by Swapnil Bhartiya

Linus Torvalds isn’t worried about IoT security

Apr 06, 2016
Internet of Things, Linux, Open Source

Security, he says, will always be playing second fiddle to functionality.

Devices like smart heaters, smart bulbs and smart refrigerators have direct access to an unlimited power supply and direct access to the internet. And things can go really bad.

And with IDC predicting that the worldwide IoT market will grow from $655.8 billion in 2014 to $1.7 trillion in 2020, security is becoming a very serious topic.

Bruce Schneier has talked a lot about the security risks of IoT, going so far as to say that IoT is unpatchable. Billions of connected devices are running some older version of Linux that has known exploits. The hardware vendors who sold these units moved on to the next version of the hardware and never bothered to update the OS powering these devices. They have no real incentive to do so. Their revenues come from the sale of new devices, not from updating older ones.

At the ongoing Embedded Linux Conference, which is co-located with OpenIoT Summit, Dirk Hohndel, Chief Linux and Open Source Technologist at Intel, asked Linus Torvalds whether he is worried about the scenario in which there are billions of unpatchable devices out there.

Torvalds replied that he isn’t overly worried about the unpatchable IoT devices that are already in use, saying, “I don’t worry about it because there’s not a lot we can do. As you say, it is unpatchable. It’s a fact of life.” Neither he nor the Linux community can do anything about those devices because it’s all about hardware vendors. But he is concerned about it from a problem-solving point of view: “It’s something we should worry about in the sense that we should make sure it doesn’t keep on happening.”

Historically, on the hardware side the big problem was that vendors were rolling out new hardware every six months, leaving the old hardware unpatched. Even if they used Linux they never released drivers or other components so the Linux community could help patch things up. “This is very frustrating to me as a kernel maintainer,” Torvalds said, “because at no point in the embedded world did those people push their improvements back to me, because they didn’t have the time to do that, really, and they didn’t have the time to interact with the kernel community, which A, we are busy people, but B, we have issues like maintainability and quality control that the people who are churning out a new device don’t have.”

The good news is that companies now have business models around IoT through add-on services and apps, which means they can continue to get value out of existing devices.

Another important thing that’s happening in the embedded and IoT space is that instead of churning out custom chips for each device with custom drivers running on them, device makers are finding it cheaper to use chips that are made in billions of units. This also makes it easier for kernel developers to target that hardware and patch holes.

Torvalds thinks that the ARM community in particular has started to become much better. He agrees that this issue still exists “…but we’re in the situation where, by now, as kernel people, we can actually patch up, or at least keep up with some of these hardware improvements, which in the embedded world, has traditionally not been the case.”

That said, security is not, and has never been, Torvalds’ primary concern: “I’m famous for not always agreeing with the security people is that security to me is always secondary. The primary job is always, get the job done. If you don’t get the job done, who cares about security anymore, because that piece of hardware will not be used.”

He is of the opinion that when a new industry comes up with new crazy ideas, it wants that functionality, that service, that feature to reach customers. Yes, they will get things wrong, but they will improve. When you build a smart bulb, you invest time in what exciting things it can do rather than spending years figuring out how it could be exploited by hackers. “Security is always, always, always going to be second, playing second fiddle to functionality,” says Torvalds.

“I think we’re getting to that point where now people are finally looking at [IoT] security, which is really, really good,” Torvalds said. “Will we ever be perfectly secure? No. Is it slightly distressing that there will be billions and billions of devices that are going to be open to security problems? It’s slightly distressing. I have smart appliances in my home. If somebody hacks into my home, and makes my furnace go crazy, and I wake up and it’s 95 degrees, I feel really stupid, but at the same time, many of these devices, it’s not the end of the world.”

Security will always be a cat and mouse game. Some security exploits may not burn your house down, but there can be other implications. Noah Harlan, community director/president of AllSeen Alliance, gave me this hypothetical example: our smart bulbs have access to an unlimited power supply and access to the internet, so someone can hack into these bulbs and build a massive bit mining network. The point is you can never think of all the possible scenarios in which IoT can or will be exploited. There will always be some guy sitting in his basement plotting, looking for an exploit. It’s a brave new world.