MWC: Future Heartbleed and Shellshock bugs will plague IoT devices, warns Canonical

Security is a key issue for the IoT, claims Canonical

BARCELONA: Critical security bugs on a par with the Shellshock and Heartbleed vulnerabilities will inevitably appear in the near future, according to Ubuntu maker Canonical.

Maarten Ectors, Canonical’s vice president of next-generation networks and proximity cloud, told V3 that the nature of software development means that security will hamper the growth of the Internet of Things (IoT).

“Have you heard of any big technology that hasn’t been hacked lately? There are always going to be bugs like Shellshock and Heartbleed,” he said, speaking at Mobile World Congress (MWC).

Heartbleed is a flaw in the OpenSSL implementation of the Transport Layer Security protocol used by open source web servers such as Apache and Nginx, which host around 66 percent of all sites.

Shellshock is a bug in the Bash code used in numerous Unix-based or Unix-like operating systems, including Linux and Mac OS X, that could be exploited by hackers to target critical infrastructure systems, for example.

Ectors highlighted the bugs’ existence as evidence that most companies’ security patching processes are not fast enough.

“Whenever we see Shellshock or Heartbleed-style bugs we find that for a long time [devices like] your server or router will be vulnerable because the company behind them doesn’t update them or, if they do, people don’t upgrade,” he said.

“For us when dealing with connected devices what’s important is improving security for the millions of new devices that are connecting to the internet, and making sure people get the patches they need immediately.”

Ectors highlighted the potential exploitation of vulnerable applications as another danger.

“Apps can have a disastrous effect. People can accidentally add bad code or have outright malicious code added in. We need to assume the worst,” he said.

“We’ve found that if you really know how Linux works you can destroy things from the inside with bad apps.”

Ectors’ comments follow research from McAfee, part of Intel Security, showing that several popular applications still do not include critical patches addressing the Heartbleed flaw.

He said that Canonical has already begun taking measures to address the app security and patching problems for its Ubuntu Core IoT platform.

“For most people, we think security is more important than having a slightly slower performance. What we’ve done for Ubuntu Core is build a secure containment around apps. So an app cannot do anything it likes,” he said.

“We’re also doing things like making it so the operating system will run in a read-only mode when running an app. We’ve also worked to make it upgradable. We automatically push the updates to smaller users, so the moment a patch comes out they will have it.

“If you are looking at industrial or corporate installations we’ll run tests and liaise with the company to let them make their own informed decision.”

Ectors’ concerns come during a heated debate about the importance of security in the competing IoT standards currently being used by developers.

He said that Ubuntu will not back any one IoT standard and will instead continue to support developers as an open platform.

“We want to enable the developers to choose which standard should win. We don’t have a company agenda here. All 25 standards are out there and the developers will pick the best one they think should win,” he said.

Canonical is one of many firms bemoaning current cyber security levels. Google began offering grants worth up to $3,000 to investigate suspected security flaws as a part of an “experimental” initiative in February.


3 March 2015 | 12:22 pm – Source: v3.co.uk
