In our previous article, we discussed the flaws affecting VxWorks, an obscure embedded OS that happens to be one of the most successful operating systems in history while remaining hidden from most users. We are in the middle of a major shift in computing, as competition for the standard IoT (Internet-of-Things) operating system starts to heat up. It is Microsoft vs Google this time, as Azure Sphere and Android Things battle their way to become the dominant embedded operating system for the IoT platform. But we have to make a reality check here: the number 1 operating system in IoT devices is VxWorks.
How did the 32-year-old operating system make its way into IoT devices, which are obviously products of the new millennium? Well, it all boils down to the SoC (System-on-a-Chip), the centerpiece that makes an electronic device tick. Also called microcontrollers (microprocessors, but with weaker computing potential than a full-fledged PC processor), these come with VxWorks fresh from the factory. A Real-Time Operating System (RTOS) is very different from a general-purpose OS like Linux, Android, Windows or macOS. It performs much simpler computation, with basic input and output capabilities, usually in a much smaller physical package.
VxWorks has the Urgent/11 bug, which was our main topic in the previous article. Unfortunately, the 2 billion devices we mentioned as affected by it mean that IoT devices loaded with a VxWorks-embedded SoC/microcontroller are in a problematic situation, cybersecurity-wise. Unlike with a general-purpose computer, a smartphone or even a tablet, there is no easy way to install the version 7 update, which will fix the bugs in the affected models of IoT devices.
This dilemma opens a new perspective on how enterprises and even consumers should treat IoT devices. Even though they have been available on the market for at least the last 5 years, they should still be treated as “beta devices”. Early adopters have the unenviable responsibility of facing the bugs in the devices, helping manufacturers resolve those bugs through reporting, and generally becoming the guinea pigs who use something before the masses embrace it fully. Windows has existed since 1985, and even with the empire-like level of funding available to a company such as Microsoft for developing Windows, Redmond has yet to fix all the problems in releasing updates. In fact, people switching to Linux have one big complaint about Windows 10: the quality and quantity of updates that are forcibly installed on computers without user permission.
VxWorks, being an embedded operating system (casually called firmware), is not easy to administer, and its cybersecurity defense posture is bad by default because it is obscure to many people, even experienced system administrators. How can you secure an operating system that you don’t know is there to begin with? The devices that use it have weak microcontrollers, hence a facility for firmware updates is not part of the common specification but rather just an afterthought. What we would like to share with you is the question:
Does the company really need an IoT device? Never ignore this powerful question, as it can determine whether your company will be a future victim of a data breach or safe from hackers for the foreseeable future. What we recommend is to stay out of IoT adoption at this point in time, for the sake of cybersecurity, and wait for these devices to mature. Or at the very least, wait for either Google or Microsoft to become the dominant operating system vendor for IoT devices. Whether we like it or not, it is better to pay for a Microsoft or Google support contract than to communicate with an obscure company like Wind River, which is responsible for the VxWorks product.