Firmware Security: Testing & Certification of your Firmware Update Loader

The security of your firmware updater independently confirmed

Firmware updates are intended to improve a product's functionality and security. However, the opposite happens when an insecure firmware updater opens the door to a successful attack by cybercriminals.

By testing and certifying your firmware update loader, you as a manufacturer can objectively prove that your universally used firmware update mechanism meets the highest security requirements. Our approach makes it possible to test and evaluate only the isolated firmware updater - independent of the actual solution-specific firmware.

The result: A Trusted Product certificate that serves as proof of trust and security to business partners and customers.


  

Our services for your firmware updater

The evaluation comprises four distinct phases, covering both a detailed review of design and source code as well as extensive validation testing.

Services for the security of firmware updater: Scoping

  

  • Define boundaries between firmware updater and other parts
  • Optional: Determine additional security requirements

Services for the security of firmware updater: Design & Code Review

  

  • Review of the updater’s high-level design
  • Detailed review of firmware updater code
  • Derivation of test plan
Services for the security of firmware updater: validation testing

  

  • Logical tests (e.g. fuzz tests)
  • Physical tests (depending on security level including side-channel analysis)
Services for the security of firmware updater: documentation of test results

  

  • Documentation of results
  • If all requirements are met: issuance of certificate

Download our certification concept

Would you like to learn more about the requirements to be met and the certification process of a firmware update loader? Then download our certification concept free of charge.

Firmware security: our firmware update certification concept

  

Timeboxed evaluation

To meet a reasonable time-to-market while maintaining a comparable and suitable rigor of testing, the evaluation is strictly timeboxed. Fixed timeboxes make it possible to state the duration of the evaluation and certification precisely at project start. In a specified time window, an experienced auditor then determines the attacker potential (attack window, expertise, equipment) in relation to your firmware updater.

Firmware update certification concept: Timeboxed evaluation

The minimal requirements for secure firmware update mechanisms at a glance

  

Minimal Requirements
 

Secure Firmware Updates: Minimal Requirements

Optional Improvements
 

Secure Firmware Updates: Optional Improvements

Need to know
 

The so-called Technical Security Requirements include attributes that have been defined specifically for a firmware update mechanism.

Some of these requirements are mandatory for any Secure Firmware Update mechanism, others may be added based on the envisioned use case of a product and are optional in the sense of this evaluation concept.
  

Further certifiable security requirements for the actual use case (optional)

Additional (Optional) Requirements
 

Secure Firmware Updates: Additional (Optional) Requirements

Available Alternatives (Different) or Improvements (Better)
 

Secure Firmware Updates: Available Alternatives (Different) or Improvements (Better)

Your Options
 

Our level system makes it possible to address various industry needs with one single evaluation concept, and to scale the effort spent on implementing, evaluating and certifying the solution to the envisioned use case.

Besides choosing optional components to their liking, developers can also decide on the level of some Technical Security Requirements. Levels represent a hierarchy, i.e. a higher-level security requirement encompasses the lower level’s ingredients and adds additional checks to address a stronger attacker’s resources (e.g. a quantum computer).

As the chosen requirements are printed on the certificate, this flexible setup allows users to easily decide if a certified solution fits their needs.

  

Your benefits

  • Faster time-to-market: Only the firmware updater must be ready to start certification; no complete firmware needed.
  • Support for agile development: Since only the updater is certified, all other code can be updated without losing certificate validity.
  • Reusability: The same, certified firmware updater can be used for a variety of products.
  • Cost reduction: Total evaluation and certification time is lower; hence also costs are significantly lower than for full evaluation of firmware.

 

  

Why test & certify your firmware updater?

Every day, more and more IT products that are relevant to our daily lives are connected to the Internet. As networking advances, the threat potential from cyber attacks increases as well.

In particular, an insecure firmware update mechanism serves as the main attack path for cyber criminals to take control of a device. This makes the security of firmware updates - especially in the Industrial Internet of Things (IIoT) - the most important requirement for the security of embedded systems.

With the help of our new evaluation and certification approach, chip manufacturers can now objectively prove that they have implemented a secure firmware update mechanism that meets the highest security requirements. The Trusted Product certificate thus serves as proof of trust for business partners as well as customers and leads to a clear competitive advantage, as certified manufacturers distinguish themselves positively from their competitors.

Our Focus: Secure Update mechanisms

Firmware Security: Secure Update mechanisms

Frequently asked questions: 
  

What are the differences between the TÜVIT approach and existing certification schemes?

Various evaluation and certification schemes exist, each with the objective of increasing the assurance that components and systems implement adequate protection against cybersecurity attacks. However, a certification can only address attacks known as of today, with limited outlook into the future. When studying today’s certification schemes, a common approach to mitigating this restriction can be identified: the requirement on the product to provide means to fix a security vulnerability at any time, even after successful certification. While this may sound like a contradiction to security certification at first glance, it is rather a reflection of what consumers are already well used to: frequent patches distributed to our Personal Computers on well-scheduled, regular patch days.

Another observation that can be made when comparing today’s certification schemes is that they address the security of product- or industry-specific functionalities of the component or system, and add the requirement for a (secure) patch mechanism.

However, reality is often different, especially when considering embedded devices such as Integrated Circuits (ICs) or System-on-Chips (SoCs). Here, in contrast to pure software development, processing time for wafer production and wafer testing becomes a decisive factor, and often forms the bottleneck for time-to-market considerations. Therefore, it is beneficial to pull in these time-consuming steps, and to have solution-agnostic, general-purpose hardware, paired with a general-purpose firmware loader, at hand even before solution-specific firmware development begins. At the same time, decoupling these steps simplifies logistics on the manufacturers’ side, too.

To address this industry approach, the Firmware Update Evaluation Concept from TÜVIT introduced here assesses solely the patch or firmware update mechanism independently of the functionalities the component or system will eventually be used for.

What are the benefits of Trusted Product certification by TÜVIT?

Certification by TÜVIT provides proof of trust and security to business partners and customers, even though – or especially when – the ultimate use case has not yet been determined.

Can you already benefit from TÜVIT's know-how during the development phase?

Absolutely! After a design and code review, the concept provides for penetration tests. If the TÜVIT experts discover weak points already in this phase, these are reported to the manufacturer. In this way, both the product and the chances of successful certification can be improved.

What is the validity period of the firmware updater certification?

The certificate is valid for two years.

Is the certification also suitable for low-cost products?

Yes, in particular there is the possibility to adjust the evaluation depth, and thus the time and cost of the audit, to the expected attack potential. Further details on this can be found in the certification concept.

Does a certification of the FW loader support a desired certification of the overall solution?

Basically yes. A secure firmware loader is the basis of every secure IT product. Certification methodologies such as Common Criteria or IEC 62443 therefore justifiably demand a security check of these functionalities. Therefore, when developing the set of criteria, we paid special attention to the possibility of reuse for a wide variety of use cases.

Why we are a strong partner for you

Expertise

With us you have one of the leading experts in the field of cyber security at your side, certified by the BSI as an IT security service provider for IS revision, IS consulting and penetration tests.

Industry experience

Due to many years of experience in different branches of industry we can serve companies from a wide range of industries.

Tailor-made for you

We focus on individual services - and solutions - that optimally fit your current company situation and your set goals.

International network of experts

Around the globe: We support you both nationally and internationally. Our global network of experts is ready to help you in word and deed with all IT security issues.

Independence

Our employees are not subject to any conflicts of interest, as they are not committed to any product suppliers, system integrators, stakeholders, interest groups or government agencies.

Do you have questions? We are pleased to help!

  

Eric Behrendt, Business Development Manager

Tel.: +49 30 2007700 66
Fax: +49 30 2007700-99
e.behrendt@tuvit.de
