Over-the-Air Firmware Updates for Connected Products
After a device leaves the factory, the software inside it will need to change: bug fixes, security patches, regulatory compliance, new features. Without a reliable OTA update infrastructure, every change requires either a service call or the acceptance that deployed devices stay permanently outdated.
A reliable update infrastructure means you can ship security patches to every device in the field, stay compliant with regulations like the EU Cyber Resilience Act, and continue improving your product after it has been deployed.
Without it, the software on a shipped device is fixed at the point of manufacturing.
Building OTA from scratch is one of the most underestimated problems in connected product development. Here is what it actually involves, and how to get it right.
The challenge with OTA updates
Most teams discover the complexity of OTA updates after they've shipped their first batch of devices. The problems compound:
- No rollback: a bad firmware image can render thousands of devices unresponsive, with no way to recover remotely.
- No staged rollouts: pushing an update to every device simultaneously means a single regression affects the entire fleet.
- No signing: unsigned firmware packages can be tampered with in transit, turning every update into a security risk.
- Protocol fragmentation: devices use different transports (MQTT, HTTP, custom protocols); building a generic update mechanism is non-trivial.
- Connectivity gaps: devices in industrial environments may be offline for hours or days; a naive update client that assumes reliable connectivity will fail in the field.
- EU Cyber Resilience Act: from 11 December 2027, connected products sold in the EU must support vulnerability patching via OTA. An absent update mechanism is a compliance blocker.
What it takes to get it right
A production-grade OTA system needs:
- Signed firmware packages, only images with a valid manufacturer signature are accepted by the device. Prevents supply-chain attacks and accidental deployment.
- Delta updates, send only the changed bytes rather than the full image. Critical for devices on metered or slow connections.
- A/B partition support, the device keeps the current firmware active in one partition while downloading the new image into the other. If the update fails to boot, it automatically reverts.
- Staged rollout, deploy to 1% of devices first, verify telemetry, then expand. Limits the blast radius of a bad release.
- Fleet segmentation, different firmware versions for different device models, hardware revisions, or customer groups.
- Update orchestration, scheduling, retry logic, and status tracking across thousands of devices in parallel.
- Monitoring, know which devices have updated, which are pending, and which have failed, in real time.
How Connhex solves it
Connhex provides OTA update infrastructure as a built-in component of the platform, not a bolt-on.
Connhex Edge runs as a lightweight agent on the device. It handles the update client side: downloading packages, verifying signatures, managing A/B partitions, and reporting status back to the cloud. It is designed to run on constrained Linux-based hardware and handles interrupted connections gracefully.
Connhex Control is the server-side orchestration layer. From the Control dashboard or API you can:
- Upload and version firmware images
- Define rollout strategies: percentage-based staged rollouts, device-group targeting, scheduled deployments
- Monitor update progress across the fleet in real time
- Roll back a campaign immediately if anomalies are detected
Firmware images are cryptographically signed during upload. Connhex Edge verifies the signature on-device before accepting any update, a device that receives a tampered or unsigned package will refuse it and report the incident.
The update flow integrates with Connhex Monitoring: post-update telemetry is automatically analyzed to detect regressions in device health metrics, giving your team early warning before a bad update reaches the broader fleet.
For compliance, Connhex's OTA infrastructure directly satisfies the update and vulnerability-patching requirements of the EU Cyber Resilience Act.
See it in practice
HVAC manufacturer Seitron integrated Connhex into their existing cloud infrastructure without replacing it, demonstrating that OTA and provisioning can be added modularly to products already in the field.
The Connhex Remote Init flow is exactly what we needed. It also handles cases we didn't foresee at all: I'm confident it will be one of our infrastructural pillars for many years.
Senior Software Engineer - Seitron
For HVAC, smart home, and industrial applications, see the relevant use case pages: Connhex for HVAC · Connhex for Industrial Washing Machines · Connhex for the Smart Home