
The Slow Pace of Linux Kernel Updates is a Frightening IoT Security Problem
When patching holes in your core security kernel takes upwards of three years on average from discovery to patch release, it obviously raises concerns. Add in the view of security analysts that the basic approach of the security design is outdated and not responsive when under attack, and the picture grows ever more worrisome. The scale of the problem becomes clear when you consider the vast number of devices out there that are exposed to the hacking fraternity and which will probably never receive an OS update.
Linux drives the majority of the world’s Internet-connected devices. Its open source nature provides a stark contrast to proprietary platforms such as iOS and Windows in the speed of bug fixing and patch development. The security aspects being highlighted in recent debates have a lower impact on servers housed in data centers than they do on exposed devices in the IoT world. The latter is the real cause for concern.
Device manufacturers deploy Linux on everything from digital video recorders to vacuum cleaners. The cost is attractive and it is customizable and scalable. The downside is that native Linux does not offer patch push functionality to devices in the way that, say, Microsoft does. Often derided for many aspects of Windows development, nobody can deny that Microsoft appears to do all in its power to ensure that connected devices receive frequent OS updates and patches. At the same time, a vast number of connected Linux devices may never receive an OS update in their lifetime.
At the core of the problem is the often very poor code quality and risible security of the countless device drivers that vendors add, compounded by the disjointed, not-thought-through nature of the IoT landscape. The Linux security kernel faces challenges not of its own making but which potentially pose a major threat to the Internet itself. Recent massive DDoS attacks launched by botnets of zombie IoT devices generated an unprecedented level of traffic. An attack measured at over 600 Gbps raises the possibility that even bigger attacks may be possible. Those traffic levels can swamp the routers that connect the Internet’s backbone with its spokes.
Manufacturers and vendors must take a share of the blame for failure to develop code that at least attempts to provide adequate security protection. One senses that the quick buck mentality overrules the genuine need to make drivers and the like robust enough. Of course, there is no money in building security features into vacuum cleaner device drivers. Only attractive functionality might increase the bottom line. Developing security aspects is a cost that may not be justifiable in the boardroom.
Criticism has been levelled at Linus Torvalds and the Linux community for taking a bug-fixing approach rather than overhauling the security kernel design. Torvalds is infamous for his tendency to drive his own path forward and ignore arguments for change that potentially have merit. The security debate may be the single biggest challenge to his authoritative approach since 1991, when Linux was first released. An architecture that is 25 years old was not designed to cope with the security demands and ever-increasing hacking threats of 2016. It does appear that the time has come for a major rethink that will adequately cope with the nature and shape of the foreseeable threats of the next 25 years.