I’ll preface this by reminding everyone that I’ve been a huge fan/supporter/advocate of Linux since the mid- to late ’90s. That being said…

Embedded Linux has some issues that must be addressed.

Let me set the stage for you.

Recently, a security firm discovered a Linux botnet in the wild that can hit with a 150 Gpps DDoS attack. This botnet spreads via a trojan called XOR and can down websites very, very quickly.

This works through embedded Linux (such as router firmware) and brute forces its way to SSH access of a machine (by exploiting weak passwords–this is another issue all together, but one that rests squarely on users’ shoulders). Once the botnet has SSH access, it downloads the necessary files and then begins to quickly spread by connecting to other machines infected with XOR.

But how? How in the name of Dev Null can Linux, which is is considered the most secure platform on the market, be so… well… insecure? The answer to that remains in the devices spreading the attack.

Embedded Linux.

If you gain shell access to your router (say, any given modern ASUS router) and issue the command uname -r (the command that outputs the running kernel release number), you’ll be shocked to see the results. One ASUS router returned 2.6.22.19. That kernel was released in 2009.

We are currently at the 4.x kernel release and, as you might expect, a ton of improvements and security updates have been added and applied. To make matters worse, that particular kernel isn’t even maintained by Linux developers. In fact, that 2.6.22.19 kernel is only maintained by ASUS.

I can’t stress this enough. Makers of embedded Linux systems must update their kernels to modern (2015 or later) releases. It amazes me that these systems are using such out of date kernels. Even that outstanding DD-WRT firmware is using old kernels (depending on your router’s chipset):

  • Atheros: 2.6.23.17
  • Broadcom k2.4 NEWD: 2.4.37
  • Broadcom k2.4 VINT: 2.4.35
  • Broadcom k2.6: 2.6.24.111

How is this even remotely a good idea? Of course, I get it, there might be special needs for various pieces of hardware, and a modern kernel won’t work. If that’s the case, then it would probably behoove the developers to take the time and reverse engineer a modern kernel to work.

The solution to this problem? Embedded Linux developers need to create built-in systems for updating firmware that are actually reliable. And then they need to focus 100% of their efforts to bring that firmware to modern specifications before shipping the hardware.

Think about it… would anyone in their right mind be willing to run a Linux-based server with a 2.x kernel? No. Not only would they be missing out on all the modern goodness that’s found in the 4.x kernel, they’d be… what? Say it with me:

Vulnerable.

I don’t know about you, but I certainly don’t want to be deploying desktops or servers with Swiss cheese-like security holes. I don’t want that in my desktops, my servers, or my embedded systems. Even the Android Lollipop platform uses kernel 3.14. If a smartphone can adopt a more modern kernel, why is it that a router cannot? Is there some funky mojo going on with that hardware that doesn’t allow for a 3.x kernel? Even if that’s the case, why are router manufacturers using out-of-date hardware for something that should be helping to protect networks (at least home networks) from attacks?

If you are a developer for embedded Linux systems, please have a logical, irrefutable answer as to why six-year-old kernels are being used in your systems. I’m open to the possibility that there is, in fact, a logical reason for this. However, if there isn’t, this problem needs to be solved immediately.

Have you discovered a piece of hardware running an out-of-date kernel? If so, what was the hardware and what kernel release?