How can we safely update your secure hardware over the air like this? Every release must be signed by multiple GridPlus private keys which are separated geographically so your device can verify the provenance of the release. The secure bootloader will reject any updates that do not meet these strict criteria before installing anything. You can also use the verification tool to make sure your Lattice1 is authentic - no other device can receive our update.
The device is made up of two elements (the HSM/SCE and the GCE) - the GCE that runs a simple Linux system updates automatically (far less often than the SCE), but every single part of the device is constructed with the idea that the GCE is vulnerable at all times - this means that no part of the system that handles secure data is ever exposed to the update.
In other words, funds are safu.
The Linux GCE is also updated - the updates are very infrequent and automatic - you're not prompted to approve them. These happen completely outside of the secure chip running the firmware and do not touch any secure data or private keys.