Is Customer Premises Equipment an IoT Solution?
Containers may hold the key to securing devices.
The Internet has a problem. Actually, it has hundreds of millions – soon to be billions – of problems, all which fall under the label the Internet Of Things (IoT). IoT devices range from ultra-low-power wearable electronics to the control systems for nuclear power plants. And in at least some cases, virtualization may be the solution to a whole lot of problems.
A number of IoT devices are notorious for having horrific-to-nonexistent security. Personal and small business broadband routers, for example. Security cameras. Literally anything involving home automation, ever.
With the adoption of IPv6, however, these devices are frequently directly connected to the Internet, with a publicly-addressable IP address. A large part of the notoriously bad security is that these devices are rarely updated.
Even if the vendor publishes updates, the devices are frequently owned – or at least locked down by – third-party vendors such as carriers and Internet service providers. As evidenced by the alarmingly poor history of Android phones, carriers are in no rush to support devices once in the hands of the customer.
Customers, for their part, don't update devices either. Those few that know such a thing is required and that it doesn't happen automatically rightly fear performing such a task, as updates to embedded devices have a nasty history of either bricking the device; or, at the very least, resetting all of its configurations to defaults.
For the explosion of the IoT into the tens of billions of units range to result in anything other than absolute catastrophe, a great many things need to change. Fortunately, the technology to solve these problems already exists.
Contain Your Problems
For all but the most anemic devices, the solution is actually pretty simple. Directly installed on the device's metal should be a lightweight hypervisor with the ability to carve up the device storage into multiple virtual drives.
Solutions from individual vendors can be packaged into virtual machines (VMs), with the VM running containers for individual applications. Each container should have two storage points: the application itself and the user data/settings.
Individual applications could thus be refreshed as easily as erasing the existing container's application storage and attaching a more up-to-date one. Backing up user data also becomes fairly simple, without having to mess around with backing up the whole device, or looking in numerous nooks and crannies. Just back up the relevant data/settings containers and the container catalogue.
The beauty of this is the underlying operating system -- pretty much always a Linux of BSD distro -- can be set to automatically update itself, resolving pesky bugs without vendor intervention being required. By choosing a stable enterprise Linux with a long-term service branch, devices can have reasonable lifetimes without putting a undue maintenance burden on developers coding the vendor apps that live in the aforementioned containers.
Sharing the Pain
One might wonder why a hypervisor is needed at all in this scenario. Strictly, it isn't. For some devices which will always be solely the provenance of a single vendor, containers are a great way to start attacking the IoT problem. The reality is that IoT devices are unlikely to stay single-vendor for long.
Powerful computers are cheap. Today's home broadband router, for example, can cheerfully run a hypervisor and three or four operating systems. These could contain the ISP-supplied firewall and connectivity interface, a third-party security suite, a cloud backup gateway and maybe some third-party IP television or IP telephony software that the ISP has partnered with to enable their "triple play" offerings.
Virtual Customer Premises Equipment to the Rescue?
Variations on this theme already exist today, and companies like Intel are investing heavily in the virtualization of Customer Premises Equipment (vCPE). The really fun parts start happening when the vCPE is actually just a stubby proxy application on the physical hardware that farms out the heavy lifting to a public cloud-based solution. Again, all easily doable with vCPE.
The ultimate goal is to have to put fewer devices into the homes and businesses of customers, but still be able to offer a wide range of different solutions that we can be convinced to subscribe to; and hopefully done a manner that makes updating and securing the applications, their operating systems and even their hypervisors simple and non-disruptive.
If we're really lucky, it will even make moving our vCPE data, settings and applications from device to device as easy as moving workloads from virtual cluster to virtual cluster in the datacenter. The tech exists. The use case exists. The big question: who will be the first to bring it to the mass market?
Trevor Pott is a full-time nerd from Edmonton, Alberta, Canada. He splits his time between systems administration, technology writing, and consulting. As a consultant he helps Silicon Valley startups better understand systems administrators and how to sell to them.