Smart and secure: choosing IoT devices which shouldn’t compromise your home 2

In the first article in this series, I gave six groups of questions which you should ask about a smart device before inviting it to connect to your network. I now move on the consider those in more practical detail.

Operating systems for smart devices

One of the first sections in the specification of any smart device should be details of its operating system, as this gives good general indications of its likely security issues and potential problems.

Which operating system does it run?

The operating systems which you are most likely to come across in smart devices are Linux, Android, various real-time OS, and Windows Embedded, in that order of frequency.

Linux is by far the most common operating system used by smart devices, and may come in several different forms, such as Embedded Linux, µCLinux, or Snappy Ubuntu. Far from being a single, coherent operating system, Linux is a sprawling tree of derivative products, and it can be remarkably difficult to know how old and how secure any given release of one of these derivatives is. Even discovering the version of the Linux kernel which it uses (current is 4.2) may not be much help.

Most smart devices which use Linux as an operating system use quite old versions of the kernel, and an unspecified range of additional software which could contain known vulnerabilities. This is because the processor-firmware-OS heart of many smart devices is built in volume by a different supplier; that heart may well have been developed more than a couple of years ago, and its software frozen then.

For example, the current Nest Learning Thermostat runs an operating system based on Linux 2.6.37, and other smart devices may be based on Linux 2.4 or earlier. Nest provides complete details of all the Linux and other open source components which it uses, which is very helpful indeed.

For the hobbyist, Linux can be wonderful; for consumer devices whose robustness in the face of attack could be critical, Linux is a bit of a mess.

Android is also free and open source, and is based in the Linux kernel. At least it was originally intended for embedded systems such as cameras, and is now mainly targetted at mobile phones, tablets, and smart devices. It thus supports application sandboxes and other schemes which should make it less vulnerable to intrusion and hacking. However, as with Linux more generally, the version shipping with current smart devices may be two or more years old, and have multiple known vulnerabilities.

Originally, small microprocessor-based systems such as those used in smart devices did not run a general-purpose OS, but a real-time operating system. These have gradually fallen out of favour because they are such a minority pursuit. Those which could still be used include FreeRTOS and QNX. When properly implemented, these can be superb, but they can also be badly botched and vulnerable.

Windows Embedded operating systems are almost as complex as Linux variants, and stretch back to Windows CE (1996). Currently they are not popular with smart device vendors, even though 95% of the world’s ATM systems currently run Windows Embedded. Microsoft intends changing that, and is aiming to capture many different smart devices in the future. They thus remain an unknown quantity, although their track record, for instance with Windows CE, is not encouraging.

At present the only smart device running Apple’s iOS is the Apple TV, together with iPhones and iPads which typically function as controllers of smart devices. The Apple TV is central to Apple’s HomeKit integration framework which may become a major standard in the future. However at present no smart devices as such run iOS.

Are security and other updates pushed out to it, and how?

Even though the base operating system may be quite old, vendors should have applied patches to it and its major tools, particularly those involved with networking and security. Many of these will also be open source, and from time to time will have vulnerabilities discovered in them.

The ability for a smart device to update its operating system is therefore an essential feature, and an essential part of its support is for the vendor to push such updates out in a timely fashion.

In most cases, this should be straightforward, as the device will connect periodically to the support servers, which can check which version of its software is running, and download and install any updates which are available. When this happens, you should ideally be notified of the update. Unfortunately most vendors consider that they should not concern the user with such information. Vendors who do not share such information should be avoided, as should those who are slow in addressing and fixing software issues of any kind.

How long will that OS be supported?

Unless you fancy having to replace all your domestic smart devices every two or three years, it is important that they enjoy longer software support. There can be no doubt that Linux and recent Android releases should still be supportable in five or more years, although older versions of Android are getting to be more difficult.

More vulnerable are the less popular real-time operating systems, and Windows Embedded. Windows CE 1 lasted less than a year, Windows CE 2 less than three years, and this year has seen the launch of Windows 10 for embedded systems and IoT. Hopefully Microsoft will not abandon this latest iteration for some years to come.

Once you have obtained clear answers concerning the operating system which a smart device runs, its updating and support, you should move on to consider its networking and communications, the subject of the next article in this series.