The update path is the most privileged channel into a node.

Software Updates Over CAN as an Attack Vector

The firmware update channel inherits the manufacturer's trust: whatever the bootloader accepts, the device runs. Both CANopen and J1939 originally standardized firmware download for interoperability, not for security. Many real products shipped plain Intel-HEX images alongside a generic download tool, which leaves the update channel wide open to anyone with bus access (or to anyone who can phish a service engineer). The result is a class of attack that is structurally distinct from frame injection: the attacker no longer impersonates a node for one bus session. They replace the code that node runs.

Why Software Updates Are a Threat Surface

Frame-level attacks succeed for the duration of a bus session. Update-channel attacks succeed for the lifetime of the device. Once an attacker can flash arbitrary code into a node, every system parameter and even every cryptographic key on that node is in their hands, every defensive shell on that node can be silenced, and every later "secure" frame the node emits is signed by them. From the rest of the bus's perspective, the compromised node is still legitimate. Update tampering also persists across power cycles, factory resets that the malicious firmware mishandles, and most diagnostic procedures, until someone reflashes the device through a trusted channel, which presupposes the trusted channel still exists.

Standardized Bootloading Without Standardized Security

CANopen (CiA 710) defines firmware-download protocols at the application layer. An Object for security is reserved, but its implementation is not defined. The intent is interoperability: a CANopen download tool from one vendor can update a CANopen device from another. That is the right design goal for a fieldbus standard. It is also the wrong design goal to answer security with: the published profiles do not by themselves require authentication, encryption, or version-rollback protection. Authentication and confidentiality are layered on top of the standard exchange by the manufacturer, or they are not present at all.

The Plain-HEX Shipping Pattern

The most common pattern in industrial CAN for a long time was this: the manufacturer publishes a firmware update as a plain Intel-HEX file, distributed over a website or email, alongside a generic CAN download tool. The device's bootloader speaks the standard download protocol and writes whatever image it receives. There is no signature on the HEX file, no encryption in flight, no version-monotonicity check at the bootloader, and no audit trail of who attempted to flash what. Anyone with bus access can flash arbitrary code: a service engineer, a supply-chain insider, a post-deployment add-on device, or an attacker who phished the support team's distribution channel.

Concrete Attack Patterns

Two operators standing beside an industrial vehicle
            while its dashboard displays an OTA firmware update
            progressing at 12 percent
Over The Air updates during operation are too risky for many industrial applications.

Where Remote Entry Becomes an Update-Distribution Surface

Many Remote Attacks do not require physical bus access. The remote-service gateways, diagnostic ports, and wireless maintenance links are usually how legitimate updates are pushed in the first place. That makes the same paths an attractive route for malicious updates: a compromised cloud back-end, a stolen service-tool credential, or a man-in-the-middle on a maintenance channel can drive the update protocol exactly as the manufacturer would. The threat moves from "attacker has soldered onto the wires" to "attacker has the same access the service team has".

Mitigations

Secure bootloader with PSK

Authenticated firmware update under a dedicated pre-shared key, AES-128-GCM-protected images, and possibly challenge/response gating into the update mode. 
See Secure Bootloader.

Version monotonicity and signed releases

Bind the version into the signed image and refuse to install older releases. Sign the release artifact in a controlled pipeline so the delivery channel cannot be substituted by an attacker who happens to control the distribution endpoint.

Audit logging of every update attempt

Anomaly Event Monitoring captures both successful and rejected update attempts to the security event log, with timestamps and challenger identity. This makes opportunistic attempts visible even when they fail, and supports CRA vulnerability handling.
See Anomaly Event Monitoring.

Hardened update-distribution path

Authenticated, replay-protected channel from the manufacturer's release pipeline through to the device: TLS-PSK or equivalent on remote-service gateways, signed-tool authentication on local diagnostic ports. Closes the remote-entry side of the threat surface from Remote Attacks.

CVSS Scoring for Update-Channel Attacks

The CVSS baseline depends on whether the update path is locally bus-attached or remotely reachable. For a directly bus-attached update channel against an unprotected bootloader, the attack vector is AV:P as elsewhere on classical CAN, but the integrity and availability impacts are higher than the per-frame baseline because firmware tampering is irreversible from the bus side: the device runs attacker code afterwards. For an update path exposed via a remote-service gateway or maintenance back-end, the attack vector is AV:N and the confidentiality impact follows whatever the firmware itself can access.
See CVSS for CAN for how mitigations adjust the score.

Frequently Asked Questions

Why is the firmware update channel a threat surface separate from frame injection?

Frame injection lets an attacker imitate one node for the duration of the bus session. Compromising the firmware update channel lets the attacker replace the code that runs on the target permanently, including any cryptographic keys it holds. The blast radius and persistence are categorically different, even though the underlying bus access can be the same. The mitigation is also different: see Secure Bootloader.

Is the CANopen firmware-download protocol inherently insecure?

The exisitng CiA 710 standardized download protocol solves interoperability, not security. Authentication, encryption, and rollback protection are layered on top by the manufacturer. A device that implements the download exchange but ships unsigned plain-HEX firmware satisfies the protocol while leaving the security properties at zero.

Does shipping plain Intel-HEX firmware fail the EU CRA?

CRA Article 13(2)(c) requires that vulnerabilities can be addressed through security updates and that those updates can be applied safely. A plain-HEX update channel that any party with bus access can drive cannot be applied safely in the regulatory sense, and the same channel becomes the manufacturer's vulnerability-introduction surface. Most CRA conformity assessments will flag this.