Enhancing IoT Security Through Manifest-Based Firmware Updates

This document discusses a secure firmware update approach for low-end IoT devices using a manifest-based system that incorporates digital signatures and encryption to ensure integrity and authenticity. It highlights the challenges of securing firmware updates in resource-constrained environments and proposes a methodology that includes a dual-slot firmware update mechanism to prevent device failures. The study aims to enhance IoT security by addressing vulnerabilities and optimizing performance through lightweight cryptographic techniques.
Enhancing IoT Security Through Manifest-Based Firmware Updates

Madhavan M, Paramaguru V, Mrs. K. Abirami
Electronics and Communication Engineering, Easwari Engineering College, Chennai, Tamil Nadu 600089, India

Abstract—The growing number of Internet of Things (IoT) devices on the market has increased the focus on reliable and secure systems that manage firmware updates. Low-end IoT devices are particularly challenging to secure during upgrades because of their limited processing power and memory resources. A secure firmware update approach based on manifests for low-end IoT devices is described in this work. Digital signatures and encryption are used in the system to ensure the integrity of firmware upgrades, which have been integrated with the MicroECC library to make better use of the available resources. Manifest manipulation and integrity verification, firmware image validation, signature authentication, and firmware update server connection via WiFi are all included. The system demonstrated low response time, low energy consumption, and resistance to specific cyberattacks, such as replay and tampering, using an ESP8266 WiFi-equipped module. This study contributes to the advancement of secure IoT system development by offering fresh perspectives on the effective deployment of secure firmware update procedures for low-resource IoT devices.

Keywords—IoT Security, Firmware Update, Low-end IoT Devices, Manifest-Based Security, Digital Signatures, Encryption, MicroECC, Resource-Limited Devices

I. INTRODUCTION

The Internet of Things (IoT) has revolutionized the world of technology by making it possible for billions of devices to be interconnected worldwide [1]. The importance of firmware in updating devices is emphasized as it is essential in maintaining operations and addressing vulnerabilities with new features [3]. Nonetheless, the challenge remains in securing firmware updates for IoT devices, especially those with restrictions on memory, energy, and processing abilities [4].

Most IoT devices have limited computing abilities and operational capabilities and thus rely on traditional mechanisms for firmware updates. However, such processes often involve complex cryptographic mechanisms, making security a challenge [7]. Additionally, many devices face update procedures performed insecurely, making them susceptible to replay attacks, unauthorized alterations, and malware injection that can compromise entire IoT setups [6].

To address these challenges, this paper proposes a feasible method for performing secure firmware updates, leveraging digital signatures for authenticity and encryption for confidentiality. A manifest-based system is implemented to ensure structured updates [3], and MicroECC is integrated to enable lightweight cryptographic operations [12].

II. LITERATURE SURVEY

IoT device firmware upgrades are essential for preserving security, improving functionality, and fixing flaws. Device heterogeneity, power limitations, and security risks are some of the difficulties in guaranteeing safe and effective firmware updates. Numerous solutions have been investigated by researchers, such as cryptographic methods, blockchain-based update systems, and Trusted Execution Environments (TEEs). This section highlights several techniques and approaches for safe firmware updates while reviewing important contributions made to the field.

A thorough analysis of the security issues surrounding firmware updates in embedded and Internet of Things devices can be found in Reference [2]. The requirement for scalable update systems, the variety of hardware platforms, and the scarcity of computational power are the main challenges. The security of the update process is improved by a number of methods, including TEEs, Remote Attestation, and Lightweight Cryptography. Blockchain technology is also investigated as a possible remedy for distributed firmware that is decentralized and impenetrable. The study emphasizes how crucial it is to have strong security features that are lightweight and adaptable to different IoT scenarios without noticeably affecting performance. This study offers a thorough grasp of contemporary security issues and possible fixes, providing a solid basis for creating safe firmware update procedures.

RFC 9019, a standardized architecture that outlines a methodical and safe procedure for firmware updates in IoT devices, is introduced in [3]. In order to keep upgrades safe and impenetrable, the article describes fundamental ideas including firmware image secrecy, integrity protection, and authentication. In order to secure upgrades and guarantee that only authentic software is installed on IoT devices, the study highlights the usage of both symmetric and asymmetric cryptography. This work's manifest-based update mechanism, which standardizes the format for firmware distribution and installation, is one of its noteworthy contributions. RFC 9019 offers a thorough guideline for safe firmware updates by outlining the roles of various stakeholders and the required cryptographic activities. Because it provides a standard for safe firmware update implementations, guaranteeing uniformity and interoperability across various IoT platforms, this work is very pertinent.
Firmware vulnerabilities and security auditing techniques are the main topics of [6], which highlights the expanding threat landscape in IoT situations. IoT security threats can be divided into eight categories, including system properties, network interfaces, and access restrictions. The paper states that hybrid vulnerability audits and reverse engineering are crucial techniques for locating firmware security vulnerabilities. Furthermore, the potential for blockchain and machine learning to enhance and automate firmware security assessments is examined. Two significant findings from this study include the need for proactive security measures and the growing complexity of IoT firmware attacks. The results indicate that in order to ensure that vulnerabilities are identified and addressed before distribution, firmware security auditing needs to be integrated into the update process. Their research serves as a practical demonstration of how security and efficiency can be balanced, making a significant contribution to real-world IoT firmware update implementations.

While existing research provides comprehensive insights into secure firmware update mechanisms, several challenges remain unaddressed. The present work builds upon these studies by integrating a manifest-based firmware update mechanism, ensuring end-to-end security while maintaining efficiency. By leveraging insights from prior research, this paper aims to contribute to the practical realization of secure firmware updates in mid-end and high-end IoT devices, addressing the challenges of integrity verification, security enforcement, and performance optimization.

III. METHODOLOGY

This section outlines the methodology adopted for implementing a secure firmware update mechanism on resource-constrained IoT devices using the ESP8266 microcontroller [5]. The proposed approach ensures authenticity, integrity, and reliable firmware deployment while addressing the challenges posed by limited computational and storage capabilities.

A. System Architecture
The architecture is divided into two segments:
● Firmware Sender Side
● IoT Device Side

Fig. 1. Flow chart explaining sender side process

A.1 Firmware Sender Side
The Firmware Sender Side is responsible for preparing the firmware update package, generating a manifest file, and signing it before transmission to the IoT device. The key steps involved are as follows:

A.1.1 Firmware Generation
The sender begins by preparing a new version of the firmware file, incorporating new features, improvements, or security patches.

A.1.2 Manifest File Creation
A manifest file is created to accompany the firmware. It contains metadata that helps the IoT device validate and manage the update. Importantly, the manifest includes a digital signature that ensures authenticity and integrity, enabling the IoT device to verify the update's validity upon receipt [3].

A.1.3 Hashing Process
Both the manifest and firmware files undergo a secure hashing process, such as SHA-256, generating unique hash values that act as digital fingerprints.

A.1.4 Digital Signature Generation
The hash of the manifest file is encrypted using the sender's private key, creating a digital signature. This cryptographic proof ensures that the manifest and firmware are sent by a trusted source and have not been tampered with during transmission. The digital signature is embedded in the manifest file for validation on the IoT device [12].

A.2 IoT Device Side
The IoT device side is tasked with receiving, verifying, and installing the firmware update. The key steps involved are as follows:

A.2.1 Receiving Components
The IoT device receives the manifest file and firmware package from the Firmware Sender. The manifest file contains metadata such as the firmware version, sequence number, hash values, and digital signature.

A.2.2 Version and Sequence Number Validation
The firmware version and sequence number in the manifest are validated to ensure the update is recent and consistent with the device's current firmware.
A.2.3 Hash Calculation
The IoT device computes a hash of the received firmware file using the same algorithm (e.g., SHA-256) used by the sender. This generates a hash value that represents the firmware's current state [8].

A.2.4 Digital Signature Verification
The device decrypts the manifest's digital signature using the sender's public key, verifying the sender's authenticity and ensuring the manifest has not been altered during transmission [10].

A.2.5 Hash Comparison
The IoT device compares the calculated firmware hash with the hash value stored in the manifest:
● Matching Hashes: Confirms the firmware is untampered and safe for installation.
● Non-Matching Hashes: Indicates tampering or corruption, prompting the device to reject the update.

A.2.6 Firmware Installation
Upon successful validation of the firmware's integrity and authenticity, the IoT device writes the update to the inactive slot. The bootloader then updates the boot flag, ensuring that the system boots from the newly installed firmware on the next restart. If the validation fails, the system retains the previous firmware, preventing device failure.

A.2.7 Firmware Slot Management & Bootloader Switching
To ensure a fail-safe firmware update mechanism, we implemented a dual-slot firmware update approach, where the new firmware is written to an inactive slot before switching. This method prevents device bricking by allowing the bootloader to revert to the previous firmware in case of an update failure.

The ESP8266 microcontroller was chosen for this implementation due to its predefined partitioning scheme and built-in OTA update libraries, which simplify the process of managing multiple firmware slots. During an update, the device downloads the firmware, verifies its integrity, and writes it to the inactive partition. Once validated, the bootloader updates the boot flag, ensuring that the device executes the newly installed firmware upon reboot [7].

Fig. 2. Flow chart explaining IoT device side process

B. Manifest-Based Security
The firmware update process is governed by the use of a manifest file, which provides a secure and standardised mechanism for validating updates [3]. The manifest includes the following fields:
1. firmware version: Specifies the version number of the firmware update.
2. sequence number: Contains a timestamp or unique identifier to enforce sequential updates and prevent rollback attacks.
3. firmware format: Defines the format of the firmware file, such as a binary (BIN) file.
4. firmware URI: Specifies the location of the firmware file on the update server.
5. SHA-256 digest: Stores the cryptographic hash of the firmware file to verify its integrity.
6. digital signature: A hash of the entire manifest, signed using the sender's private key, enabling the authenticity of the update to be verified.

C. Update Process
The firmware update process starts with the IoT device querying the update server for the manifest file. Once downloaded, the firmware version and sequence number are validated to ensure that the update is both recent and sequential, preventing rollback attacks. The device then verifies the manifest's digital signature using a pre-stored public key to confirm its authenticity and ensure that it has not been tampered with.

If these validations succeed, the device proceeds to download the firmware from the URI specified in the manifest [3]. A SHA-256 hash of the downloaded firmware is computed and compared against the digest stored in the manifest to verify data integrity. Upon successful verification, the firmware is written to an inactive memory slot to prevent corruption of the currently running system. The bootloader then updates the boot flag, ensuring that the device executes the newly installed firmware on the next reboot.

If any verification step fails, the update process is aborted, and an error is logged for further analysis, ensuring system reliability and preventing unauthorized or corrupted updates.
IV. LIGHTWEIGHT CRYPTOGRAPHIC IMPLEMENTATION

The secure firmware update mechanism leverages lightweight cryptographic techniques to ensure compatibility with low-end IoT devices, which often face resource constraints such as limited computational power, memory, and storage. The mechanism employs two key cryptographic algorithms: SHA-256 for hashing [8] and Elliptic Curve Cryptography (ECC) for digital signature operations [10]. SHA-256 ensures data integrity by generating a unique hash value for the firmware and manifest. Any alteration in the data results in a different hash, enabling reliable tamper detection. ECC, on the other hand, is used for digital signatures to authenticate the firmware's source. Its smaller key sizes make it more efficient than traditional algorithms like RSA [13], reducing memory usage and processing overhead without compromising security.

To optimize these cryptographic operations for low-end devices, the system adopts several measures. ECC is used to reduce key sizes, and lightweight cryptographic libraries such as MicroECC are employed to minimise memory consumption and processing overhead [12]. The SHA-256 algorithm is implemented efficiently to ensure low memory usage and computational demand. Moreover, cryptographic operations are designed to complete within milliseconds, ensuring a seamless update process with minimal delays.

V. THREAT MODEL AND SECURITY ANALYSIS

A robust threat model and security analysis are critical to evaluating the effectiveness of the secure firmware update mechanism. The proposed system addresses various attack vectors that threaten IoT devices, ensuring the integrity, authenticity, and confidentiality of firmware updates. Below are the key threats considered and the corresponding mitigation strategies.

A. Tampering with Firmware or Manifest
Attackers may attempt to alter the firmware or manifest during transmission to inject malicious code or disrupt device functionality. The system mitigates this threat by using SHA-256 to generate a hash for both the manifest and firmware. The hash acts as a digital fingerprint, ensuring any modifications can be detected. Additionally, the sender's private key is used to sign the manifest, and the IoT device verifies this signature with the sender's public key, ensuring authenticity [9].

B. Replay Attacks
In replay attacks, attackers resend old, valid manifests and firmware to roll back devices to vulnerable states. To counter this, the manifest includes a sequence_number field, which is a timestamp or incremental counter. The IoT device maintains a record of the latest sequence number it has processed, rejecting manifests with older sequence numbers [7].

C. Impersonation of Firmware Sender
Attackers could impersonate the legitimate firmware sender to distribute unauthorised firmware. The use of digital signatures ensures that only firmware and manifests signed by the trusted sender can be accepted. The IoT device verifies the sender's authenticity using their public key, making impersonation infeasible without access to the sender's private key [11].

D. Man-in-the-Middle (MitM) Attacks
In a MitM attack, adversaries intercept communication to modify or inject malicious updates. While the system's cryptographic measures, such as hashing and signing, protect the integrity and authenticity of the data, secure transport protocols like HTTPS or TLS can be used alongside this mechanism to safeguard the communication channel [6].

VI. PERFORMANCE ANALYSIS

This section presents a detailed performance evaluation of the secure firmware update mechanism, focusing on execution time and memory utilization at various key stages. The analysis is based on real-time logs collected during the update process.

A. WiFi Connection & Initialization
The device requires approximately 21.8 seconds to establish a WiFi connection. This duration includes the time taken for scanning available networks, authentication with the access point, and obtaining an IP address via DHCP. The connection process is influenced by multiple factors, such as network congestion, signal strength, and retry attempts in case of failed authentication.

Once connected, the heap memory drops slightly to 46,568 bytes, indicating that some memory is allocated for network buffers and connection parameters. This memory consumption remains constant throughout the update process, suggesting that network-related memory usage is stable after the initial connection phase.

B. Manifest Retrieval & Processing

B.1 HTTP GET Request for Manifest
Fetching the manifest from the firmware server takes 3.5 seconds, which includes the time required for DNS resolution, establishing an HTTP connection, sending the GET request, and receiving the manifest response. The retrieval time is reasonable given that the manifest size is relatively small.

B.2 Manifest Parsing
The parsing process is highly efficient, taking only 8 milliseconds. The memory drop of approximately 1.2 KB suggests that temporary buffers were allocated during parsing, possibly for extracting JSON fields such as version, sequence number, firmware URI, hash, and signature. Once parsing is completed, the heap memory stabilizes, ensuring that unnecessary memory is not held beyond its required usage.

C. Version & Sequence Number Verification
This process involves comparing the retrieved manifest's version and sequence number with the previous values stored on the device. The 18-millisecond execution time indicates that this is a lightweight operation, as it only involves reading stored values from memory and performing basic comparisons.

The heap memory drops slightly, reflecting the temporary allocation of buffers for loading and comparing stored manifest values. However, since the difference is minor, this step does not significantly impact overall memory availability.

D. Digital Signature Verification
The cryptographic verification of the manifest's digital signature is a computationally intensive step, requiring 478 milliseconds to complete. This duration accounts for the cryptographic operations involved in validating the authenticity and integrity of the received manifest using the embedded public key.

Interestingly, there is no noticeable drop in free heap memory during this process, suggesting that the cryptographic computations are optimized for memory efficiency. The implementation does not seem to create excessive memory overhead, allowing the device to perform signature verification without running into resource constraints.

E. Firmware Download & Hash Computation

E.1 HTTP GET Request for Firmware
Retrieving the firmware binary from the update server takes approximately 50 seconds, making it the most time-consuming step in the update process. The transfer time is directly influenced by network conditions, HTTP server response time, and available bandwidth.

Given that the firmware size is 272 KB, the download speed is around 5.4 KB per second, which suggests that either the network bandwidth is limited or the embedded device has constraints in processing and storing the incoming data efficiently.

E.2 Firmware Hash Verification
The computed hash of the downloaded firmware matches the expected hash provided in the manifest, confirming that the firmware has not been tampered with during transmission. The hash verification process runs concurrently with the download process, ensuring that data integrity is validated before proceeding with the installation.

The entire step takes 50.2 seconds, which is similar to the download time, indicating that hash computation is performed in real time while receiving firmware chunks. Heap memory remains stable, with only a minor drop in free memory, likely due to temporary buffers used for hash computation [8].

F. Over-the-Air (OTA) Update & Reboot
The OTA update process, which involves writing the new firmware to flash memory and rebooting the system, takes approximately 22 seconds. The logs confirm that the device successfully loads the new firmware, and there are no indications of boot failures or corrupted firmware.

The bootloader verifies the integrity of the flashed firmware before execution, ensuring that the update process has been completed correctly. The device then transitions to normal operation, running the newly installed firmware.

Process                        Time Elapsed (Approx.)   Heap Memory
WiFi Connection                21.8 sec                 46,568 bytes
Manifest Download              3.5 sec                  45,824 bytes
Manifest Parsing               8 ms                     44,320 bytes
Version Check                  18 ms                    42,584 bytes
Signature Verification         478 ms                   42,584 bytes
Firmware Download & Hashing    50 sec                   42,440 bytes
OTA Update & Reboot            22 sec                   Not measured
Table 1. Overall Performance Summary

VII. CONCLUSION

IoT device security and performance depend on firmware updates, yet putting in place a safe and effective update system is still quite difficult. This project presents a manifest-based firmware update methodology that verifies the firmware's validity and integrity prior to installation. The system makes sure that only trustworthy firmware is installed, avoiding malicious or unauthorized changes, by utilizing digital signatures and hash-based integrity checking [9].

Before installing the firmware, the project effectively creates a methodical updating procedure that starts with manifest retrieval, integrity validation, and signature verification. The manifest file contributes significantly to increased security by offering the structured metadata required for verification. By doing away with manual intervention, automating the manifest verification process increases efficiency and security [10]. The reliability of IoT firmware updates is improved by this project's emphasis on crucial security elements such as firmware authenticity, integrity, and safe deployment. By ensuring that IoT devices receive updates in a secure manner, the suggested method reduces the possibility of altered firmware and cybersecurity concerns while preserving the system's general stability and functionality [6].

This project successfully demonstrates a secure and efficient manifest-based firmware update mechanism that enhances
the integrity and authenticity of firmware installations in IoT devices. By incorporating automated verification and cryptographic security measures, the system mitigates the risks associated with unauthorized firmware modifications. Future work will focus on extending this update mechanism to multiple low-end IoT devices with even lower resource constraints than the ESP8266. This will require optimizing cryptographic operations, minimizing memory and processing overhead, and exploring lightweight communication protocols to ensure secure updates on highly constrained hardware. Additionally, implementing alternative update methods for devices lacking native internet connectivity, such as serial or offline updates, will further enhance applicability. By broadening the system's reach to lower-end IoT devices, this approach aims to improve security and reliability across diverse embedded systems, making secure firmware updates more accessible and practical for resource-limited environments.

VIII. ACKNOWLEDGEMENT

We extend our deepest gratitude to the individuals who played pivotal roles in this endeavor. Our heartfelt appreciation goes to our cherished family and friends, whose unwavering encouragement, love, advice, and financial support were indispensable pillars throughout this journey. Their belief in our pursuit fueled our determination.

Sincere acknowledgments are extended to our esteemed professor guide, Ms. K. Abirami. Her invaluable reminders and consistent supervision were instrumental in shaping the trajectory of our study. Her unwavering support and guidance not only provided clarity but also served as a source of motivation. The collaborative efforts of family, friends, and Ms. K. Abirami formed a foundation for success. Each played a unique and crucial role in our achievements. Their contributions enriched our experience and made overcoming challenges possible.

IX. REFERENCES

[1] Alansari, Z. et al. (2018) "Internet of Things: Infrastructure, Architecture, Security and Privacy," in IEEE International Conference on Computing, Electronics & Communications Engineering, pp. 211–238.

[2] Catuogno, L. and Galdi, C. (2023) "Secure Firmware Update: Challenges and Solutions," MDPI Cryptography, pp. 7–30.

[3] Moran, B.; Tschofenig, H.; Brown, D. and Meriac, M. (2021) "A Firmware Update Architecture for Internet of Things," RFC 9019, pp. 1–25.

[4] Mtetwa, N. S.; Tarwireyi, P.; Abu-Mahfouz, A. M. and Adigun, M. O. (2019) "Secure Firmware Updates in the Internet of Things: A Survey," International Multidisciplinary Information Technology and Engineering Conference (IMITEC).

[5] Ojo, M. O.; Giordano, S.; Procissi, G. and Seitanidis, I. N. (2018) "A Review of Low-End, Middle-End, and High-End IoT Devices," IEEE Access, vol. 6, pp. 70528–70554.

[6] Bakhshi, T.; Ghita, B. and Kuzminykh, I. (2024) "A Review of IoT Firmware Vulnerabilities and Auditing Techniques," MDPI IoT Cybersecurity.

[7] Zandberg, K.; Schleiser, K.; Acosta, F.; Tschofenig, H. and Baccelli, E. (2019) "Secure Firmware Updates for Constrained IoT Devices Using Open Standards: A Reality Check," IEEE Access, pp. 71907–71920.

[8] Hasan, H. A. H. (2022) "A Review of Hash Function Types and their Applications," Wasit Journal of Computer and Mathematics Science, 1, pp. 120–139. doi:10.31185/wjcm.52.

[9] Edem, S.; Vivek, G. and Rani, G. (2016) "Role of Hash Function in Cryptography," pp. 10–13. doi:10.22161/ijaers/si.3.

[10] Ramakrishna, D. and Shaik, M. (2024) "A Comprehensive Analysis of Cryptographic Algorithms: Evaluating Security, Efficiency, and Future Challenges," IEEE Access, PP, pp. 1–1. doi:10.1109/ACCESS.2024.3518533.

[11] Xu, J. (2025) "A Comprehensive Study of Digital Signatures: Algorithms, Challenges and Future Prospects," ITM Web of Conferences, 73. doi:10.1051/itmconf/20257303009.

[12] Varchola, M.; Güneysu, T. and Mischke, O. (2011) "MicroECC: A Lightweight Reconfigurable Elliptic Curve Crypto-processor," pp. 204–210. doi:10.1109/ReConFig.2011.61.

[13] Luo, Z.; Liu, R. and Mehta, A. (2023) "Understanding the RSA Algorithm." doi:10.48550/arXiv.2308.02785.