TL;DR: Secure over-the-air updates depend on device identity, authentication, encryption, and signed delivery paths, because wireless update channels can expose devices to malware, downtime, physical safety issues, and tampered payloads, according to DigiCert. The core governance issue is that update integrity fails when connected devices cannot reliably prove who sent the update and who should receive it.
NHIMG editorial — based on content published by DigiCert: What are over-the-air updates?
By the numbers:
- Business Intelligence predicts there will be more than 30 billion connected devices by 2020.
- Nearly 160 million vehicles around the world will have the capability to upgrade their systems with OTA updates by 2022.
Questions worth separating out
Q: How should security teams secure over-the-air updates for connected devices?
A: Security teams should require signed updates, encrypted delivery, and certificate-based recipient verification for every device class.
Q: Why do over-the-air updates create identity risk for IoT fleets?
A: OTA creates identity risk because the device must decide whether an incoming update is legitimate.
Q: What breaks when certificate lifecycle management is missing for connected devices?
A: When certificate lifecycle management is missing, devices can continue trusting expired, stale, or compromised identities.
Practitioner guidance
- Require signed updates for every device fleet: Block OTA acceptance unless the payload is signed by an approved authority and the signature chain is validated on-device before installation.
- Bind update acceptance to device identity: Use certificates or equivalent identity credentials so each device can verify that an update is meant for its specific class, model, or enrolment state.
- Separate transport security from update trust: Encrypt the delivery path, but also validate authenticity and integrity at the application layer so a secure tunnel alone cannot approve a malicious payload.
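The three controls above combined into one on-device acceptance gate, as an added example (not code from DigiCert or from this editorial). It assumes a hypothetical JSON manifest and a single pinned Ed25519 key standing in for full certificate-chain validation; `Manifest`, `AcceptUpdate`, `SignSample` and the device class strings are illustrative names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

type Manifest struct { // hypothetical descriptor; field names are assumptions
	DeviceClass string `json:"device_class"` // fleet the update is meant for
	SHA256      string `json:"sha256"`       // hex digest of the payload
}

// AcceptUpdate is the on-device gate; it takes no transport input, so TLS alone approves nothing.
func AcceptUpdate(trusted ed25519.PublicKey, manifestJSON, sig, payload []byte, myClass string) error {
	// Origin: verify the signature over the raw bytes before parsing them.
	if !ed25519.Verify(trusted, manifestJSON, sig) {
		return errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return fmt.Errorf("manifest malformed: %w", err)
	}
	// Recipient: the signed manifest must name this device's class.
	if m.DeviceClass != myClass {
		return errors.New("update not intended for this device class")
	}
	// Integrity: the payload must match the digest the signer committed to.
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("payload digest mismatch")
	}
	return nil
}

// SignSample builds a constructed manifest and signature for the demo (signer side).
func SignSample(priv ed25519.PrivateKey, class string, payload []byte) ([]byte, []byte) {
	sum := sha256.Sum256(payload)
	mj, _ := json.Marshal(Manifest{DeviceClass: class, SHA256: hex.EncodeToString(sum[:])})
	return mj, ed25519.Sign(priv, mj)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	mj, sig := SignSample(priv, "thermostat-v2", []byte("constructed image"))
	fmt.Println(AcceptUpdate(pub, mj, sig, []byte("constructed image"), "thermostat-v2"))
}
```

Because the device class and payload digest sit inside the signed bytes, altering either one invalidates the signature instead of slipping past a later check.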
What's in the full article
DigiCert's full blog covers the implementation detail this post intentionally leaves for the source:
- How certificate-based update signing is used to prove update origin and integrity for connected devices.
- Examples of the device security building blocks DigiCert names for end-to-end OTA protection, including identity, authentication, encryption, and secure infrastructure.
- The article's IoT-specific examples, including smartphones, tablets, smart home systems, learning thermostats, and vehicles.
- DigiCert's own framing of where security should be introduced in the device lifecycle, from manufacturing through post-deployment operations.
OTA updates and device identity: are your controls keeping up?
Explore further
OTA update security is a machine identity problem before it is a patching problem. The update channel carries trust decisions, because each device must decide whether a sender, payload, and certificate chain are legitimate. When that decision layer is weak, the organisation is not just slow on updates. It has no reliable way to tell a valid maintenance action from an attacker-controlled one. Practitioners should therefore treat OTA as part of the identity plane for connected devices.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.
A question worth separating out:
Q: Who is accountable when a malicious OTA update reaches production devices?
A: Accountability usually sits across product security, device engineering, and identity governance. Organisations should define who owns signing keys, who approves certificate issuance, who monitors revocation, and who can stop deployment when update trust is uncertain.