I do frontend, so I don't have intimate knowledge of our device onboard security, but I do know at the very least any update must have the correct key, access to which is remarkably controlled.
The "ensure device updates are not malicious" question gets asked at least once a month here. It only gets stronger.
You are asking exactly the right questions, though. These are the sort of holes we find in customer home-rolled solutions. Another one is factory enrollment vulnerabilities - how do you guarantee that factories don't walk out with your code, stick some malicious stuff on it, then install it on the device before shipping it?