The Attack of the #ThingWars

In April I warned about the risks, but now it has happened. We will all get hacked sooner rather than later by IoT. Botnets, viruses, hackers and ransomware are attacking our less smart, or at least less safe, smart devices. The biggest denial of service attack we have ever seen in the history of the Internet is happening and 150,000 IP cameras and DVRs are actively involved. For insiders it is no surprise that whole classes of embedded devices can easily be hacked. Most of these devices are sold by hardware companies that wouldn't know how to create a secure Linux kernel if their survival depended on it. The truth is insecurity might soon kill their brand’s reputation.

We live in a world where devices are sold for hundreds, tens or sometimes mere dollars. Margins are in the low single digits. Competition is very stiff. So what do you do as a device manufacturer if your customers see no difference? You add a home-brew Linux to your device, you ship and you pray. Most consumer hardware manufacturers have no easy way to patch their products once they have shipped. That used to be fine because the device was so constrained you couldn't do a lot with it. Cheap ARM, MIPS and Intel processors are changing the rules. You can now have a computer with the specs of yesteryear’s supercomputers, smaller than a credit card, for under $10 retail. Gigabytes of storage. Gigahertz speed. Gigabytes of memory. Giga-hacker-fest.

So what can be done?

Thanks to value chain mapping we knew this was going to happen, so we created an open source solution: Snappy Ubuntu Core. You can securely run apps, called Snaps, on devices and they can’t attack their neighbouring apps or the operating system. You can upgrade the Snaps, operating system and kernel separately. Thanks to transactional upgrades, if something goes wrong you just roll back to the last working version. The operating system is automatically updated with the latest security patches. You can now run Snaps on lots of different Linux flavours and easily make your own Snap. Soon you will even be able to run your own branded snap store. So any device manufacturer that does not want to reinvent the wheel, does not want an insecure product and wants to get extra revenue years after their product was sold should check it out. The rest of us should just ask, next time, whether the new device we want to buy can be transactionally upgraded and whether its apps are securely constrained. If not, we might turn our home or office into a hacker’s paradise!

Ken Tola

CEO of Bear Systems

7y

I find it amazing that these stories keep appearing... and nobody seems to want to take action. Trust me, at our company we actually have a solution - one that does interfere with features already in place - and while everybody nods their head, nobody is willing to write a check...

Sriram Juturi

Digital Strategy, Transformation, and Enterprise Architecture

7y

Stefan Bode

BDM SaaS Services Central Europe at PTC Technology

7y

As long as applications are developed without user management and then afterwards "enhanced", this will never work, neither on the application side nor on the IoT-Thing side. No open ports, and always encrypting ANY communication with strong keys and with validation of the communication partners, is a minimum requirement to start.

Jesse DeMesa

Chief Product Officer at IoT Squared

7y

Security at the device, infrastructure and data layers is significantly lacking. A single supplier, IoT platform/ecosystem provider cannot drive this in isolation, yet we see this direction in the market. We need to drive standards and solutions that can be applied across the multiple platform and ecosystem plays in the market.

Protection at the OS layer is only part of the needed solution.
