Author Topic: Linux backdoor threat is a wake-up call for IoT  (Read 266 times)

Online javajolt

  • Administrator
  • Hero Member
  • *****
  • Posts: 35588
  • Gender: Male
  • I Do Windows
    • windows10newsinfo.com
Linux backdoor threat is a wake-up call for IoT
« on: May 12, 2024, 05:59:57 PM »
Linux is often the default choice for many IoT devices, but with a recent backdoor threat, we look at why an RTOS can better deliver security and minimalism.

Linux – the biggest name in open-source operating systems – is in crisis after a “trusted” contributor was discovered to have inserted a backdoor in a software package that could have resulted in a massive software supply chain attack.

This is particularly concerning for the Internet of Things (IoT) considering that Linux accounts for about 70% of all device operating systems. For developers, this infiltration suggests that Linux and its subsystems are getting so big that malicious code can be easily injected without notice. One safeguard is to return to operating system (OS) basics and other, simpler alternatives.

Let’s look at why, in this moment of cybersecurity, real-time operating systems (RTOS) are the safer bet amidst Linux’s expanding threat surface.

What just happened in Linux?

This incident marks one of the biggest ecosystem breaches in recent memory for Linux. In late March, a developer uncovered a remote code execution vulnerability in a software package part of XZ Utils, a library for compressing and decompressing files. Alerted by failing SSH logins and high CPU utilization, developers soon realized that the flaw enabled remote attackers to bypass authentication and gain complete system access.

Even more concerning? The backdoor was initiated by a “trusted” collaborator who had been working on the open-source project for several years.


It’s worth taking a step back and considering why this matters in IoT. Of course, when developing a device or system, one of the earliest and most crucial decisions developers make is deciding the type of OS. Linux is often the default choice for many devices and projects, from Android smartphones to smart TVs, thanks to its advanced memory and processing power.

However, these are two features that devices don’t always need.

The case for RTOS

The truth is that many devices don’t need to run on Linux. It’s often the industry preference, sure, but this doesn’t mean it’s the right choice. For example, running simple devices like connected doorbells on a full-fledged Linux OS would have seemed crazy a couple of decades ago due to resource constraints. Now, it’s part and parcel of modern IoT.

This hack should serve as a wake-up call that not every device warrants Linux. Basic devices like sensors or monitors – and, yes, even doorbells – usually serve one function at a time. They can therefore benefit from the resource efficiency and focused functionality of RTOS.

In Linux and other general-purpose operating systems, programs are loaded dynamically after boot, often with the ability to run in separate memory and file spaces under different user accounts. This isolation is beneficial when running multiple applications concurrently on a shared server, as one user’s programs cannot interfere with another’s, and hardware access is shared equally through the operating system.

In contrast, RTOS operates by compiling applications and tasks directly into the system with minimal separation between memory spaces and hardware. Since the primary goal of an IoT device is typically to serve a single application, possibly divided into multiple tasks, this lack of separation is not an issue. Additionally, because the application is compiled into the RTOS, it is ready to run after a very short boot and initialization process.


The ‘how-to’ process using FreeRTOS for a connected device. (Image: Amazon AWS)
This is relevant in IoT because device developers usually know two key pieces of information:

   • How many tasks will be running?

   • How much memory do these applications/processes need?

Therefore, armed with this insight, developers can determine if RTOS is a good fit. Usually, regardless of whether we’re talking about Zephyr, Azure RTOS, or Free RTOS, the ability to guarantee predictable and low-latency task execution makes these systems an attractive choice.

Additionally, Linux adds many more layers of complexity. For example, I’ve seen camera devices where developers didn’t have enough expertise to properly configure and minimize the Linux installation/distribution, leading to potential security risks. Again, selecting the right OS from the start can save unnecessary development hurdles in the long run.

A trade-off worth making

The discovery of this critical vulnerability in a core Linux package, introduced by a trusted contributor no less, demonstrates the escalating security risks facing IoT ecosystems. For developers, this incident underscores the importance of approaching OS selection with security as the top priority. While Linux offers unparalleled functionality, that power often comes at the cost of increased complexity that requires significant expertise to properly configure and harden the installation.


Every IoT device has a unique URL for automatic location over the Internet, and RTOS with an IoT
platform allows secure, authenticated, and extremely low bandwidth peer-to-peer connections to be
established even when the device is deployed behind a NAT firewall. (Image: Nabto)
On the other hand, RTOS is designed from the ground up with security and minimalism in mind. By focusing solely on executing discrete tasks with low latency, rather than multi-process and multi-user multitasking, RTOS offers a reduced attack surface with clear visibility into the limited codepaths. Moreover, since the application is compiled directly into the RTOS, and due to the nature of many microcontrollers, it is extremely difficult – if not impossible – to inject random code for execution through techniques like stack overflows. This is because the only code that can run is located in the system’s flash memory. Consequently, the compile-time integration of components further minimizes potential vulnerabilities.

Of course, RTOS by nature trades some functionality for security. But for the vast majority of IoT use cases that require simple, dedicated operation rather than multi-purpose computing, this kind of system can provide real-time performance and security essentials.

The expanding threat landscape for Linux shows that, particularly for IoT, this separation of security and functionality may be a trade-off worth making.

source