​Linux founder Torvalds on the Internet of Things: Security plays second fiddle

For the first time, Linus Torvalds speaks at an embedded Linux conference: "Many changes have been invisible. Even I don't see all the uses of Linux."
Written by Steven Vaughan-Nichols, Senior Contributing Editor

SAN DIEGO -- For the first time, Linus Torvalds has spoken at an embedded Linux conference, the Linux Foundation's 2016 Embedded Linux Conference & OpenIoT Summit.

It's not that embedded Linux hasn't been important before. Your DVRs and Wi-Fi routers almost certainly run Linux. What has changed is that the Internet of Things (IoT) is transforming embedded Linux from being a topic only programmers could love to one everyone will be using soon.


Intel's Dirk Hohndel and Linux's own Linus Torvalds talk about Linux and the Internet of Things.


This development caught Torvald, Linux's founder, by surprise -- 15 years ago. "I never see the entire chain running Linux. Twenty five years ago I started Linux wanting a workstation. From that to a server wasn't a surprise. There was no single point where I was surprised, but 15 years ago I started seeing these odd, embedded systems. The first one that really caught my eye was a gas pump running Linux."

Today, Torvalds continued, "Many changes have been invisible. Even I don't see all the uses of Linux."

Of course, Linux isn't the right operating system for all embedded devices. After all, the Linux kernel keeps growing. Therefore, Torvalds said, "If you're doing something really tiny, like sensors, you don't need Linux."

But that still leaves a lot of room for big embedded Linux devices. In particular, Torvalds sees Linux playing a large role in the IoT because "you also need smart devices. The stupid devices talk different standards. Maybe you won't see Linux on the leaf nodes, but you'll see Linux in the hubs."

Personally, Torvalds added, "I'm never been very interested in very small OSs. I liked working with hardware. But, if it doesn't have a memory management unit, I don't find it that interesting."

One problem Linux has in embedded and IoT is that vendors release products as quickly as six weeks apart between editions. This means there's no feedback to Torvalds or the Linux kernel community. Another is that, as security experts such as Bruce Schneier have noted, IoT devices are unpatchable.

Torvalds, who has always taken a pragmatic view of security, isn't too worried, "I don't worry about it because there's not a lot I can do. Yes, devices are often unpatchable. We need to make sure unpatchable doesn't happen."

Besides, Torvalds continued, "Job one is to get the job done. In a new industry things will get done without security. Security plays second fiddle. It will be slightly distressing if someone hacks into my home furnace and turns up my heat to 95, I'll be bothered."

Torvalds added, "In theory open source can be patched. In practice vendors get in the way." Anyone who follows the gap between Google's Android security patches and when vendors ship the patches--if ever--knows what he's talking about.

Still, Torvalds said, while "not all Linux devices get the love they deserve, in proprietary systems, you're often left with old security holes. For example, the iPhone 4 was released in 2010 but by 2014 Apple was no longer supporting it with operating system and security patches.

One update method that is available for Linux smartphone users -- and Torvalds thinks might work for embedded and IoT embedded Linux devices -- is an alternative operating system from non-vendors. For example, "Cyanogen offers updated Android for older smartphones. Can't this be done with other devices if vendors allow upgrades?"

In general, Torvalds is finding that while the "embedded world has been hard to work with, it's getting better. They've discovered it's cheaper to buy commodity chips even if they're not perfect rather than always making customized hardware. The ARM community, in particular, is getting better, so now the kernel people can keep up with ARM embedded systems. It's not perfect, but we're getting better."

Another problem, Torvalds sees coming is getting IoT devices to talk to each other. He fears that when it comes to smart home hubs, there will be no one ring to rule them all in IoT standards. Instead there will be three or four major IoT communication programs.

Dirk Hohndel, Intel's ‎chief Linux and open-source technologist, observed that, "TCP/IP networking eventually beat the proprietary systems such as token-ring." Torvalds replied, "I'd love there to be one standard, but I don't think we'll see that for IoT connectivity."

Looking ahead, Torvalds said, "I don't know where Linux will be. I'll do the best thing I can do that day. There's never been much planning. Linux grew naturally. I don't make five-year plans. I think they're a fool's errand. I know what's happening in the next merge window. That's part of what makes Linux great." And, Torvalds believes that will also keep Linux the favorite operating system for smart embedded systems and the IoT.

Related Stories:

Editorial standards