
Maarten Ectors
on 23 February 2016

The Internet of Scary Things – #IoScaryT


Your broadband modem is likely vulnerable to critical security bugs that allow hackers to remotely control it and you are at their mercy because your telecom operator is not going to do anything about it. Imagine a connected world with billions of things that are insecure. What should you do?

Last Thursday a critical GNU C bug was discovered that lets anybody remotely bring down a Linux machine. This bug comes months after Shellshock, Heartbleed, LogJam, etc., all bugs that let you either remotely bring down or even take administrative control of a Linux system. Every Linux system that uses C, SSH, encryption, the Bash shell, etc. is affected, i.e. most. Ubuntu users got updates before the news about these bugs was made publicly available. However, did you upgrade your broadband modem since last Thursday? Did your telecom operator upgrade it? The chances that your broadband modem, WiFi access point or anything in your house or business that runs Linux, i.e. TV, radio, home appliances, your alarm system, etc., is still not patched are close to 100%. Cheap hardware has come at the price of badly maintained Linux. Most embedded Linux systems you find in cheap network equipment and home appliances never get an upgrade during their lifetime. Even if a telecom operator wanted to upgrade the broadband modem, they don’t have a way to roll back if the upgrade fails. So the risk of doing the right thing comes with an even bigger risk of cutting your service if there is any failure in the upgrade.

Why worry?

Botnets can now take control of broadband modems in a country and completely disconnect it from the Internet, spy on everybody, even create ransomware [i.e. I have encrypted all the files I found in your home or business network and if you don’t pay me I will destroy the key!].

Modern cars have 100 million lines of code, and there have been recent hacks like the Jeep, in which hackers could take total control of the car and drive the poor Wired journalist off the road.

Baby monitors could be hacked by paedophiles.

In a world where 100 billion devices will be connected in the next years, it is scary to know how badly maintained lots of Linux systems are and how widespread Linux is.

What can you do?

Transactional updates have been a key feature of Snappy Ubuntu Core: you can remotely upgrade a connected smart device, and if the upgrade fails it is automatically rolled back. By default any correctly created Snappy Ubuntu Core device will automatically upgrade when security updates are available. Canonical, the company behind Ubuntu, has taken the stance that by default security updates should be free and installed daily.

The Internet of Scary Things – IoT can kill

Don’t be part of the club of companies that deliver devices and software to customers and pray they will never have a bug. Don’t be part of the Internet of Scary Things, #IoScaryT. Even a connected light bulb that is remotely switched on/off thousands of times a second can provoke a fire and kill the people living in that home. You can’t risk launching a connected product which does not transactionally upgrade. The risk is too high that you or the world pays a high price.
