KernelCare Brings Bootless Security Patching to Azure IoT Hub

Organizations deploying multiple connected devices running Linux can now keep them patched with no reboot required on the Azure IoT Hub for the cloud.

Christine Hall

April 2, 2021


CloudLinux has partnered with Microsoft, and KernelCare IoT is now available for the Azure IoT Hub. The offering, Device Update for IoT Hub, recognizes and fills a critical security gap for Internet of Things devices by letting users apply security patches to the Linux kernel on the fly, with no reboot required.

While Microsoft was building Device Update for Azure IoT Hub – which is still in preview – it set about addressing feedback from customers whose IoT device operating systems were going unpatched because the devices couldn't be taken offline to receive updates. The solution was to approach CloudLinux.

"Over a number of months, we worked with them, dev team to dev team," said Jim Jackson, president and chief revenue officer at CloudLinux. "We built a proof of concept, everything worked, and then we became part of the new release Azure just announced."

CloudLinux’s KernelCare service supports several Linux distributions commonly used on IoT devices, including Amazon Linux 2 on EC2 A1, Raspberry Pi, Ubuntu Core, and Yocto Project.

Jackson said the idea for creating the IoT version of KernelCare came from feedback the company received at the security-focused RSA conference in San Francisco in 2019, where the company had a booth to promote both CloudLinux OS, the company's flagship security-focused Linux distribution, and the x86 version of KernelCare.

"We had a number of visitors say, you guys should move this to support Arm technology, because there's a big problem in those kinds of devices not being able to be updated," he said. "We heard that enough that we said 'let's port it to Arm,' and we did. That got us onto like things like Graviton 2 on AWS, which is all Arm based. That was helpful. It also got us into industrial control systems kind of use cases in IoT."

Because IoT deployments tend to be unique and not stamped out of a mold, CloudLinux offers free POC evaluations for enterprise IoT users. Jackson said that this is primarily to help users decide what method they should use to apply the patches.

"KernelCare is really a service versus a product," he said. "We build and deploy patches as the CVEs come out, and you can either elect to have them automatically deployed as they show up or you can stage them, which most of our larger clients do. They pull down the patches, then they do their own test rollouts and use various tools, including our ePortal, to go ahead and deploy broadly after that."

Jackson said that customers like the KernelCare service specifically because it keeps them patched without requiring downtime. Typically, a kernel patch requires a reboot, because the kernel already loaded in memory is still the unpatched version until the system restarts.

"Our best use cases are anything that needs to run 24/7 and can't easily be taken out of service to receive updates," Jackson said, and pointed to factory automation, meatpacking facilities, and public utilities as big users. "Anything that is a target, because if someone came and said we've compromised your factory systems and if you don't give us Bitcoin we're going to shut them down, you can't do anything about it."

"A lot of the devices that control those industrial control systems have gone years without updates," he added. "You can imagine the number of CVEs [Common Vulnerabilities and Exposures] that are piled up just waiting."

For the time being, Jackson said, the POC component is such an integral part of the process of getting a new customer trained to use the service that getting started with KernelCare on Azure's IoT Hub isn't going to be as easy as, say, firing up a virtual machine or a Kubernetes cluster on EC2.

"The integration is there, but if an Azure IoT Hub customer decided to use the kernel integration with ADU [Azure Device Update], then we would engage in that POC with the end customer," he said. "The Azure team will obviously be engaged and involved, but it would be our transaction at this point."

"Eventually they may be heading down a path to a full kind of an OEM integration," he added, "but right now we would do the commercial side of it ourselves."

Jackson said that although KernelCare IoT is currently available for AWS's Graviton servers, the service is not yet available on Greengrass, AWS's cloud IoT hub.

About the Author(s)

Christine Hall

Freelance author

Christine Hall has been a journalist since 1971. In 2001 she began writing a weekly consumer computer column and began covering IT full time in 2002, focusing on Linux and open source software. Since 2010 she's published and edited the website FOSS Force. Follow her on Twitter: @BrideOfLinux.
