A Multitude of IoT Operating Systems Is Bad News for the Safety of the Internet

Even though we can safely blame most Internet security issues (and enjoy the growth of the Internet security industry) on vulnerable operating systems and programs deployed over the past two decades, we have actually been lucky that there were only a handful of operating systems that ruled the world. Imagine the life of an Internet security engineer if there had been hundreds of operating systems to choose from, with attacks coming from any one of them. Unfortunately, that challenge is not too far from becoming a reality unless we solve the forthcoming IoT OS proliferation problem.

An IoT OS free-for-all

Nearly every new “thing” being added to the Internet now has its own OS. Think of laundry machines, microwaves ovens, televisions, garage doors, doorbells, street lamps, connected cars, and what not. Nine billion devices are currently connected to the IoT, and that figure is forecast to rise to between 20 and 50 billion devices by 2020.

Unlike PCs and other computing hardware, these devices are not being controlled by just a few standardized operating systems. In fact, they are being manufactured without any standards at all, except that they allow Internet connectivity. To fit into the small footprints of the devices they are providing connectivity for, many of the operating systems installed on these devices are cutting down on security, if it is being considered at all. And to make things worse, most of these devices are running their own proprietary versions of Linux, Android, or increasingly, some other operating system cobbled together with poorly written code embedded with hardcoded backdoors.

Lack of standards is bad news for security

When there are a limited number of Operating Systems available, such as Windows, Linux, Android, etc. – OS and security vendors can focus on and find vulnerabilities and provide patches and fixes in a reasonable manner and time. But when the number of options gets out of control, and have private versions of operating systems begin to proliferate in the market, things get out of hand very quickly.

There are currently a staggering number of IoT OSs in production, including Windows 10 for IoT Core, Windriver VxWorks, Google Brillo, Embedded Applie iOS and OS X, Nucleus RTOS, Green Hills Integrity,  Huawei LiteOS, OpenWrt/LEDE/Linino/DD, Ostro Linux, Raspbian, Snappy Ubuntu Core, Tizen, uClinux, Yocto, Apache Mynewt, Arm Mbed, Contiki, FreeRTOS, Fuchsia, Nuttx, RIOT OS, TinyOS, Zephyr.

But this is just the tip of the iceberg. There are a multitude of new operating systems in the making, many which are not even known yet.

Figure 1 Source Google Trends for DDoS Search Term – The last peak corresponds to the Mirai IoT Bot attack

One CCTV/DVR vulnerability and the first major chaos

The recent notorious (or shall we call it “bot”-orious) IoT-based DDoS attack (see Figure 1), named Mirai, was caused due to the exploitation of a known vulnerability in the operating systems used by dozens of CCTV cameras and DVRs. And a newly discovered Trojan malware, dubbed Rakos, uses a brute force SSH login attack to compromise IoT devices embedded with vulnerable versions of Linux.

Now imagine if someone next finds similar vulnerabilities in smart TVs or washing machines, and then in connected doorbells or lawn sprinkler systems, and on and on. Given the volume of available devices and OSs, the proactive detection of vulnerabilities is increasingly difficult to achieve. Instead, many won’t be discovered until after they have been exploited, and then vendors will have to be found and informed, and the vulnerabilities have to be corrected. And even that may not be enough.

Unfortunately, many IoT devices are headless, meaning that they literally cannot be patched, so other security measures will have to be developed. Until then, the Internet will face the havoc resulting from IoT-based shadownets for hire, and major DDoS attacks and Cyberwars will be launched by exploiting IoT vulnerabilities.

Standardization is the need of the day

Legislative bodies in Europe and the US have already begun to look at this issue and propose new laws and standards. Buyers of IoT also need to unite to force vendors to standardize on the operating systems they use so that this escalating situation can be brought under control. In terms of security, and the potential impact continuing IoT-based attacks could have on our emerging digital economy, less is certainly more.

In the meantime, which may go on for quite some time, here are a few things for you to consider to protect your organization:

1. Establish strong access controls to identify and inspect IoT devices and traffic connecting to your network.

2. Segment your network to isolate IoT traffic, control the spread of attacks, and to identify and quarantine infected devices,

3. Fortify your infrastructure with a security fabric designed to tie your distributed security devices together in order to increase visibility and coordinate responses to attacks