IoT is largely transitioning from hype to implementation with the growth of smart and connected devices spanning across all industries including building automation, energy, healthcare and manufacturing. The automotive industry has given some of the most tangible examples of both the promise and risk of IoT, with Tesla’s ability to deploy over-the-air software updates a prime example of forward-thinking efficiency. On the other side, the Jeep Cherokee hack in July 2015 displayed the urgent need for security to be a top priority for embedded devices as several security lapses made it vulnerable and gave hackers the ability to remotely control the vehicle. One of the security lapses included the firmware update of the head unit (V850) not having the proper authenticity checks.
The growing number of embedded Linux devices coming online can impact the life and health of people, communities, and nations. And given the upward trajectory of security breaches coinciding with the increasing number of connected devices, the team at Mender decided to address this growing need.
Mender is an open source project to make it easier to deploy over-the-air (OTA) software updates for connected Linux devices (Internet of Things). Mender is end-to-end, providing both the backend management server for campaign management for controlled rollouts of software updates and the client on the device that checks for available updates. Both backend and client are licensed under the Apache License, Version 2.0.
Mender recently became a corporate member of the Linux Foundation. Here, we sit down with their team to learn more about their goals and open source commitment.
Linux.com: What does Mender do?
Thomas Ryd, CEO of Mender: our mission is to secure the world’s connected devices. Our team is focusing the project to be an accessible and inexpensive approach to securing their connected devices. Our goal is to build a comprehensive security solution that is not only inexpensive to use, but easy to implement and use. That will naturally drive Mender to be the de facto standard for securing connected Linux devices.
Eystein Stenberg, CTO of Mender: our first application is an over-the-air software updater for embedded Linux and our first production-ready version will focus on an atomic, dual file system approach to ensure robustness — in case of a failed update due to power failure or poor network connectivity, the device will automatically roll back to the previous working state.
Linux.com: How and why is open source important to Mender?
Ralph Nguyen, Head of Community Development: When we initially ventured into this problem, there were very little OTA solutions that were end-to-end open source. There were limits to some end-to-end vendors for their backend, while others were simply incomplete and didn’t have either a backend or client. There are many proprietary software products targeting the automotive industry, but none provided the level of openness we anticipated. And most of the embedded Linux folks we’ve spoken to implemented a homegrown updater. It was quite common that they had a strong distaste for maintaining it! This was a recurring theme that sealed our initial direction with OTA updates.
And the accessibility of our project for embedded Linux developers is important from a larger perspective: security is a major, tangible threat given recent events such as the Mirai botnet DDoS attack and developers shouldn’t be faced with vendor lock-in to address these very real challenges.
Linux.com: Why did Mender join the Linux Foundation?
Ryd: The Linux Foundation supports a diverse and inclusive ecosystem of technologies and is helping to fix the internet’s most critical security problems. We felt it was only natural to join and become a member to solidify our commitment to open source. We hope it will be an arena for learning and collaboration for the Mender project.
Linux.com: What are some of the benefits of collaborative development for such projects and how does such collaboration benefit Mender’s customers or users?
Nguyen: Our team has a background in open source, and we get that the more eyes there are, the security and quality of the code will increase accordingly. A permissive open source license such as ours encourages a thriving open source community which in turn provides a healthy peer review mechanism that closed source or other restrictive licenses simply cannot compete with. We anticipate the Mender project will improve vastly from a thriving, collaborative community which we hope to encourage and support properly.
Linux.com: What interesting or innovative trends are you witnessing and what role does Linux or open source play in them?
Stenberg: The core mechanisms required for almost any IoT deployment, for example within smart home, smart city, smart energy grids, agriculture, manufacturing, and transportation, is to collect data from sensor networks, analyze the data in the cloud and then manage systems based upon it.
A simple use case from the home automation industry is to open your home from your smartphone. It typically requires the states of the locks in your home to be published to the cloud (data collection), the cloud to visualize the overall state to your smartphone, open or locked (analyze) and give you the ability to change the overall state (manage).
The capabilities of the IoT devices vary, it can be a very heterogeneous environment, but they can generally be split into 1) low-energy sensors that run a small RTOS (Real Time Operating System) firmware of tens or hundreds of kilobytes and 2) local gateways that aggregate, control and monitor these sensors, as well as provide internet connectivity.
Linux plays a large and increasingly important role in the more intelligent IoT devices, such as these local gateways. Historically, the majority of device vendors developed their own proprietary operating systems for these devices, but this is changing due to the increasing software complexity. For example, developing a bluetooth or TCP/IP stack, web server or cryptographic toolkit does not add any differentiation to a product, while it does add significant cost. This is an area where the promise of open source collaboration is working very well, as even competitors are coming together to design and implement the best solution for the community.
Cost and scale are two important keywords for the IoT. Embedded development has historically required a lot of customizations and consulting, but in the future we will see off-the-shelf products with very large deployments, both in terms of hardware and software.
Linux.com: Anything else important or upcoming that you’d like to share?
Ryd: We have been working on Mender for two years and it has been a market-driven approach. Our team has engaged with over a hundred embedded Linux developers in various capacities, including many many user tests to ensure we were building a comprehensive solution to address software updates for IoT. What has become clear is the state of the union is downright scary. There have and will forever be bugs in software. Shipping connected products that can impact people’s lives and health not having a secure and reliable way to update software should soon be a thing of the past.