e.g. a quantum computer). This level system allows to address various industry needs with one single evaluation concept, and to scale the efforts spent in implementing, evaluating and certifying the solution to the envisioned use-case.

As the chosen requirements are printed on the certificate, this flexible setup allows users to easily decide if a certified solution fits their needs.

Why we are a strong partner for you


With us you have one of the leading experts in the field of cyber security at your side, certified by the BSI as an IT security service provider for IS revision, IS consulting and penetration tests.

Industry experience

Due to many years of experience in different branches of industry we can serve companies from a wide range of industries.

Tailor-made for you

We focus on individual services - and solutions - that optimally fit your current company situation and your set goals.

International network of experts

Around the globe: We consult and support you both nationally and internationally. Our global network of experts is ready to help you in word and deed in all IT security issues.


Our employees are not subject to any conflicts of interest, as they are not committed to any product suppliers, system integrators, stakeholders, interest groups or government agencies.
You have questions? We are pleased to help!


Eric Behrendt

Global Corporate Development Manager Asia-Pacific

+49 30 2007700 66
Fax : +49 30 2007700-99