The Cybersecurity Weakest Link – Linux and IoT

When Linus Torvalds first started developing a free operating system back in 1991 in his spare time, nobody could have guessed what it would lead to.

Linux is not only the backbone of the internet and the Android operating system, it is now expanding into domestic appliances, motor vehicles and pretty much anything else that requires a minimal operating system to run dedicated software. The Internet of Things is very much The Internet of Things Powered by Linux.

But when Chrysler announced a recall of 1.4 million vehicles back in 2016 after a pair of hackers demonstrated a remote hijack of a Jeep’s digital systems, the risks involved with hacking IoT devices were dramatically illustrated.

So what does the rise of Linux and IoT mean for Cybersecurity in the Enterprise? Let’s take a look.

Our Networks Have Changed

Today’s defense solutions and products are mostly talking about Windows-based attacks: it’s the most prevalent operating system in the enterprise, and the majority of sysadmins are tasked with solving the security problems it brings. When people in business say “a computer”, they typically mean a Windows-driven computer.

Over time, however, the staggering popularity of Windows in enterprise IT has weakened. A growing number of DevOps engineers and advanced users are choosing Linux for their workstations. In parallel, the internal and external services a typical enterprise offers have moved away from Windows-based hosts to Linux distributions such as Ubuntu, SUSE, and Red Hat.

Linux Containers (LXC) have become almost a commodity, used with zero-trust and highly agile methodologies to spin up “destroy after use” web services and other applications. Linux containers have broad appeal for enterprises because they make it easier to ensure consistency across environments and multiple deployment targets such as physical servers, virtual machines (VMs), and private or public clouds. However, many Linux container deployments are tuned for performance, which often comes at the expense of security.

Beyond that, every device used in the network is now connected to the same networks where all the most valuable assets reside. What used to be a simple fax machine has now become a server. Our switches and routers are moving into the backbone of our most secure networks, bringing along the potential for cyber breaches as they do so.

Malware Authors’ Heaven

Let’s shift our attention for a second from the defender to the attackers, whose strategy whenever possible is to use minimal effort for maximum impact. In many cases, keeping things simple proves to be enough: when the key to the front door is waiting under the doormat, the thieves don’t care if the window is open.

If you look at your network from the attacker’s perspective, there are enough open doors among IoT devices to get in without the hassle of crossing the security mechanisms of the most common operating system. That does not mean you can relax the effort to secure your Windows devices — they still have severe weaknesses of their own (social engineering, anyone?) — but the network breaches involving IoT devices that have been exposed so far are just the tip of the iceberg.

Here are a few notable examples:

  1. Compromising a network just by sending a Fax
    Check Point researchers have revealed details of two critical remote code execution (RCE) vulnerabilities they discovered in the communication protocols used in tens of millions of fax machines globally. A patch is available on HP’s support page.
  2. The Mirai Botnet
    In October 2016, the largest DDoS attack ever was launched on service provider Dyn using an IoT botnet. This led to huge portions of the internet going down, including Twitter, the Guardian, Netflix, Reddit, and CNN. The Mirai botnet caused infected computers to continually search the internet for vulnerable IoT devices like digital cameras and DVR players, and then used known default usernames and passwords to log in and infect them with malware.
  3. 465,000 Abbott pacemakers vulnerable to hacking
    In the summer of 2016, the FDA and Homeland Security issued alerts about vulnerabilities in Abbott pacemakers that required a firmware update to close security holes. The unpatched firmware made it possible for an attacker to drain the pacemaker battery or exfiltrate user medical data. (The firmware was updated a year later.)

Regaining Control

As the variety of IoT devices, and of their inherent vulnerabilities, is high, patching can be a tedious and overwhelming task. That said, you cannot protect what you cannot see, so start with the basics: map out what you have and gain visibility into traffic, including the growing blind spot of encrypted traffic. This will allow you to fold IoT security into your existing security program.

The next step is to ensure that none of your devices still uses default credentials, and to start patching. While patching is no silver bullet, it can discourage attackers probing your network and send them off to look for easier victims.
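The visibility step above and the Mirai example earlier share one practical question: which internal source is sweeping the network for telnet logins, and which devices still accept telnet at all? The following script is an added illustration, not code from the original post or from SentinelOne; it reads a constructed key=value connection-log format (hypothetical addresses, not a real network) and reports both: sources that probed telnet on many distinct hosts (a Mirai-style fan-out) and hosts that accepted a telnet connection, which is the starting inventory for the default-credential and patching review.

```python
"""Spot Mirai-style telnet fan-out and exposed telnet listeners in connection logs.

Added illustration. The log layout below is a constructed key=value format,
not the output of any particular firewall or switch product.
"""
import re
from collections import defaultdict

# Constructed sample lines (hypothetical addresses, not from a real network).
SAMPLE_LOG = """\
2016-10-21T12:00:01Z src=10.0.5.17 dst=10.0.8.1 dport=23 proto=tcp action=allow
2016-10-21T12:00:01Z src=10.0.5.17 dst=10.0.8.2 dport=23 proto=tcp action=deny
2016-10-21T12:00:02Z src=10.0.5.17 dst=10.0.8.3 dport=23 proto=tcp action=allow
2016-10-21T12:00:02Z src=10.0.5.17 dst=10.0.8.4 dport=23 proto=tcp action=deny
2016-10-21T12:00:03Z src=10.0.5.17 dst=10.0.8.5 dport=2323 proto=tcp action=allow
2016-10-21T12:00:03Z src=10.0.5.17 dst=10.0.8.6 dport=23 proto=tcp action=deny
2016-10-21T12:00:04Z src=10.0.5.20 dst=10.0.8.3 dport=443 proto=tcp action=allow
2016-10-21T12:00:05Z src=10.0.5.20 dst=10.0.8.3 dport=23 proto=tcp action=allow
2016-10-21T12:00:06Z src=10.0.5.21 dst=10.0.8.9 dport=22 proto=tcp action=allow
"""

# Telnet ports that Mirai-class bots probe for default-credential logins.
TELNET_PORTS = {23, 2323}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])
        yield rec


def find_telnet_scanners(records, min_targets=5):
    """Return {src: sorted targets} for sources that probed telnet on at least
    `min_targets` distinct hosts. Denied attempts count too: a bot sweeping a
    subnet is visible in its attempts, not only in its successes."""
    targets = defaultdict(set)
    for r in records:
        if r["dport"] in TELNET_PORTS:
            targets[r["src"]].add(r["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


def exposed_telnet_hosts(records):
    """Hosts that accepted a telnet connection: the devices that still expose
    a legacy login service and need a credential and firmware review."""
    return sorted({r["dst"] for r in records
                   if r["dport"] in TELNET_PORTS and r["action"] == "allow"})


def analyze(text, min_targets=5):
    """Run both checks over one log text and return a small report dict."""
    records = list(parse_log(text))
    return {
        "scanners": find_telnet_scanners(records, min_targets),
        "exposed_telnet": exposed_telnet_hosts(records),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for src, dsts in report["scanners"].items():
        print(f"telnet fan-out from {src}: {len(dsts)} hosts -> {', '.join(dsts)}")
    print("hosts accepting telnet:", ", ".join(report["exposed_telnet"]))
```

The threshold of five distinct targets is an assumed starting point; on a real network it should be tuned per subnet size, and the log should be bounded to a time window so that a slow, legitimate management host is not flagged alongside a bot that sweeps a /24 in seconds.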

On the Linux side, there are enterprise-grade solutions available, some of which are more intrusive than others: they cover your assets at the cost of hooking into the kernel. Other Linux-based solutions focus on visibility and on monitoring “userland” behavior and processes. This leaves you more control, but can also make bypasses easier for malware.

Hardening IoT and Linux

Even though preparation is the key to addressing IoT and Linux cyber attacks, there is still much else that could be done.

On the IoT side, SentinelOne announced earlier this year the SentinelOne Ranger, a unique capability that allows network administrators to see exactly what is connected to their networks. This visibility allows them to see, understand and take proactive measures to reduce cybersecurity risk. Further, device manufacturers need to develop a common set of security mechanisms and standards. Until then, the best approach is to reduce the attack surface to a bare minimum: retire old devices, patch every device that must stay, and use vendors who invest in security and enforce authentication wherever possible.

On the Linux side, the situation is somewhat better, as software solutions and the main vendors like Red Hat continue to invest in securing the OS. However, there is no doubt that malware authors will persist in exploring and exploiting weaknesses in the OS and its software whenever and wherever they find them.

While defenders need to seal every gap and plug every hole, an attacker just needs one way in. In some cases, that way in could be your Linux hosts and IoT devices. We are in the midst of the IoT revolution, and the speed of change brings with it multiple security implications, some of which may be as yet unknown. The enterprise needs to be ready, and it needs to be vigilant.