by agustamir 2200 days ago
Nordic's off-the-shelf firmware upgrade process has signed image verification only. The image itself sent over BLE is not encrypted. So anyone using that right off the bat is in for a nice surprise.

Why would anyone be surprised? I'd be very surprised if my firmware was encrypted without setting any encryption key.
Partially because they call their firmware upgrade process "secure Device Firmware Update (DFU) functionality" (lifted from their documentation). Obviously, an engineer needs to go see the source to see what is actually happening under the hood.
Why do you need encryption for security? A signature should be enough.

(Don’t conflate security with confidentiality)

Not in the context of enabling trusted binaries being used for updates, but to your original point about reverse engineering unencrypted firmware.
It's not common for firmware to be encrypted, just as it's not common for executables on your PC to be encrypted.