The Internet of Things was born the moment that internet connectivity expanded beyond the setup of a computer hooked up to a router. Today, there is an ever-growing abundance of “things” possessing internet capabilities. These can be flashy, like driverless cars, Fitbits, or an Amazon Echo. Or they can be more prosaic, like coffee makers or washing machines. Gartner predicts that, by 2020, there will be 20 billion Things connected to the Internet.
A majority of embedded systems constitute internet-connected Things. A clear case is the modern smart factory, where industrial automation relies upon online connectivity to operate smoothly via a network of physical nodes. Most of these embedded systems use ARM chips and device architectures, and run on an operating system based on the Linux kernel.
IoT appliances and devices are wise to use Linux. It allows for multiple suppliers of software, development and support; it has a stable kernel; and it facilitates the ability to modify and redistribute the source code. However, an IoT device running on Linux is just as susceptible to vulnerabilities as any other Linux system. Worse, because of the nefarious opportunities unique to various types of IoT device, they are even more vulnerable to the attention of hackers.
For example, in January, seven different upstream kernel vulnerabilities emerged, all of which could enable a local malicious application to execute arbitrary code within the context of a privileged process. In May, a kernel vulnerability (CVE-2019-2054) was discovered that could allow a local attacker to escalate privileges without additional execution privileges. Just last month, a weakness was found (CVE-2019-2101) that could enable a local malicious application to bypass OS protections that isolate application data from other applications. What this means is that, even more pressingly than with other systems, IoT devices with chips running on the Linux kernel need their security to be watertight.
And if you’re rebooting to patch your kernel, you’re not nearly as secure as you could be. Rebooting is the method that most software companies use to apply patch updates to their servers. But because rebooting is a hassle that takes websites offline, kernel patching is always delayed, for weeks or even months.
This gap between patch issue and patch application will leave IoT devices open to every attacker in cyberspace. If you aren’t applying kernel patches as soon as possible, then you are leaving yourself exposed to hackers who know all the current vulnerabilities, and are eager to exploit them to spy, steal or disrupt.
The Internet of Things is a technological marvel, but it is more important than ever not to allow kernel vulnerabilities to linger for a moment longer than necessary. Start live patching today.