Linux is the operating system of choice for Internet of Things devices. But when it comes to choosing Linux distributions, developers don’t have much say in the matter. Even worse, the version of Linux they launch their IoT solution with is likely to be the same version that will run in production for months, possibly years down the road.
“The hardware manufacturers pay some attention to what’s popular, and that tends to be Ubuntu,” said Christopher Biggs, founder and director, Accelerando Consulting in Australia. “In general, the offerings from hardware manufacturers are not great in that they are probably offering a distribution that’s a couple years old and they might have a kernel that’s out of date. If it develops a flaw, you may never get an update.”
This differs from what developers are accustomed to. “The PC you bought three or four years ago will run the new version of Windows. In the IoT space, that’s not necessarily the case at all, and it might be that if you used a chip built three or four years ago, then you’re stuck with a version of Linux that’s also three- or four-years-old,” said Christian Daudt, senior member technical staff engineer at Cypress Semiconductor Corp.
The problem is that hardware vendors aren’t providing updateable devices. “The low margins and highly competitive environment make this an unacceptable cost for most,” said Biggs.
The cost for companies building an IoT solution with these outdated chips is another thing altogether. “The biggest risk of a device that is not receiving updates is that an exploitable vulnerability is found,” explained Biggs. If there isn’t a vendor fix, “there is no defense for owners of affected devices, short of cutting them off from the internet.”
Another potential problem: “The kernel can be so old, it doesn’t work with the current version of Docker,” said Biggs.
Linux distributions — or the vendor’s release cycle — aren’t typically considerations when developers choose the hardware for an IoT solution. Instead, the hardware choice is driven by factors like the specific use case and amount of memory required to support it. “Hardware can force you into a distribution because the hardware vendors provide the distribution,” explained Andrey Katsman, vice president of engineering at Canary.
What then? “The simple way, the path of least resistance is to stick with [the operating system] the hardware vendor gives you, but you can be stuck with bugs and restrictions. It’s a trade-off calculation between will you spend the time upgrading it yourself or will you pick a different piece of hardware that’s more up to date?” said Daudt.
There is a cost to consider if the organization decides to upgrade the OS itself.