In October, a DDoS attack on Dyn's infrastructure took down a big chunk of the internet, making sites like Amazon and Twitter inaccessible. It was the first major attack involving IoT (internet of things) devices. Fortunately, it was also a benign attack: no one got hurt, no one died.
However, the next attack could be catastrophic. No one knows when it will happen. No one knows the magnitude.
There are billions of IoT devices out there: web cameras, thermostats, doorbells, smart bulbs, refrigerators, heaters, ovens, and much more. IoT devices are low-hanging fruit for cybercriminals because, for all theoretical and practical purposes, a majority of these devices are insecure by design and insecure by default. It should be called IIoT: insecure internet of things.
Canonical, the parent company of Ubuntu, has developed a free and open source operating system called Ubuntu Core, specifically for IoT devices. It's designed from the ground up with security and ease of maintenance in mind, and it approaches IoT the way it should.
According to the IoT page of Ubuntu.com:
Ubuntu Core is a tiny, transactional version of Ubuntu for IoT devices and large container deployments. It runs a new breed of super-secure, remotely upgradeable Linux app packages known as snaps ‐ and it's trusted by leading IoT players, from chipset vendors to device makers and system integrators.
Jamie Bennett, Engineering Manager, Snappy Ubuntu, explained how Ubuntu Core works. Software on an Ubuntu Core system is distributed as a snap. This packaging format makes it super easy for an Independent Software Vendor (ISV) to deliver software to an Ubuntu Core device. The actual route an ISV has to take to fix a vulnerability is:
- Fix the vulnerability in their code
- Use the snapcraft tool to create a new snap (which can also update a dependency within the snap, so if there is a vulnerability in any library they can easily upgrade their snap with the fixed version of that library)
- Upload this to the Ubuntu Store
"Afterward, all internet-connected Ubuntu Core devices will receive the update within 8hrs (we have a refresh mechanism on the device that checks for updates 4 times a day and downloads new versions of any software installed if it finds it in the Ubuntu Store). Note that this is the same for any software on the device, including Ubuntu Core itself. In a similar vein, if an OEM has their own software on the device they use the same mechanism to update their software too," said Bennett.
What it means is that the software component of the IoT device running Ubuntu Core will remain updated automatically, without any user or vendor intervention. In most cases, the devices won't even require a reboot, which means no downtime.
"Security is about vigilance and responsiveness. There is no up-front strategy to avoid future attacks, it's more important to be able to fix things quickly and reliably," said Shuttleworth. That's the crux. I see no reason for IoT vendors to not use systems like Ubuntu Core that offer optimum security and almost zero cost.
Source: Ubuntu Core