🤖 AI Summary
Existing IoT firmware update mechanisms focus on whole-package integrity, overlooking security vulnerabilities introduced by modular customization—making customization-phase vulnerabilities difficult to detect and mitigate. This paper proposes IMUP, the first framework to establish a cross-module integrity chain, enabling secure and efficient firmware updates in large-scale customized deployments. Its core innovations include: (1) chameleon hashing per module for fine-grained integrity assurance; and (2) server-side proof-of-work offloading coupled with caching to jointly optimize security and performance. Experimental evaluation demonstrates that, compared to conventional package-based approaches, IMUP reduces server-side signature generation time by 2.9×, decreases device downtime by 5.9×, and increases the cost of forgery attacks by 300×.
📝 Abstract
Firmware updates remain the primary line of defense for IoT devices; however, the update channel itself has become a well-established attack vector. Existing defenses mainly focus on securing monolithic firmware images, leaving module-level customization, a growing user demand, largely unprotected and insufficiently explored. To address this gap, we conduct a pilot study on the update workflows of 200 Linux-based IoT devices across 23 vendors, uncovering five previously undocumented vulnerabilities caused by customization practices. A broader analysis of update-related CVEs from 2020 to 2024 reveals that over half originate from customization-induced issues. These findings highlight a critical yet underexamined reality: as customization increases, so does the attack surface, while current defenses fail to keep pace. We propose IMUP (Integrity-Centric Modular Update Platform), the first framework to address two key challenges: constructing a trustworthy cross-module integrity chain and scaling update performance under mass customization. IMUP combines three techniques: per-module chameleon hashing for integrity, server-side proof-of-work offloading to reduce device overhead, and server-side caching to reuse module combinations, minimizing rebuild costs. Security analysis shows that even when 95 percent of secret keys are exposed, forging a valid image incurs over 300 times the cost of the legitimate server. Experiments on heterogeneous IoT devices demonstrate that IMUP reduces server-side generation time by 2.9 times and device downtime by 5.9 times compared to a package-manager baseline.