I meant the binary parts always to have the size of a flash page. And then transfer the pages with changes, no matter if there is only one byte changed in a page or all. So there would be not that much overhead.
Sounds like you're having a file system in your flash and your modules are individual files (my device only uses on chip memory). In this case take the above scheme, replace old and new binary version by module versions, put together all module images and place a table of contents at the beginning. Then the device could look for the right module version. And in case the update is interrupted the device can skip the already updated modules.
I only know that DoS attacks are hard to come by since they are using services which should be available normally. On the devices side this might be not to hard as long as it builds up all connections needed itself. But in this case the idea you mentioned earlier of one device informing others abut updates could be a bad idea, because an attacker could use this feature to make a DDoS attack on the server: attacker to all devices: "there is a new update" all devices to server: "fine, send me the new update" server: "what? new update? ... hey, not all at once ... dam it, I quit" ;-) Ok, with this in mind it should be possible to implement that feature in a safe way.
But for the server it will be difficult to prevent DoS attacks (and that's all I know about that).
Ah, users. One can write "In order to make your device secure you have to replace the default key!" in letters big enough so the sentence will fill up an entire page - they won't read it. But after some security issue they'll call the support: "Why wasn't my device secure?"
Anyway, the default key in the source isn't the issue. It's no key, it is just something to make the device work without the user having to do some setup first (although, IMO he should be forced to set a key).
The question is: is it possible read the key which replaced the default key by Step 1: trying to read it over any interface the device offers (easy to cover in software, just don't implement a function for this) Step 2: disassembling the device and than using a JTAG interface or unsoldering the flash chip to read its contents (not to hard to cover if the µC has some internal flash / EEPROM which can be protected so it can't be read out with a JTAG interface) Step 3: by micro probing (ok, if the key it worth this effort, it should be also worth it to hire Schneier to do the security stuff ;-))
A way around this might be to upload the current image for instance once a day (may be at random times) to the update server. This way a corrupted image will be replaced after about a day. The compiling machine should be able to do that. It could also download the image from time to time to check it.
Of course everything can be encrypted, but why do this if you don't need it. The (unencrypted) image file can be used to get a complete binary of your software, which then might be copied to some other hardware, so someone gets a similar device with your application (i.e., without paying for it). Only if this kind of stuff is a problem for you, then you have to encrypt the binary.
Messing around with packets shouldn't be a problem with a secure hash, because it's more than unlikely that someone can mess up the binary and then generate a secure hash, which passes the check.
By, Mike