The Errant Race to Embedded Linux

“The Errant Race to Embedded Linux” originally appearing in Automated Buildings
 

As manufacturers race to make their widgets “smart”, and IoT is becoming a household word, there has been an ever-growing increase in the use of embedded Linux systems. When the Raspberry Pi was introduced, the thought of using an ARM processor to web-enable devices became very lucrative. Since then many other boards have appeared on the scene, like the Beaglebone, RIOTboard, and BananaPi, just to name a few. Each has its unique features, and all are readily available. The Pi and Beaglebone developer kits are available online or at your local electronics store. With the proliferation of these devices, many companies are willing and able to private label the open source hardware. That’s right, you too can have your own product line.

Utilizing Single Board Computers (SBC) to make devices smart and OEM’ing them is nothing new. Anyone familiar with some of the big chip company development boards would instantly notice similarities between their products and those in the HVAC/R industry. A brief perusal of a Mouser or DigiKey catalog will yield some intriguing finds for the uninitiated.

The danger of this rush to smart devices is that some “manufacturers” are taking hobby grade equipment and developing it as a viable commercial solution. This is to the embedded world as a big box store painting department is to a commercial painter. That paint may be fine in a dorm room, but do you want that in your home or office?

Many of these devices have onboard debugging ports whereby a hacker could gain direct access to the chip, although that would require the hacker to be physically present. They also come with many of the vulnerabilities that may occur with Linux (Shellshock, Heartbleed, etc.). A hacker doesn’t have to be at these devices to break them if they are online. How will intellectual property be preserved with open hardware embedded Linux devices?

Hacking a Linux appliance doesn’t require a great deal of sophisticated skill. A simple bench test discovers an open SSH port; run a cracking program over that SSH port and voilà, you have gained root access to the device. Once there, the device is yours, as are all of its contents. In fact, a more malicious individual could use this knowledge to scan for devices on the internet and effectively “brick” those devices or use them for more devious means.
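The exposure described above depends on the device accepting password logins over SSH, for root in particular. As an added example (not from the original article), the following audits a device image's `sshd_config` text for those settings; it assumes OpenSSH rather than another SSH server, the defaults listed are assumed for current OpenSSH releases, and the two sample configurations are constructed.

```python
import re

# Assumption: values current OpenSSH applies when a keyword is absent.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
}

def effective_settings(config_text):
    """Return global sshd settings; sshd keeps the first value it reads."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()                   # keywords are case-insensitive
        if key == "match":                       # conditional blocks not audited
            break
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        seen.setdefault(key, value)              # first occurrence wins
    return {**DEFAULTS, **seen}

def audit(config_text):
    """List settings that leave SSH open to password guessing."""
    s = effective_settings(config_text)
    findings = []
    passwords = s["passwordauthentication"] == "yes"
    if passwords:
        findings.append("PasswordAuthentication yes: passwords can be guessed remotely")
    if passwords and s["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: a guessed root password gives full control")
    if s["permitemptypasswords"] == "yes":
        findings.append("PermitEmptyPasswords yes: accounts without a password can log in")
    return findings

# Constructed sample: settings of the kind shipped on a hobby-grade image.
WEAK = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: key-only logins, no direct root login.
HARDENED = """
PermitRootLogin no
PasswordAuthentication no
PasswordAuthentication yes   # ignored, the first value wins
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "no findings")
```

The check covers only these three keywords in the global section; an empty result does not mean the rest of the configuration is sound.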

Tux, the Linux mascot

Embedded Linux devices, like any other device, must keep their software updated to maintain security. The network security world is ever-changing, so how will updates be enforced on these devices? Will users make it a priority to keep “smart” devices patched? Will the manufacturer auto-update, and if so, what means will be taken to ensure this is done successfully (remember iOS 8.0.1, 7.1.2, or 6.0.1?).

I feel that some manufacturers may be making a critical error in jumping aboard these devices. The real answer is that manufacturers need to “Pay for good advice and take it.” After all, there is a vast difference between a consultant and a salesman. Is your technology contractor acting as a good steward of your property or a snake oil salesman? Does their team have a well-crafted and engineered solution, or is it a hobby grade device?

One thing is for certain, “What has been done will be done again; there is nothing new under the sun.” Ecclesiastes 1:9

— Chris Favre, Executive Vice-President, Automation Integrated, LLC, Oklahoma City, www.ai-sys.com

Chris Favre has over 20 years of experience in the HVAC/R industry and has developed customized integrated solutions for security, oil & gas, education, healthcare, manufacturing, and multi-site retail industries.