What if a nation-state attacker compromises TrustKernel's internet network?

What if an attacker compromises TrustKernel’s network and pushes a malicious update to users? Are there protections against this?

I should say, that’s impossible.

To successfully push a malicious PlugOS update, an attacker would need to compromise far more than a network.

At an organizational level, the update process is intentionally split across multiple independent teams and control points. No single team, system, or role has the authority to generate and release a valid system update on its own. Even with control over internet-facing infrastructure, an attacker would still need to defeat separate review, approval, and signing steps owned by different teams, operating under audited security and quality frameworks (including CC EAL4+, CMMI Level 3, and ISO 27001).

Finally, OTA signing keys are not part of the online infrastructure. They are managed by a dedicated hardware security module (HSM) and handled by designated personnel only.

In practical terms, this means an attacker would need to simultaneously compromise multiple independent teams, identities, and management processes, not just technical systems. This is not a realistic single-vector attack.

At a system level, PlugOS does not blindly trust the delivery channel. Updates are verified locally and cannot be installed without proper authorization. PlugOS does not rely on persistent backend control services.

Most importantly, the user retains final control. Network access can be restricted, updates are not silently forced, and PlugOS provides local mechanisms (such as its built-in firewall) for users to observe and limit network behavior.

So the security model does not assume “the network is safe”.
It assumes the opposite — and requires multiple, independent failures and loss of user control for an attack to succeed.