We’ve built a secure firmware update distribution system for 8,500 industrial IoT devices using IBM Cloud Object Storage with signed URLs. The challenge was ensuring update integrity and security while handling devices on unreliable networks.
Our solution generates time-limited signed URLs for firmware downloads, enforces HTTPS-only access, and implements firmware update monitoring to track rollout progress and failures. We’ve achieved 99.2% successful update rates even with devices on 3G/4G connections in remote locations.
The system handles firmware versioning, staged rollouts (10% → 50% → 100%), automatic rollback on failure detection, and detailed update telemetry. Sharing this because secure OTA updates seem to be a common pain point in IoT deployments.
What about firmware integrity verification? Are you using checksums, or something more sophisticated like code signing? And how do devices verify they’re getting legitimate firmware before applying the update?
How are you handling the staged rollouts? Is that logic in your Cloud Function, or do you have a separate orchestration service? We need similar phased deployment capability for our medical IoT devices where we absolutely cannot risk bricking devices in production.
This is great timing - we’re designing our OTA update system now. How do you generate the signed URLs? Are you using Cloud Functions to create them on-demand, or pre-generating batches? Also curious about the expiration time you set on the URLs.
Rollout orchestration is handled by a separate service running on Code Engine. It maintains rollout state in a Cloudant database that tracks which devices are in each cohort (10%, 50%, 100%), monitors success rates, and can pause or roll back automatically if the failure rate exceeds a 5% threshold. The Cloud Function checks this orchestration service before issuing signed URLs to ensure the device is in the current rollout cohort.
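A minimal model of the cohort gate and the 5% auto-pause described in the reply above, added here as an illustration and not the poster's actual Code Engine service. An in-memory object stands in for the Cloudant rollout document, the `MIN_REPORTS` floor and the per-release hashing of device IDs are my own assumptions (the post does not say how devices are assigned to cohorts), and all device IDs are constructed.

```python
"""Staged rollout gate: 10% -> 50% -> 100% cohorts with automatic pause.

Illustrative code only (not the project's own). The Cloud Function would call
Rollout.is_eligible(device_id) before minting a signed URL, and devices would
call Rollout.report(device_id, ok) with post-install telemetry.
"""
import hashlib

STAGES = (10, 50, 100)       # percent of the fleet admitted per cohort
FAILURE_THRESHOLD = 0.05     # pause when failures / reports exceeds 5%
MIN_REPORTS = 20             # assumed: do not pause on a single early failure


def bucket(device_id: str, release: str) -> int:
    """Stable bucket 0..99 for a device within one release.

    Mixing the release string into the hash reshuffles which devices land in
    the 10% canary cohort for each firmware, so the same units are not always
    the ones that take the first hit (assumption, not from the post).
    """
    digest = hashlib.sha256(f"{release}:{device_id}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % 100


class Rollout:
    def __init__(self, release: str):
        self.release = release
        self.stage = 0           # index into STAGES
        self.paused = False
        self.success = 0
        self.failure = 0
        self.reported = set()    # device ids already counted for this release

    @property
    def percent(self) -> int:
        return STAGES[self.stage]

    def is_eligible(self, device_id: str) -> bool:
        """The gate consulted before a signed URL is issued."""
        if self.paused:
            return False
        return bucket(device_id, self.release) < self.percent

    def failure_rate(self) -> float:
        total = self.success + self.failure
        return self.failure / total if total else 0.0

    def report(self, device_id: str, ok: bool) -> None:
        """Count one install result per device, so retries cannot skew the rate."""
        if device_id in self.reported:
            return
        self.reported.add(device_id)
        if ok:
            self.success += 1
        else:
            self.failure += 1
        enough_data = self.success + self.failure >= MIN_REPORTS
        if enough_data and self.failure_rate() > FAILURE_THRESHOLD:
            self.paused = True   # stop issuing URLs; rollback is a separate decision

    def advance(self) -> bool:
        """Move to the next cohort only while healthy and not already at 100%."""
        if self.paused or self.stage == len(STAGES) - 1:
            return False
        self.stage += 1
        return True
```

Because eligibility is a threshold on a stable per-device bucket, every device admitted at 10% remains admitted at 50% and 100%, which is what makes the cohorts nest rather than reshuffle mid-rollout. The `MIN_REPORTS` floor matters in practice: with a strict "exceeds 5%" rule and no floor, the very first failed report would pause the whole release.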
Also interested in your monitoring approach. What metrics are you tracking during rollouts, and how quickly can you detect a problematic update? We’ve had situations where firmware bugs only manifest hours after installation, making it hard to correlate with the update event.
We generate signed URLs on-demand using a Cloud Function triggered when devices check for updates. The function validates the device identity, checks the current firmware version, determines whether an update is available, and then generates a signed URL valid for 4 hours. This gives devices time to download even on slow connections while limiting the exposure window if a URL leaks.
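To make the 4-hour window concrete, here is an added, standard-library-only implementation of the presigned GET URL that IBM Cloud Object Storage accepts over its S3-compatible API (AWS Signature Version 4 with HMAC credentials), plus a server-side verifier that recomputes the signature and enforces the expiry. This is illustrative code, not the poster's Cloud Function; the endpoint, region, bucket, object key and credentials are made-up constants, and in production the IBM COS SDK's `generate_presigned_url` does the signing for you.

```python
"""Presigned GET URLs for IBM Cloud Object Storage (SigV4 query signing).

Added illustration, not the project's code. The firmware bucket stays private;
the update function signs a URL that expires after a bounded window (4 hours
here) and the device never sees the secret key. Times are Unix epoch ints so
the block is deterministic and runs offline.
"""
import calendar
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, urlsplit

ALGORITHM = "AWS4-HMAC-SHA256"
SERVICE = "s3"
FOUR_HOURS = 4 * 60 * 60        # URL lifetime the post describes, in seconds

# Assumed values: replace with a real endpoint and HMAC credentials. The secret
# stays inside the Cloud Function; only the resulting URL reaches the device.
ENDPOINT_HOST = "s3.us-south.cloud-object-storage.appdomain.cloud"
REGION = "us-south"
ACCESS_KEY = "EXAMPLEACCESSKEY0001"
SECRET_KEY = "example-secret-key-do-not-use"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret: str, datestamp: str, region: str) -> bytes:
    # SigV4 key derivation: chained HMACs over date, region, service, terminator
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), datestamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, SERVICE)
    return _hmac(k_service, "aws4_request")


def _canonical_query(params: dict) -> str:
    # Sorted keys, RFC 3986 encoding; "/" inside the credential becomes %2F
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                    for k, v in sorted(params.items()))


def _string_to_sign(host: str, path: str, params: dict, amz_date: str, scope: str) -> str:
    canonical_request = "\n".join([
        "GET",
        path,
        _canonical_query(params),
        f"host:{host}\n",      # canonical headers block (trailing newline required)
        "host",                # signed headers
        "UNSIGNED-PAYLOAD",    # presigned GETs do not commit to a body hash
    ])
    digest = hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()
    return "\n".join([ALGORITHM, amz_date, scope, digest])


def presign_get(bucket: str, key: str, now: int,
                expires: int = FOUR_HOURS, secret: str = SECRET_KEY) -> str:
    """Return an https URL for GET bucket/key valid for `expires` seconds from `now`."""
    amz_date = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now))
    datestamp = amz_date[:8]
    scope = f"{datestamp}/{REGION}/{SERVICE}/aws4_request"
    path = "/" + quote(f"{bucket}/{key}", safe="/")      # path-style addressing
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{ACCESS_KEY}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    sts = _string_to_sign(ENDPOINT_HOST, path, params, amz_date, scope)
    sig = hmac.new(_signing_key(secret, datestamp, REGION),
                   sts.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"https://{ENDPOINT_HOST}{path}?{_canonical_query(params)}&X-Amz-Signature={sig}"


def verify_presigned(url: str, now: int, secret: str = SECRET_KEY) -> bool:
    """Mirror of the service-side check: https only, inside the window, and the
    signature recomputes from the path and query exactly as presented."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    q = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    sig = q.pop("X-Amz-Signature", "")
    try:
        amz_date = q["X-Amz-Date"]
        expires = int(q["X-Amz-Expires"])
        scope = q["X-Amz-Credential"].split("/", 1)[1]
        region = scope.split("/")[1]
    except (KeyError, IndexError, ValueError):
        return False
    issued = calendar.timegm(time.strptime(amz_date, "%Y%m%dT%H%M%SZ"))
    if not issued <= now < issued + expires:
        return False
    sts = _string_to_sign(parts.netloc, parts.path, q, amz_date, scope)
    expected = hmac.new(_signing_key(secret, amz_date[:8], region),
                        sts.encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)
```

Two things the verifier makes visible: the object path is part of the signed material, so a leaked URL cannot be edited to fetch a different firmware image, and the expiry is enforced from the signed `X-Amz-Date` plus `X-Amz-Expires`, not from anything the device supplies. A presigned URL only controls who may download; it says nothing about whether the bytes are the intended firmware, which is why the code-signing question upthread still needs its own answer on the device side.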