
Author: Yu-Cheng Hsu (許祐晨)
Thesis title: A Blockchain-based Software Update Framework for Internet of Things
Advisor: Nai-Wei Lo (羅乃維)
Oral defense committee: Tzong-Chen Wu (吳宗成), Shi-Cho Cha (查士朝)
Degree: Master
Department: School of Management - Department of Information Management
Year of publication: 2020
Academic year of graduation: 108
Language: English
Number of pages: 57
Keywords (translated from Chinese): software update, blockchain, MQTT
Keywords (English): software update, blockchain technology, Message Queuing Telemetry Transport protocol
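  • With the arrival of the digital transformation era, the flourishing of IoT applications has driven the rise of many peripheral industries, such as smart homes, smart cities and smart healthcare. How to ensure that the IoT devices in use are secure is given great weight in practice. In the past few years, several large-scale DDoS attacks targeting software vulnerabilities have occurred and caused serious damage within a short time; we therefore need an effective software update solution.

    This thesis proposes a software update framework based on blockchain technology and the MQTT protocol, suited to scenarios in which a gateway communicates externally and manages multiple IoT devices internally. MQTT servers are installed on the corresponding nodes to push software updates automatically and in real time. The blockchain records the software update release records published by device manufacturers, so that device owners can verify the source and integrity of the updates they receive. In addition, smart contracts are used to record device owners' purchases, to provide lookup of MQTT servers and related keys, to provide software subscription services for devices, and so on.

    This thesis implements a prototype of the framework and conducts related experiments. The results show that the proposed framework can push software updates to gateways effectively, securely and in a timely manner. In addition, compared with traditional solutions, the proposed framework, by combining blockchain technology with the MQTT protocol, can become a more effective solution for software updates.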


    With the arrival of the digital transformation era, the vigorous development of IoT applications has led to the rise of many peripheral industries such as smart homes, smart cities and smart healthcare. The practical issue of how to ensure the security of deployed IoT devices is highly valued. Over the past few years, several large-scale DDoS attacks have exploited software vulnerabilities on IoT devices and caused severe damage in a short time. Therefore, an effective software update solution for IoT devices is in demand.

    In this thesis, a software update framework based on blockchain technology and the MQTT protocol is proposed. It is suitable for scenarios in which gateways are used to communicate externally and manage multiple IoT devices internally. MQTT servers are installed in the corresponding blockchain nodes to support automatic real-time software update delivery. Blockchain technology is used to store the software update release records published by manufacturers so that users can use these records to verify the source and integrity of received software updates. In addition, smart contracts are adopted to store users' purchasing records, to let users look up MQTT servers and related keys, to provide users with subscription services for dedicated IoT devices, etc.

    A framework prototype is constructed and experiments are conducted. Based on the experimental results, the proposed framework can effectively and securely deliver software updates to targeted gateways in real time. In addition, the results also show that the proposed framework, which combines existing blockchain and MQTT technologies, may be a more efficient way to deliver software updates than traditional solutions.

    Abstract (Chinese)
    Abstract
    Acknowledgements
    Table of Contents
    List of Figures
    List of Tables
    Chapter 1 Introduction
      1.1 Background
      1.2 Motivation and Contribution
    Chapter 2 Preliminaries
      2.1 Blockchain Technology
      2.2 MQTT Protocol
      2.3 ECDH Key Exchange Protocol
    Chapter 3 Literature Review
      3.1 Firmware and Software Update
      3.2 Centralized OTA Software Update
      3.3 Blockchain-based Software
      3.4 MQTT-based Software Update
    Chapter 4 Proposed Framework
      4.1 Role and Architecture
      4.2 Assumptions
      4.3 IoT Device Purchase and Software Update Process
      4.4 Smart Contracts in the Proposed Framework
      4.5 MQTT Setup
      4.6 Three-Phases Operation in the Proposed Framework
      4.7 Blockchain Node Management
    Chapter 5 Experiment and Analysis
      5.1 Experimental Environment
      5.2 Performance Analysis
      5.3 Security Analysis
    Chapter 6 Conclusion and Future Work
