Linux is often the default choice for many IoT devices, but with a recent backdoor threat, we look at why an RTOS can better deliver security and minimalism.

Linux – the biggest name in open-source operating systems – is in crisis after a “trusted” contributor was discovered to have inserted a backdoor in a software package that could have resulted in a massive software supply chain attack.

This is particularly concerning for the Internet of Things (IoT) considering that Linux accounts for about 70% of all device operating systems. For developers, this infiltration suggests that Linux and its subsystems are getting so big that malicious code can be easily injected without notice. One safeguard is to return to operating system (OS) basics and other, simpler alternatives.

Let’s look at why, in this moment of cybersecurity, real-time operating systems (RTOS) are the safer bet amidst Linux’s expanding threat surface.

What just happened in Linux?

This incident marks one of the biggest ecosystem breaches in recent memory for Linux. In late March, a developer uncovered a remote code execution vulnerability in a software package part of XZ Utils, a library for compressing and decompressing files. Alerted by failing SSH logins and high CPU utilization, developers soon realized that the flaw enabled remote attackers to bypass authentication and gain complete system access.

Even more concerning? The backdoor was initiated by a “trusted” collaborator who had been working on the open-source project for several years.


It’s worth taking a step back and considering why this matters in IoT. Of course, when developing a device or system, one of the earliest and most crucial decisions developers make is deciding the type of OS. Linux is often the default choice for many devices and projects, from Android smartphones to smart TVs, thanks to its advanced memory and processing power.

However, these are two features that devices don’t always need.

The case for RTOS

The truth is that many devices don’t need to run on Linux. It’s often the industry preference, sure, but this doesn’t mean it’s the right choice. For example, running simple devices like connected doorbells on a full-fledged Linux OS would have seemed crazy a couple of decades ago due to resource constraints. Now, it’s part and parcel of modern IoT.

This hack should serve as a wake-up call that not every device warrants Linux. Basic devices like sensors or monitors – and, yes, even doorbells – usually serve one function at a time. They can therefore benefit from the resource efficiency and focused functionality of RTOS.

In Linux and other general-purpose operating systems, programs are loaded dynamically after boot, often with the ability to run in separate memory and file spaces under different user accounts. This isolation is beneficial when running multiple applications concurrently on a shared server, as one user’s programs cannot interfere with another’s, and hardware access is shared equally through the operating system.

In contrast, RTOS operates by compiling applications and tasks directly into the system with minimal separation between memory spaces and hardware. Since the primary goal of an IoT device is typically to serve a single application, possibly divided into multiple tasks, this lack of separation is not an issue. Additionally, because the application is compiled into the RTOS, it is ready to run after a very short boot and initialization process.

This is relevant in IoT because device developers usually know two key pieces of information:

   • How many tasks will be running?

   • How much memory do these applications/processes need?

Therefore, armed with this insight, developers can determine if RTOS is a good fit. Usually, regardless of whether we’re talking about Zephyr, Azure RTOS, or Free RTOS, the ability to guarantee predictable and low-latency task execution makes these systems an attractive choice.

Additionally, Linux adds many more layers of complexity. For example, I’ve seen camera devices where developers didn’t have enough expertise to properly configure and minimize the Linux installation/distribution, leading to potential security risks. Again, selecting the right OS from the start can save unnecessary development hurdles in the long run.

A trade-off worth making

The discovery of this critical vulnerability in a core Linux package, introduced by a trusted contributor no less, demonstrates the escalating security risks facing IoT ecosystems. For developers, this incident underscores the importance of approaching OS selection with security as the top priority. While Linux offers unparalleled functionality, that power often comes at the cost of increased complexity that requires significant expertise to properly configure and harden the installation.

On the other hand, RTOS is designed from the ground up with security and minimalism in mind. By focusing solely on executing discrete tasks with low latency, rather than multi-process and multi-user multitasking, RTOS offers a reduced attack surface with clear visibility into the limited codepaths. Moreover, since the application is compiled directly into the RTOS, and due to the nature of many microcontrollers, it is extremely difficult – if not impossible – to inject random code for execution through techniques like stack overflows. This is because the only code that can run is located in the system’s flash memory. Consequently, the compile-time integration of components further minimizes potential vulnerabilities.

Of course, RTOS by nature trades some functionality for security. But for the vast majority of IoT use cases that require simple, dedicated operation rather than multi-purpose computing, this kind of system can provide real-time performance and security essentials.

The expanding threat landscape for Linux shows that, particularly for IoT, this separation of security and functionality may be a trade-off worth making.

source

As more PC owners avoid Windows 11 than ever before

Despite the serious disadvantages, people are still flocking to Windows 10

   ► The number of people using Windows 10 increased in April 2024

   ► Some 14,000,000 PC users turned to the 9-year-old operating system

   ► The increase came at the expense of its successor, Windows 11

   ► PC users flocked to Windows 10 despite the incoming end of support

   ► It will cost as much as $427 (£337.29) to continue using Windows 10

Microsoft cannot kill Windows 10.

The US company has already confirmed that it will end support for Windows 10 in October 2025 — cutting off millions of PCs from essential security updates and bug fixes. Without these critical software patches, Windows 10 users will be vulnerable to attacks from hackers and other data breaches.

Due to the popularity of Windows 10, Microsoft has confirmed plans to extend its Extended Security Updates (ESU) subscription to everyday users for the first time. Previously reserved for enterprise customers, the annual plan could cost as much as £330 to unlock an extra three years of important security updates.

Many assumed the fast-approaching deadline — not to mention, the threat of having to spend hundreds on software updates — would spur millions of PC users still relying on Windows 10 to finally make the switch to its successor, Windows 11.

But the number of people using Windows 10 every day is increasing, according to the latest figures from Statcounter. The popular website, which monitors and analyses global web traffic to calculate the popularity of devices, web browsers, and operating system, has recorded a rise in the number of people using Windows 10.

PCs powered by this almost decade-old operating system topped 70% for the first time since late 2023.

The increase recorded in April 2024 was roughly 1%, Statcounter shows. During the same time frame, Windows 11's market share dipped slightly to 25.69%, suggesting the increase in people using Windows 10 came at the expense of its successor. That's a serious blow for Microsoft.

Microsoft has previously confirmed there are roughly 1.4 billion Windows PCs worldwide. At that scale, a 1% increase in people flocking to Windows 10 equates to an astonishing 14,000,000 PC users.

With the launch of a new operating system, we'd typically expect to see the number of devices powered by its predecessor declining over time. This happens as users voluntarily switch to the latest software to get their hands on exciting new features or a stylish new appearance and as more devices with the latest operating system preinstalled are sold.

It's rare to see an older operating system regain traction in its twilight years — especially with the threat of the end of support and a new fee looming less than 18 months away.

Those who want to keep using Windows 10 until 2028 will need to spend as much as $427, roughly £337.29 converted, to continue to receive critical patches for security flaws and compatibility issues in Windows 10, Microsoft has confirmed.

If you missed the memo, Microsoft will end support for Windows 10, which was released worldwide in July 2015 and was widely marketed at the time as the “final” iteration of Windows, on October 14, 2025.

Known as Extended Security Updates (ESU), this subscription unlocks up to three years of additional support for ageing operating systems, extending the lifecycle of Windows 10 until the end of 2028. ESU was previously reserved for businesses to offer 36 months of additional time to update their entire fleet of PCs and ready proprietary software to work with the latest operating system from Microsoft.

Windows 10 marks the first time Microsoft will offer Extended Security Updates to anyone.

Microsoft has published the cost of Windows 10 ESU for enterprise users, with the first year setting you back $61 (£48.19). To incentivise Windows 10 users to upgrade to the next iteration of the desktop operating system, Microsoft will double the cost every year. The full breakdown of costs is as follows:

   • Windows 10 ESU — $61 (£48.19) for first year

   • Windows 10 ESU — $122 (£96.39) for second year

   • Windows 10 ESU — $244 (£192.78) for third and final year

This is not the cost for consumers, with Microsoft promising that pricing for the average Windows 10 user “will be shared at a later date.” However, we're likely to see the same pricing structure, with costs doubling each year to try to push people to finally switch away from Windows 11.

Microsoft describes the optional Extended Security Updates subscription as “a last resort option for customers who need to run certain legacy Microsoft products past the end of support.” It offers a maximum of 36 months of additional security updates and emergency bug fixes.

“Extended Security Updates are not intended to be a long-term solution but rather a temporary bridge,” the Redmond-based company explains in a blog post. “You can purchase ESU licenses for Windows 10 devices that you don’t plan to upgrade to Windows 11 starting in October 2024, one year before the end of support date.”

Businesses who are subscribed to a cloud-based solution like Intune or Windows Autopatch will enjoy a 25% discount on Extended Security Updates. Microsoft is offering an even more generous discount to schools, with the first year of ESU dropping to just $1 (79p), this doubles to $2 for year two and $4 for the final year.

Prices have risen sharply for Windows users looking to put off the upgrade to the next major operating system release from Microsoft. When it introduced the ESU plan was introduced for Windows 7, Microsoft charged £9.57 for the first year, rising to £19.15 in the second year.

That cost was per device, so things can become pretty pricey if you have a few devices, like a laptop, desktop PC, or tablet.

Some industry watchers had speculated that Microsoft would be forced to offer extended support for Windows 10 at no extra cost due to the vast number of PCs still powered by the operating system.

However, despite the widespread usage, Microsoft is seemingly set on charging for the privilege.

This has allowed rival Google to take advantage of the situation to bolster its own market share of desktop PCs by offering a free upgrade for all Windows 10 users to its ChromeOS system, which is based on the world's most popular web browser and boasts years of security updates and support.

There’s no guarantee that your current PC will be able to upgrade to Windows 11. With this rebooted operating system, Microsoft introduced several strict system requirements.

Windows 11 only officially supportsIntel’s 8th Generation (known as Coffee Lake) or Zen 2 CPUs and newer, leaving millions of devices sold with Windows 10 preinstalled unable to upgrade.

Following a public backlash, Microsoft did add a number of exceptions to its list of supported chipsets, including the 7th Generation Intel Core i7-7820HQ – a processor that was used in the Surface Studio 2, an all-in-one desktop machine that cost £3,549 at launch back in 2018.

Nevertheless, this marks the first time that Microsoft has enforced such specific processor requirements with its operating system upgrade.

In comparison, Windows 8 and Windows 10 only stipulated a 1GHz processor, at least 1GB of RAM, and 16GB of available storage. Windows 11 requires an Intel processor first launched in October 2017 as well as 4GB of RAM and 64GB of storage.

According to Microsoft, the stricter silicon requirements enable a better experience for those running Windows 11, with a 60% reduction in malware thanks to the requirements that “enable protections like Windows Hello, Device Encryption, virtualization-based security (VBS), hypervisor-protected code integrity (HVCI) and Secure Boot.” It also claims a “99.8% crash-free experience” on machines with components from its list of supported hardware.

source

Microsoft has been saying for a while now that it has been working on a mobile game store to compete with the Google Play Store and Apple's iOS App Store. Today, we got a time frame for when that store will actually become available.

Bloomberg reports that Microsoft Xbox President Sarah Bond revealed that its mobile game store will launch sometime in July. Bond made that announcement as part of an interview during the Bloomberg Technology Summit. A video of her remarks was also posted on the Bloomberg Live X (formerly Twitter) account.





Bond said that the store will be released on the web first, rather than as an actual mobile app store. Bond stated the web-based store would be able to reach a bigger audience and more devices.

At first, the mobile game store will offer games that are currently owned like Microsoft. That would include games like the popular Candy Crush titles from King, which Microsoft acquired when it bought Activision Blizzard in October 2023. It would also likely include games like Minecraft and Call of Duty Mobile.

Bon said there is a plan to release third-party mobile games via the new store at some point but details of how that will work have yet to be revealed. Bond also suggested that Microsoft would like to sometime in the future extend the store beyond the web, which may mean it could launch an actual third-party gaming app store for Android and iOS.

Bond didn't offer an actual name for the web-based store, She also didn't state if there will be any testing of the store for Xbox Insiders before it officially goes live.

source

Researchers have devised an attack against nearly all virtual private network applications that forces them to send and receive some or all traffic outside of the encrypted tunnel designed to protect it from snooping or tampering.

TunnelVision, as the researchers have named their attack, largely negates the entire purpose and selling point of VPNs, which is to encapsulate incoming and outgoing Internet traffic in an encrypted tunnel and to cloak the user’s IP address. The researchers believe it affects all VPN applications when connected to a hostile network and that there are no ways to prevent such attacks except when the user's VPN runs on Linux or Android. They also said their attack technique may have been possible since 2002 and may already have been discovered and used in the wild since then.

Reading, dropping, or modifying VPN traffic

The effect of TunnelVision is “the victim's traffic is now decloaked and being routed through the attacker directly,” a video demonstration explained. “The attacker can read, drop or modify the leaked traffic and the victim maintains their connection to both the VPN and the Internet.”



The attack works by manipulating the DHCP server that allocates IP addresses to devices trying to connect to the local network. A setting known as option 121 allows the DHCP server to override default routing rules that send VPN traffic through a local IP address that initiates the encrypted tunnel. By using option 121 to route VPN traffic through the DHCP server, the attack diverts the data to the DHCP server itself. Researchers from Leviathan Security explained:

Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway. When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it.

We use DHCP option 121 to set a route on the VPN user’s routing table. The route we set is arbitrary and we can also set multiple routes if needed. By pushing routes that are more specific than a /0 CIDR range that most VPNs use, we can make routing rules that have a higher priority than the routes for the virtual interface the VPN creates. We can set multiple /1 routes to recreate the 0.0.0.0/0 all traffic rule set by most VPNs.

Pushing a route also means that the network traffic will be sent over the same interface as the DHCP server instead of the virtual network interface. This is intended functionality that isn’t clearly stated in the RFC. Therefore, for the routes we push, it is never encrypted by the VPN’s virtual interface but instead transmitted by the network interface that is talking to the DHCP server. As an attacker, we can select which IP addresses go over the tunnel and which addresses go over the network interface talking to our DHCP server.


A malicious DHCP option 121 route that causes traffic to never be encrypted by the VPN process.

We now have traffic being transmitted outside the VPN’s encrypted tunnel. This technique can also be used against an already established VPN connection once the VPN user’s host needs to renew a lease from our DHCP server. We can artificially create that scenario by setting a short lease time in the DHCP lease, so the user updates their routing table more frequently. In addition, the VPN control channel is still intact because it already uses the physical interface for its communication. In our testing, the VPN always continued to report as connected, and the kill switch was never engaged to drop our VPN connection.

The attack can most effectively be carried out by a person who has administrative control over the network the target is connecting to. In that scenario, the attacker configures the DHCP server to use option 121. It’s also possible for people who can connect to the network as an unprivileged user to perform the attack by setting up their own rogue DHCP server.

The attack allows some or all traffic to be routed through the unencrypted tunnel. In either case, the VPN application will report that all data is being sent through the protected connection. Any traffic that’s diverted away from this tunnel will not be encrypted by the VPN and the Internet IP address viewable by the remote user will belong to the network the VPN user is connected to, rather than one designated by the VPN app.

Interestingly, Android is the only operating system that fully immunizes VPN apps from the attack because it doesn't implement option 121. For all other OSes, there are no complete fixes. When apps run on Linux there’s a setting that minimizes the effects, but even then TunnelVision can be used to exploit a side channel that can be used to de-anonymize destination traffic and perform targeted denial-of-service attacks. Network firewalls can also be configured to deny inbound and outbound traffic to and from the physical interface. This remedy is problematic for two reasons: (1) a VPN user connecting to an untrusted network has no ability to control the firewall and (2) it opens the same side channel present with the Linux mitigation.

The most effective fixes are to run the VPN inside of a virtual machine whose network adapter isn’t in bridged mode or to connect the VPN to the Internet through the Wi-Fi network of a cellular device. The research, from Leviathan Security researchers Lizzie Moratti and Dani Cronce, is available here.

source

Many Windows 11 users are up in arms after Microsoft added unremovable ads to its start menu in its latest update. Thankfully, a solution has arrived in "Oh F*ck Go Back" (OFGB), a program that allows users to disable every flavor of ad on the operating system with the click of the mouse.

OFGB comes from Maddy (@xM4ddy), a programmer who drives Arch Linux daily rather than Windows and was inspired to build the novelty tool for Windows anyway. The program presents a simple-to-use GUI that itemizes the ads you can remove, highlighting how many ads we enjoy on Windows now. Each checkbox clicked safely edits the registry for you, saving users undue confusion and the risk of breaking their OS with a typo. The program has found moderate levels of virality through Reddit and Twitter reposts and has even attracted a few thousand users. We could reach her for comment, asking about her reasons for leaving Windows behind, the tool's existence, and what life is like on the Linux side of the fence. Some responses have been minimally edited for clarity.

"I think the most important thing the tool has done is getting people to talk about ads and their place in paid software like Windows," said Maddy about OFGB. She continued, saying the program "is getting people to consider taking a look at alternative software like Linux. Remember, competition is good for consumers." Running Linux would make removing ads from your operating system a breeze; a brief trip to the console might solve the problem. "I only made this after Windows gave me an error when I ran 'sudo pacman -R ads.'"

We asked Maddy why, as a Linux user, she felt the need to build this tool for Windows. She responded, "I was getting more and more annoyed by ads in random places and decided to try to find an easy fix. After coming across a .reg file by Shawn Brink, I found my answer. After thinking more about it, I figured it may be accessible to more people if there was a GUI so that less tech-savvy people could easily set the registry keys without needing any knowledge of the registry."

Our next question for Maddy was about Windows and Linux and what prompted her to leave. "I switched over to Linux when I started programming and getting into tech when I was younger. What drew me to it was the customization it provided and the open-source nature. I was also enamored with other people's beautiful Linux setups," said Maddy. When asked if Windows could win her back, Maddy laughed, "Windows lost me a long time ago by adding more and more telemetry, ads, and the lack of easily configurable options. As soon as the last few programs that I just can't get away from are running right under Wine or Proton I plan to ditch it completely."

Our huge thanks to Maddy for her comments on her project. If you want to clean up the ads on your Windows 11 computer, you can find OFGB version 0.2 on GitHub. Windows' most recent update is undoubtedly less than popular as it brought ads and bugs that break your VPNs - a problem that has yet to be solved. If you want to follow Maddy into the wondrous world of Arch Linux, it recently beat Windows 11 in gaming performance testing, along with a few other more user-friendly Linux distros.

source