Am I missing something here? The custom linux kernel part isn't interesting at all - in fact, Microsoft has pretty much admitted they can't scale down Windows.
What's interesting to me here is Microsoft is building an IoT solution that allows manufacturers to delegate security to Microsoft instead of having to roll their own.
"Don't roll your own security" has been the marching drum of an entire sector of IoT companies working within the connectivity "slice of the pie."
The general mindset has been that iot has a couple slices: the "thing" (air conditioner vibration sensor), how that thing is connected (Ethernet plugged directly into a smart vibration sensor, or vibration sensor plugged into a connected data-recording device), the transmission/storage of that data (cloud solution? Servers on site? Internet y/n?), Analysis of that data (Microsoft IoT platform? Rolled solution? Now defunct Autodesk iot platform?), and finally the acting upon data collected (chief engineer scheduling repairs/maintenance, project manager ordering new motors, whatever).
So many companies have tried "rolling their own" because they got it working on a raspberry pi or Arduino in a week, then find out their connectivity is not secure at scale (let alone that the solution can't scale at all).
Let specialists specialize. No reason not to let big daddy Microsoft handle the messy bits.
Disclosure, I work at electric imp, thus considering myself firmly in the "secure connection and transmission" slice of the pie.
Disclosure 2, we're partnered with Microsoft for their new IoT push, lol.
Let specialists specialize. No reason not to let
big daddy Microsoft handle the messy bits.
If you're planning to make a product that will last 20 years - a residential thermostat, for example - using a third-party service as the foundation of your product seems naïve to me.
I mean, Microsoft or AWS is at least better than a startup, in that they're less likely to go bankrupt - but even Windows XP, one of most long-lived products out there, was only supported for 12 years even with 'extended support'.
Not to mention the fact whoever provides the cloud services will likely be looking to make recurring revenue over those 20 years.
If you go with partners, though, swapping them out may not be too painful. I mean, working on twenty year old cold is always painful, but at least for some of my demo devices, when Autodesk's iot platform was retired, I swapped it to Microsoft's pretty easily. It's just data.
...and even then, you're not secure forever. So many times the best security practices have been shown to be insufficient. In fact, I wonder what the scoreboard actually would read, 'roll your own' vs 'best practice'? Maybe not all that different.
I like your idea of a scoreboard. I'm gonna float this at the office. Then again, we're not keen to talk about the fact that nobody has found a flaw in our security model because it'll just invite a ddos, which, yea, I guess that counts as a flaw?
As for forever, hence why companies like Microsoft and EI have models for "continual update" on connected devices The idea being that the security upgrades never stop.
Yet that update channel is a door for other attacks. Either its perfectly secure, in which case you need to use that security for your whole app! Or its not, and its vulnerable too. And terribly dangerous, because when broken it may allow complete compromise of the entire device.
I agree with you that this creates a new attack vector. I understand Microsoft is doing some research in the area of IoT device security. This paper describes an interesting approach [1]. It seems there is an eye towards compromised devices (from the fourth page):
"Highly secure devices have renewable security. A device with renewable security can update to a more
secure state automatically even after the device has been compromised. Security threats evolve and
attackers discover new attack vectors. To counter emerging threats, device security must be renewed
regularly. In extreme cases, when compartments and layers of a device are compromised by zero-day
exploits, lower layers must rebuild and renew the security of higher levels of the system. Remote
attestation and rollback protections guarantee that once renewed, a device cannot be reverted to a
known vulnerable state. A device without renewable security is a crisis waiting to happen."
n.b.: MSFT employee, not associated with above work
e: hmm, I realized that the IoT linux offering is actually paired with the MediaTek chip announcement. I guess this is the product incarnation of the technology from the paper?
I do frontend so I don't have intimate knowledge with our device onboard security, but I do know at the very least any update must have the correct key, access to which is remarkably controlled.
The "ensure device updates are not malicious" question gets asked at least once a month here. It only gets stronger.
You are asking exactly the right questions, though. These are the sort of holes we find in customer home rolled solutions. Another one is factory enrollment vulnerabilities - how do you guarantee that factories don't walk out with your code, stick some malicious stuff on it, then install it on the device before shipping it?
Windows runs on IoT devices, Raspberry Pi's... essentially, there aren't many mainstream hardware platforms Windows can't run on. And .NET Core runs on all of them, too.
This is not about Windows technical capability - which is effectively every bit as good as Linux in this space. This is about, "OK, developers, you'd rather have Linux than Windows on your IoT device? Cool. Now get connected to Azure for that IoT data, we'll help you keep that device secure and up-to-date." It's about market share for Azure.
What's interesting to me here is Microsoft is building an IoT solution that allows manufacturers to delegate security to Microsoft instead of having to roll their own.