
OTA firmware updates: how they work and how to secure them

An electronic product doesn't end when it leaves the factory. Bugs appear, features are added and security vulnerabilities emerge. OTA updates (Over-The-Air) let you update a device's firmware remotely, with no cables and no user intervention. They're no longer a luxury: Europe's new cybersecurity regulation (the Cyber Resilience Act) effectively requires them for any connected product.

[Figure: signed firmware travels from the server/cloud over WiFi, cellular or BLE to the device, which runs from partition A, writes the new image to partition B, verifies the signature and reboots, rolling back on failure.]
Dual-partition OTA flow: the new version is written to B, verified and booted; if it fails, it falls back to A.

What an OTA update is

An OTA update is the process by which a device downloads a new firmware version from a server and installs it on its own, securely and without "bricking" the unit if something goes wrong. It's what lets a wearable, an industrial sensor or a smart lock keep improving for years after being sold.

How it works: bootloader and A/B partitions

The key to reliable OTA is not overwriting the firmware that's currently running. The most robust method uses two memory partitions (A/B):

  • The device runs from partition A while downloading the new version into partition B.
  • A small, highly reliable program, the bootloader, verifies the new image and boots from B.
  • If the new firmware doesn't boot properly or doesn't "confirm" it's healthy, the bootloader automatically rolls back to A. The device never ends up dead.

This architecture is the difference between a serious product OTA and one that turns the device into a paperweight if the power drops mid-update.

Security: signing, encryption and secure boot

A remote update is a perfect entry point for an attacker: if they can inject their own firmware, they own the product. That's why a serious OTA relies on three layers:

  • Digital signature: the device only accepts firmware signed by the manufacturer. It checks the signature before installing; if it doesn't match, it rejects the image. This prevents fake or tampered firmware from ever being installed.
  • Encryption: the image travels encrypted, so nobody can intercept it to read your intellectual property or learn how to attack it.
  • Secure boot: the chip only runs signed code, chaining trust from the bootloader to the application. Even if someone writes to memory, the device won't boot unauthorized firmware.

Skipping this part is the most expensive mistake: an insecure OTA isn't a feature, it's a vulnerability.
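As an added example (not code from the original post), here is a constructed C simulation of the slot-selection logic described in the two sections above: at every reset the bootloader boots a pending image only if it carries the expected header, is newer than the running version and passed the signature check, and rolls back to A if the new image never confirms itself healthy. The `sig_valid` flag stands for the result of the public-key signature verification, which is assumed to be done by a crypto library and is not shown here.

```c
#include <stdbool.h>
#include <stdint.h>

#define IMG_MAGIC         0x4F544131u /* constructed image header marker */
#define MAX_BOOT_ATTEMPTS 3           /* unconfirmed boots allowed before rollback */

typedef struct {
    uint32_t magic;      /* must equal IMG_MAGIC */
    uint32_t version;    /* monotonic, used for anti-rollback */
    bool     sig_valid;  /* result of the manufacturer signature check (assumed done by a crypto lib) */
    bool     confirmed;  /* the application marked itself healthy after booting */
    uint8_t  attempts;   /* boots tried without a confirmation */
} slot_t;

typedef struct {
    slot_t slots[2];     /* partition A = 0, partition B = 1 */
    int    active;       /* known-good slot currently in use */
    int    pending;      /* slot holding a newly downloaded image, or -1 if none */
} boot_state_t;

/* Acceptance policy for a new image: well-formed, not a downgrade, and signed. */
static bool image_acceptable(const boot_state_t *st, const slot_t *img)
{
    return img->magic == IMG_MAGIC
        && img->version > st->slots[st->active].version   /* refuse downgrades */
        && img->sig_valid;                                 /* refuse unsigned/tampered images */
}

/* Run at every reset; returns the slot index the bootloader should jump to. */
int bl_select_slot(boot_state_t *st)
{
    if (st->pending < 0)
        return st->active;                     /* nothing new: boot as usual */
    slot_t *img = &st->slots[st->pending];
    if (!image_acceptable(st, img) ||
        (img->attempts >= MAX_BOOT_ATTEMPTS && !img->confirmed)) {
        st->pending = -1;                      /* rejected or never confirmed: stay on A */
        return st->active;
    }
    img->attempts++;                           /* count this trial boot */
    return st->pending;
}

/* Called by the application once it has proven itself healthy, e.g. after reaching the server. */
void app_confirm(boot_state_t *st, int slot)
{
    st->slots[slot].confirmed = true;
    st->active  = slot;                        /* the new image becomes the known-good one */
    st->pending = -1;
}
```

Re-checking the header and signature on every boot, not just once after download, is what ties this to secure boot: a slot that was rewritten after installation is rejected the next time the device resets.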

How it arrives: connectivity and transport

The "over the air" depends on how your product connects. The most common paths:

  • WiFi or cellular (4G/NB-IoT/LTE-M): the device downloads the image directly from the server, usually over HTTPS or MQTT with TLS.
  • Bluetooth Low Energy (BLE DFU): the update arrives from a mobile app acting as a bridge. Ideal for wearables and devices without their own internet connection.
  • Gateway: in networks like Zigbee, Thread or LoRa, a hub receives the update and distributes it to the devices on the network.

Connectivity drives image size, power budget and strategy: updating over mains-powered WiFi is not the same as a battery sensor over BLE.

Conclusion

A good OTA system (A/B partitions, rollback, and security through signing and encryption) is what keeps a product alive, secure and compliant throughout its life. Designing it well from the start (memory, bootloader, keys) is far cheaper than bolting it on later. At Regular Solids we implement secure OTA and custom bootloaders in embedded products; if your device needs to update in the field, let's talk.