In October, a DDoS attack on Dyn’s infrastructure took down a big chunk of the internet, making sites like Amazon and Twitter inaccessible. It was the first major attack involving IoT (internet of things) devices. Fortunately, it was also a benign attack: no one got hurt, no one died.
However, the next attack could be catastrophic. No one knows when it will happen. No one knows the magnitude.
There are billions of IoT devices out there: web cameras, thermostats, doorbells, smart bulbs, refrigerators, heaters, ovens, and much more. IoT devices are low-hanging fruit for cybercriminals because, for all theoretical and practical purposes, a majority of these devices are insecure by design and insecure by default. It should be called IIoT: the insecure internet of things.
Enough whining, is there any solution?
Nowadays many security experts are debating whether the government should intervene through regulations to prevent any doomsday scenarios. As far as regulations are concerned, not much is going to happen until Donald J. Trump takes office. Mr. Trump is quite conservative about federal regulations and has publicly stated that for every new federal regulation, two existing regulations must be eliminated. In addition to that, trade organizations like the U.S. Chamber of Commerce and the Consumer Technology Association are against any regulations, citing that they will hinder innovation.
Either way, whether the government moves toward the development of such regulations or not, regulations alone can’t solve the problem. Technical solutions are needed. There are many technical and economic challenges when it comes to IoT security.
A majority of IoT vendors are hardware manufacturers who make money by selling more hardware. They come up with newer versions of devices on a weekly basis. They don’t have an incentive to support these devices once they are sold. At the same time, they also don’t have any incentive to invest resources into making and keeping these devices secure. Software development, especially security, can be expensive when you are constantly chasing a moving target; cybercriminals are always a step ahead.
Security is not a one night stand
Security isn’t something that you can ship with your device and forget about. No software is immune to bugs, and as Linus Torvalds said, these bugs can become security issues and smart developers can exploit them for malicious purposes. Most IoT devices run on Linux, and the Linux kernel community is doing an amazing job when it comes to security; they fix things immediately.
Greg Kroah-Hartman, the leading kernel developer, said during his keynote at CoreOS Fest, “There are over 10,800 lines of code added, 5,300 lines of code removed and over 1,875 lines of code modified. Every. Single. Day. That amounts to over 8 changes per second.” No other software project, including those by Apple and Microsoft, can beat this speed of development.
That’s where Kroah-Hartman gets upset with software and hardware vendors. Even if these patches and changes are there in the kernel, these fixes don’t reach target devices. “If you make a product with Linux and you can’t update it, or any piece of software, it’s dead. The environment changes. We’re in a world and the joke is: The only thing that’s constant is change,” he told me in an interview. “You have to design your system so it can update itself.”
There are systems that offer automated updates to mitigate the security issue. These systems include CoreOS, Chrome OS and even Android. But none of these systems are targeted at IoT devices.
Ubuntu Core enters the picture
Canonical, the parent company of Ubuntu, has developed a free and open source operating system called Ubuntu Core, specifically for IoT devices. It’s designed from the ground up with security and ease of maintenance in mind, and it approaches IoT the way it should.
According to the IoT page of Ubuntu.com:
Ubuntu Core is a tiny, transactional version of Ubuntu for IoT devices and large container deployments. It runs a new breed of super-secure, remotely upgradeable Linux app packages known as snaps, and it’s trusted by leading IoT players, from chipset vendors to device makers and system integrators.
I spoke with Jamie Bennett, Engineering Manager, Snappy Ubuntu, and he explained how Ubuntu Core works. Software on an Ubuntu Core system is distributed as a snap. This packaging format makes it super easy for an Independent Software Vendor (ISV) to deliver software to an Ubuntu Core device. The actual route an ISV has to take to fix a vulnerability is:
- Fix the vulnerability in their code
- Use the snapcraft tool to create a new snap (which can also update a dependency within the snap, so if there is a vulnerability in any library they can easily upgrade their snap with the fixed version of that library)
- Upload this to the Ubuntu Store
“Afterward, all internet-connected Ubuntu Core devices will receive the update within 8 hours (we have a refresh mechanism on the device that checks for updates 4 times a day and downloads new versions of any software installed if it finds it in the Ubuntu Store). Note that this is the same for any software on the device, including Ubuntu Core itself. In a similar vein, if an OEM has their own software on the device they use the same mechanism to update their software too,” said Bennett.
This means that the software on an IoT device running Ubuntu Core will remain updated automatically, without any user or vendor intervention. In most cases, the devices won’t even require a reboot, which means no downtime.
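The three-step route above, as an added illustration that is not from the article or from Canonical: a hypothetical snapcraft.yaml for a device daemon that bundles a third-party library built from a pinned source tag. The vulnerability fix (step 1) is the bumped tag and snap version; the names `sensor-daemon`, `libfoo` and the example.com URL are constructed.

```yaml
# Hypothetical snapcraft.yaml (constructed example, not a real project).
# Step 1 of the ISV route: the fix lives in a bundled library, so the
# patched release is pulled in by bumping its tag; the snap version is
# bumped too so the store and the device treat this as a new revision.
name: sensor-daemon
version: '1.0.1'           # was 1.0.0
summary: Hypothetical sensor daemon for an Ubuntu Core device
description: |
  Constructed example of a daemon snap that bundles a third-party library.
grade: stable
confinement: strict        # sandboxed; only the interfaces declared below are reachable

apps:
  sensor-daemon:
    command: bin/sensor-daemon
    daemon: simple         # managed as a system service, restarted after a refresh
    plugs: [network-bind]  # the only interface the daemon is allowed to use

parts:
  libfoo:                  # hypothetical bundled library
    plugin: autotools
    source: https://example.com/libfoo.git
    source-tag: v2.3.1     # was v2.3.0; v2.3.1 is the (hypothetical) patched release
  sensor-daemon:
    after: [libfoo]        # build the library first, then link the daemon against it
    plugin: make
    source: .
```

Step 2 is running `snapcraft` in the directory holding this file to produce the new .snap; step 3 is uploading it with snapcraft’s upload command (`snapcraft push` at the time of the article, `snapcraft upload` in current releases), after which connected devices pick it up on their next refresh.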
Could Ubuntu Core have avoided the Dyn attack?
What if the devices involved in the Dyn attack had been running Ubuntu Core? Is it possible that Ubuntu Core could have prevented that attack?
“Yes, there are things that could have been done to prevent that particular attack, but the more important point is that we need to be able to learn and improve, and FIX issues on devices after they have shipped. That’s the main improvement in Ubuntu Core, we can ALWAYS fix issues, on every device, almost entirely automatically,” Mark Shuttleworth, the founder of Ubuntu and Canonical told me, “We cannot say that Ubuntu Core is immune to attack, but we can be very confident that any detected attack can be addressed quickly and globally through automatic updates.”
Can Ubuntu Core thwart future attacks?
“Security is about vigilance and responsiveness. There is no up-front strategy to avoid future attacks, it’s more important to be able to fix things quickly and reliably,” said Shuttleworth. That’s the crux. I see no reason for IoT vendors not to use systems like Ubuntu Core that offer optimum security at almost zero cost.
It ought to be super expensive
I hear you. But no. It’s free of cost. Just like any other Ubuntu distribution, Ubuntu Core can be downloaded from the Ubuntu website today. “Canonical offers support and extra services around this product, just like we do with the Ubuntu Desktop and Server (and other products). If a vendor wanted to use Ubuntu Core there is no up-front charge,” said Bennett.
Win-win situation
IoT vendors don’t have to do any more work than they are already doing. They don’t have to invest in security or in system updates. “They can take a standard Linux system that a team of Canonical experts created and currently maintain, that is rigorously tested in-house, has security, updates, and rollback features baked in from the start, and has the ability to offer the OEM’s customers a full application ecosystem on top, then that is pretty compelling,” said Bennett. There is a clear incentive for OEMs. They don’t have to worry about the software, the security and the updates of the devices. They can focus on creating great devices that are more secure, robust and extensible, which may translate into the sale of more devices.
Additionally, if such vendors do write any IoT-specific code and contribute that code as open source, they will benefit from each other’s work by sharing, and thereby cutting, the R&D and software development cost.
No matter how you look at it, it’s a win-win situation.
This article is published as part of the IDG Contributor Network.