Mender: An Open Source Software Updater for the Internet of Things

The cyberattacks on Tesla and Jeep Cherokee embedded devices have made clear the security risks associated with the Internet of Things, not only of having systems commandeered but “bricked” — made useless as the malware strain BrickerBot does in a permanent denial-of-service attack.
Better updating of software would certainly help mitigate against such attacks, though updating remote devices can be tricky, due to bandwidth and processing restraints. San Francisco-based Mender provides an open source over-the-air (OTA) software updater for connected Linux devices focused on security, robustness and ease of use.
“When we started out, there was no standard way to do software updates in IoT devices. About half the people we talked to had no way to do updates at all, which is scary; the other half had built their own homegrown updater. That seems wasteful and leads to instability of devices because it’s a difficult thing to get right,” said Eystein Stenberg, Mender chief technology officer and co-founder.
“So we decided it was time for somebody to build an open source updater that everybody can use.”
Mender consists of a management server and client device, both under the Apache License, Version 2.0. It’s currently an on-premise solution, with a hosted version still in beta.
It’s a block-based rather than file-based system, which enhances robustness by eliminating the risk posed by different file versions or only partial updates. Everything updates or nothing. If the full image update fails due to power failure or poor network connectivity, the device automatically rolls back to the previous working state.
Developers like the ability to use the same mechanism to update the Linux kernel as well as applications, according to Ralph Nguyen, head of community development.
Written in Golang, the client regularly polls the management server over HTTPS to check for updates so no ports need to be opened at the client. If any are available, the client pulls the update from the management server, an approach that limits the attack surface. Only Transport Layer Security (TLS) connections are allowed; the server rejects insecure connections.
Developers can use state scripting for additional checks to ensure the device and applications are working properly.
It’s a dual-partition system using a boot partition containing the U-Boot bootloader, and a data partition that contains data files that are persistent between updates. In addition, there are two root file systems called the active and passive partitions. The update loads on one partition while running on the other, then it switches to the new one. If there’s a problem, it switches back to the old one.
The Mender update client can run in standalone mode through the CLI or custom integration, or managed mode, in which it runs as a daemon and will regularly poll the server, automatically apply updates, reboot, report and commit the update.
Mender is tightly integrated with the Yocto Project, open source collaboration project that provides templates, tools and methods for creating custom Linux-based systems for embedded products regardless of the hardware architecture. However, it can be ported to non-Yocto build systems such as Debian, Ubuntu and Raspbian.
Mender supports updates to sensors and other smaller devices through the gateway as a proxy using network protocols such as ZigBee, Bluetooth low energy and other local network technologies which eliminate the need for an agent to run on them.
Customers include “smart-tinting” glass vendor Kinestral; IOTAS, which provides smart home technology for renters; and utility technology vendor GridX.
Mender competes with first-generation OTA software vendors such as Artik, which was acquired by Samsung and Movimento, acquired by Delphi Automotive. Hosted IoT backends such as Mode and Kuzzle provide some update capabilities, along with application performance management, log management, authentication and other services as do full platforms such as Resin.io, as well as those from major players such as IBM, SAP and Oracle.
Patrick Ohly, a software engineer at Intel GmbH, Germany, who works on the Yocto Project and the IoT Reference OS Kit for Intel(r) architecture, discussed file-based versus block-based updaters at last year’s Embedded Linux Conference.
He noted “they all have pros and cons, and in some cases, need further work.”
Block-based systems like SWUpdate and Mender have fixed partition sizes, which, he said, means “you can’t have an update stream that is supplied to different devices with different hard disks because they have to be partitioned the same way.” He added that file-based systems like swupd and OSTree make it easier to support a variety of devices.
File-based updates can be smaller and faster, but Mender is focused on security and believes the “all-or-nothing” approach with rollbacks provides the necessary robustness, Stenberg said.
Going forward, the company plans to expand its range of Linux distributions with Ubuntu and Debian at the top of the list, as well as support for ever-smaller devices through proxy deployment.
Feature image via Pixabay.