Patent Application
20230025271
The present disclosure relates to a method for updating software and a communication device, capable of executing such a method.
Internet of Things (IoT) devices are used in a large variety of fields, including consumer products, such as e.g. products related to home automation, wearable technologies, devices enabling connected health and appliances with remote monitoring capabilities, and industrial products, applicable for e.g. manufacturing, monitoring and controlling operations. IoT devices may be configured with various advanced functions, but there is also a growing demand for simpler devices, capable of handling specific tasks with limited resources available. The latter devices are often referred to as constrained devices, i.e. battery driven devices that has limited processing and storage capabilities, which typically comprise a device interface, such as e.g. an inductive interface, adapted for data exchange and possibly also for energy harvesting; and a battery-powered processor, capable of executing specific software instructions. Such a device may be configured to perform periodic measurements via one or more sensors and possibly also to store the measured data in a memory of the device or at another location, accessible to the device.
It is common practice to offer the option of performing a factory reset of an IoT device, where, when applicable, configurations, set by a user or an owner of the device, are erased, and where, potentially, software of the device is reverted to a factory installed image, which is stored on the device, e.g. in a Read-Only Memory (ROM), or a write protected partition of a non-volatile memory.
Flash memories, such as e.g. embedded MultiMediaCards (eMMCs), normally support various types of write protection parts of the memory, such as e.g. permanent, temporary or power-on-reset write locking of a particular area or areas. In order to obtain a higher level of security, memory areas may also be password protected. A temporary write protected area can be opened up during runtime, while a power-on-reset write protected area can be configured, using a write once register, which can be locked during a boot process, but reset and opened up by performing a power-on cycle or a reset of the device. A permanently write protected area, however, can never be updated.
For IoT devices, such as e.g. constrained devices which do not comprise any User Interface (UI), it can be difficult to trigger specific software updating procedures.
If a software updating procedure, such as e.g. a factory reset image updating procedure involves security issues it may be critical to perform such an update procedure reset on a constrained device, as it may be vulnerable to attacks until it has been properly updated or upgraded. If a factory image or other software is stored in a permanently write protected non-volatile memory, such an updating procedure may not even be possible to execute.
It is an aim of the present disclosure to provide a method, an arrangement and a computer program product which, to at least some extent, address one or more of the issues mentioned above.
More specifically, according to one aspect, there is provided a method in a communication device for executing a software updating process at the communication device, where the method is executed by acquiring data captured by at least one sensor which is accessible to the communication device, by comparing the acquired data to predefined conditions for initiating a software updating process, and by initiating the software updating process at the communication device in response to determining that the acquired data meet with predefined conditions for updating software at the communication device.
The suggested method will enable a simple and user friendly, as well as secure, way of initiating a software updating procedure at a device which does not comprise any UI. Typically, the suggested method is usable at a constrained device, but also devices which are not considered to be constrained, or even devices which comprise a UI, may be adapted to apply the suggested method, since the procedure for initiating an updating procedure may be very user friendly and robust.
According to another aspect, a communication device for executing a software updating process is suggested, where the communication device is configured to: acquire data captured by at least one sensor which is accessible to the communication device; compare the acquired data to predefined conditions for initiating a software updating process and initiate the software updating process at the communication device in response to determining that the acquired data meet with predefined conditions for updating software at the communication device.
According to yet another embodiment a computer program product is suggested, where the computer program product comprise a non-transitory computer readable medium on which a computer program is stored, which, when run on the communication device, will cause the communication device to execute the suggested method.
Embodiments will now be described in more detail in relation to the accompanying drawings, in which:
In order to enable software updatability in a simple and predictable way, yet with at least a basic level of security, a method is suggested where a communication device, which may be e.g. a constrained communication device, such as e.g. an IoT device, a Machine to Machine (M2M) device, a Machine Type Communication (MTC) device, or any other type of device which is adapted to determine a need for, initiate and execute a software updating procedure, based on some external manipulation of the environment of one or more sensors which are accessible to the device.
The suggested method is very suitable for manual, as well as automated execution of a software updating procedure. Especially in a situation with hundreds, or maybe even thousands, of devices, an automated procedure of the suggested software updating procedure may be preferred.
Although the suggested method is particularly suitable for initiating updating of software at a communication device which does not comprise any UI, it is however to be understood that the suggested method is also applicable for communication devices which do have a UI, but where the intention is e.g. to provide a reliable and easy method for updating software of a communication device according to an alternative approach which does not require a user to interact with the device via any UI. The suggested method may e.g. replace a physical reset button on a communication device, which has the disadvantage that it may be pressed unintentionally.
In situations where a communication device is placed in a rough environment, such as e.g. in an ironworks or underwater, where the device needs to be sealed the suggested method may also be suitable.
Referring to
Alternatively, data may be captured according to a combination of conditions, where some or all conditions may be applicable at all times or in an optimized or scheduled manner, such that e.g. certain time based conditions become applicable if a threshold based condition has not triggered data capturing from a specific sensor when a pre-defined time interval has elapsed. It is also to be understood that according to one embodiment, data may be acquired by data being sent to the communication device from a sensor, without requiring any intervention from the communication device, whereas according to another embodiment, data is being acquired from a sensor on request from the device.
If any of the approaches mentioned above is applied, data, relevant for the mentioned method can be captured at any time, providing that predetermined conditions for capturing the data have been fulfilled with or without requiring any intervention for initiating the acquiring of data from the device. According to an alternative embodiment, the initiation of the suggested method and acquiring of data, is instead triggered at a preceding, optional step 110, where a function of the communication device, which may be referred to as an analysis function, or a software updating analysis function, determines that a software updating procedure is required. Such a determination may comprise one or more consideration, already mentioned above, such as e.g. expiry of a time interval, indicating that the total runtime calls for a software update, or expiry of a time interval, without receiving any sensor data. Such a determination may alternatively be based on more or less complex analysis of the functioning of the device, such as e.g. based on unpredictable outcome of one or more executable functions of the communication device, such as e.g. when processing and analyzing sensor data, captured for conventional purposes.
According to one embodiment, detection or suspicion of specific security issues related to certain software of a communication device, such as e.g. presence of data virus may trigger the device to initiate the suggested method. According to another embodiment, repeated occurrence of a specific error message may trigger initiation of the suggested method. According to yet another embodiment, a sensor which is considered by the communication device to be faulty may trigger execution of the suggested method at the communication device.
Once data has been acquired by the communication device it is compared to predefined updating conditions, as indicated with step 130. The predetermined conditions may comprise a threshold, a specific pattern of the captured data or a combination thereof.
According to another step 140, it is determined if the acquired data, compared at step 130, meet with the predefined updating conditions. The conditions are specifically selected such that captured data will not fall within a normal range without the environment of a respective sensor being manipulated. More specifically, in order to meet with the conditions, the environment need to be manipulated, either manually or automatically. This means that under normal conditions, data acquired from one or more sensors will not meet with the predefined conditions associated with the method described herein. Instead the described method will, under those circumstances, be terminated, as indicated with the “No” branch pointing to the right in the figure, which is applicable if no timer or counter is applied by the method.
Alternatively, in case an optional timer is applied, the timer is started at step 130, i.e. upon comparing the first acquired data. If the acquired data does not meet the predefine condition in step 140, it is determined if the timer has expired in a subsequent step 150, and the method is to terminate, or if time still permits further data to be acquired, whereas the method instead continues from step 120. As long as the timer has not expired, steps 120-140 are repeated, allowing data to be acquired for the duration of the time interval of the timer, whereas when the timer expires, without the acquired data meeting with the predefined conditions, the suggested method is terminated.
Although not shown in the figure, the timer may alternatively be replaced by a counter, where, instead of applying a certain time limit, data may be captured a predefined number of times, and if data meet with predefined conditions for any of the captured data sets, a software updating procedure is triggered.
Manipulated data is to be construed as meaning that acquired data has been manually or automatically forced to fall within a specific interval, pattern or in a specific way in relation to a threshold value, contrary to data which is fully representative of the environment in which the respective is located, where the environment has not been, at least intentionally, affected, neither manually, nor automatically.
Environment is to be construed as one or both of the air surrounding, and effecting the data acquired from a sensor, or a device on which the sensor is attached, which may be the actual communication device or another device which is connected to the communication device. When the environment of a sensor is the surrounding air, the air may e.g. be manipulated by warming it up if e.g. a temperature sensor is used for measuring the air temperature, whereas in case a device comprising a pressure sensor, the device may e.g. be manipulated by a user pressing the device and the pressure sensor together.
If the acquired data meet with the predefined conditions, a software updating procedure is initiated by the device, as indicated with step 170. According to one embodiment, the communication device requests software update from one or more external servers, typically by transmitting a request to the server in an out-of-band communication between the server and the communication device, after which the software is transmitted to the communication device 300. According to one possible embodiment, another communication device, storing updatable software, acts as a server, from which the communication device can request the software.
According to another embodiment, an initiation of a software updating procedure will involve that software, such as e.g. a specific software image, available at a storage of the communication device itself is acquired and used in a software updating procedure, executed at the communication device.
Depending on the severity of the reason for requiring software update, steps 130-170 may be executed by conventional functionality of the communication device or by a specific function or circuitry, which may be referred to as a secure function or circuitry, where a secure function or circuitry is isolated from the remaining functionality of the device, so that it is still able to operate also when the remaining functionality of the device does not operate in an adequate or predicted way. The secure function or circuitry may be controlled by the same processor as the processor which is controlling the conventional functionality of the communication device, or it may be controlled by another, separate processor, thereby increasing the chances of successful execution of the mentioned method also is situations where the processor managing the conventional functionality of the communication device has stopped working.
The functionality of the communication device may, according to one embodiment, be arranged so that data acquired for determining if it meet with the predefined conditions is always processed by the same functionality as the one handling data, which is captured for conventional sensor data processing.
According to another embodiment the communication device has a primary function and a secondary function, where the primary function is limited to handling data captured by a communication device, operating under normal conditions, i.e. without initiating any software updating procedure according to any of the embodiments described herein, whereas the second function is activated and executed when it is found that captured data meet with predefined conditions for initiation of the suggested software updating procedure. The separation of a first and a second function may provide a way of separating functionality to be executed for conventional sensor capturing processing from functionality to be executed when a software updating is required.
Irrespective of whether or not the communication device has one single function for acquiring sensor data, or a primary and a secondary function, as suggested above, one or more physical quantities, which are suitable for manipulation, is applied, together with suitable, associated condition settings, which may refer to one or more of e.g. temperature, pressure, acceleration force, backscattering coefficients, angle, rotation, motion, vibrations, length or light. All of the mentioned physical quantities are suitable for being measured by a sensor when the environment of the sensor is being manipulated so that a value within a wanted range, which differs from the range to expect in an un-manipulated environment, can be acquired.
Suitable sensors may be connected to, attached to, or integrated with the communication device. A temperature sensor may e.g. be arranged to capture the temperature of its environment, i.e. the air surrounding it, a pressure sensor may capture the pressure exposed to a device on which the sensor is attached, an accelerometer may capture an acceleration force exposed to a device on which the accelerometer is arranged, a radar equipment may capture backscattering coefficients associated with a device on which the radar equipment is arranged, an angel measuring sensor may capture an angle of a device on which the angle measuring sensor is arranged, a rotation sensor may capture a rotation of a device on which the rotation sensor is arranged, a motion sensor may capture motion of a device on which the rotation sensor is arranged, a vibration sensor may capture vibration of a device on which the vibration sensor is arranged, a length sensor, which may e.g. be located in a sonar, may capture a specific length, and a light sensor, such as e.g. a photocell, may capture light in the environment of the sensor.
When applying manipulated sensor values, a temperature sensor may e.g. be placed in a location where the temperature of the environment is typically varying within the range of −10° C.-+30° C., but not above 50° C. By applying a threshold at 50° C., setting a rule for initiation of a software update procedure to when a temperature is captured above 50° C. and by manipulating the environment of the sensor by warming up the air close to the sensor so that it reach above 50° C., it will be possible to trigger a software update at the communication device to be initiated at such an occasion.
According to another embodiment, light pulses may e.g. be flashed at a light sensor so that a light pattern is recognized as a pattern which triggers a software update procedure at a communication device.
Alternatively, two sensors, capable of measuring different physical quantities, may be combined so that e.g. data from an acceleration force sensor and an angle sensor may capture data indicative of a user shaking a communication device according to a certain instruction or pattern when the angle sensor at the same time is being tilted above a certain angle. The latter embodiment is particularly suitable when both sensors are attached to the communication device, but one sensor may alternatively be attached to the device while another senor is connected to it. By combining different sensors, e.g. as suggested, an even more robust procedure for when to actually initiate a software update may be achieved, since the specific combination of manipulations of the various sensors may typically be very difficult to execute in the specified combination, without knowing the required combination of conditions in advance.
In addition to any of the approaches mentioned above, the mentioned conditions may be applied to consider data captured from one or more sensors, suitable for capturing manipulated data in combination with data captured from one or more sensors suitable for capturing un-manipulated data.
Physical quantities suitable to be captured as un-manipulated data may comprise e.g. geographical coordinates, distance, orientation, biometrics or visual sensor data, where e.g. a GPS may be used for capturing geographical coordinates, an ultrasonic sensor may be used for capturing distance data, an accelerometer may be used for capturing data indicative of an orientation, a biometric fingerprint reader may capture a fingerprint, or visual sensor data, which may include e.g. digital pictures, which may e.g. be captured by a digital camera.
By combining manipulated data, such as e.g. motion, captured e.g. with a motion sensor with un-manipulated data, such as e.g. geographical coordinates, captured with e.g. a GPS, it will be possible to trigger an updating procedure of software e.g. when a communication device is shaken according to a certain predefined pattern when, at the same time, located at a certain geographical location, such as e.g. at a car service station, where the respective software update may be required and initiated by a person being aware of the required pressure pattern, which may e.g. only be known to authorized personal of the service station.
In another scenario a communication device may be shaken or squeezed according to a certain pattern in combination with exposing a fingerprint of a user to a fingerprint sensor, where the fingerprint sensor may be configured to sense any human fingerprint or identify a specific fingerprint. In one alternative scenario the device may be shaken in combination with covering a light sensor with the shaking hand of the user, i.e. the combination of a shaking pattern and no light exposed to the light sensor will initiate a software updating procedure.
By combining capturing of one or more specific physical quantities, suitable for manipulation with capturing of e.g. geographical coordinates, the suggested method is not only very suitable for initiating a software update procedure for a constrained device, but also for devices, for which a specific software update is to be executed only when the communication device is at a certain location, but once at that location it shall be easy for a user, who is aware of the specific pattern, to initiate the update by manipulating the environment of a manipulatable sensor.
Due to the fact that a specific pattern may be required for triggering a specific software updating procedure, different patterns may be applicable for updating different parts, or areas of a memory. Alternatively, or additionally, different software versions may be selected depending on the applied pattern, which is triggering the software updating procedure.
Manipulation of an environment in which there is one or more sensors may be executed manually, so that e.g. a pressure sensor is being squeezed or the environment of a temperature sensor is being warmed up. Manual manipulation may come in handy e.g. if one or a few communication devices are to be updated. However, in case of a large number of communication devices that need to be updated at more or less the same time, an automated process may be more appropriate. The latter use case may, especially for communication devices located in remote places, involve e.g. drones or land-based or underwater-based robots that are sent out to the relevant one or more sensors to manipulate the environment of these one or more sensors in a manner which will trigger a software updating procedure to be initiated at the communication devices.
In case one or a few sensors are to be used only for sensing manipulated data, this or these sensors may be connected to a plurality of communication devices. Thereby, a manipulation of the environment of only one or a few sensors may, with a relatively limited effort, trigger a software updating procedure at a plurality of communication devices.
In order to increase the security with respect to the software updating procedure, certain relevant memory areas of a communication device may be adapted accordingly when software updating is to be executed at the device, as well as when the process has been completed.
The communication device 300 of
A communication device is, in the present context, to be referred to as a device which comprise, or have access to, at least one sensor, which is adapted to communicate with one or more other devices and a communication network, such as e.g. a network operable according to a network technology compliant with e.g. one or more of 2G, 3G, 4G, 5G, or of a short range technology, such as e.g. Zigbee, Bluetooth, Wi-Fi, Near-Filed Communication (NFC) or Ultra-wideband (UWB).
A communication device adapted to operate according to any of the embodiments described herein may, according to one embodiment, be configured as indicated in
The communication device 300a also comprises at least one sensor interface, here represented by sensor interface 370a. Typically, the sensor interface 370a comprise a cache, or a separate cache (not shown) is connected to the sensor interface 370a, so that data acquired from a sensor can be cached at the communication device 300a before it is determined whether it meet with predetermined conditions or not. In
The communication device 300a may also comprise a computer program product, 380a, comprising a non-transitory computer readable medium on which a computer program is stored, which when run on the communication device 300a will cause the communication device 300a to execute a method according to any of the methods suggested herein.
Although not indicated in the figure, the communication device 300a typically also comprise further functional circuitry or functions, such as e.g. power source, further memory areas, such as e.g. Read Only Memory (ROM) and an interface for communication with a server, if applicable. Such functionality has been omitted from the figure in order not to obscure the mechanism, relevant for the understanding of the claimed technical solution.
The communication device 300a of
Irrespective of if a communication device is provided with secure circuitry or not, the communication device may be configured to execute a primary and a secondary function where a primary function is adapted to capture data from at least one sensor, such as e.g. sensor 400a, where the captured data provides a representation of the environment in which the respective sensor is located, or, in other words, data captured by a sensor in a conventional way, and a secondary function is adapted to capture data from at least one sensor, such as e.g. sensor 400b, where the captured data provides a potential trigger for the software updating process, i.e. the data is captured for the purpose of triggering a software updating procedure when conditions for such a procedure is considered to be fulfilled. The processor 310b of the communication device 300b therefore receives data to be handled by the first function without requiring any interaction from any secure circuitry 380c, if applied, whereas the secondary function is configured to process data recognized as a trigger for a software updating procedure. With secure circuitry applied, sensor data acquired by the processor 310b of the communication device 300b, which is to be handled in a conventional manner, i.e. which is not intended to initiate a software updating procedure will be forwarded to the processor 310b in a transparent manner.
The communication device 300a,300b described above according to any of
The communication device 300a,300b may alternatively also comprise computer readable instructions 320a,320b which, when executed by the processor 320a,320b, causes the communication device 300a,300b to execute a method according to any of the embodiments described herein.
According to another aspect, a communication device 300c for executing a software updating process as suggested herein is described below with reference to
Further functional units which is normally acquired in a communication device capable of operating as suggested herein, such as e.g. a power regulating unit and communication unit, which are not necessary for the understanding of the functionality as suggested herein, have been omitted for simplicity reasons.
| Filing Document | Filing Date | Country | Kind |
|---|---|---|---|
| PCT/EP2019/086360 | 12/19/2019 | WO |
