Idols with Feet of Clay: On the Security of Bootloaders and Firmware Updaters for the IoT | IEEE Conference Publication | IEEE Xplore

Abstract:

IoT devices are generally implemented with low-cost embedded solutions, and connectivity and communication capabilities are the raison d'être of such devices. But this is a double-edged sword, since connectivity also implies that (1) the door is opened to more attack possibilities, and (2) the targeted system, once breached, can serve as the support for attacks at a larger scale, possibly involving many connected systems. Our observation is that such devices lack proper hardware and software security protections. Bootloader and Firmware Update (BFU) mechanisms are critical components in the software stack of IoT devices. BFUs are a target of choice since they run with the highest privileges and are executed before the system's security policy is set up. An attacker able to compromise the BFU can gain full control over the target system. Moreover, the update mechanism often supported by the BFU is essential to ensure devices can be upgraded and maintained for a long time. If not properly secured, the BFU allows an attacker to gain control over a system throughout its whole lifetime, including future upgrades. In this paper, we provide an overview of the threats targeting BFUs and of existing protections. We cover the hardware and software attacks that are known in the scientific literature. We also argue that vulnerabilities to physical attacks, in particular to fault injection attacks, are mostly left unattended.
Date of Conference: 23-26 June 2019
Date Added to IEEE Xplore: 20 January 2020
Conference Location: Munich, Germany
