Microsoft's New Windows 10 IoT Core Pro Could Spell Trouble For Security
Microsoft's Windows 10 IoT Core Pro version is designed to allow OEMs to defer and control updates through Windows Server Update Services (WSUS).
The company has just announced the latest version in a blog post, stating that it is introducing a new Windows 10 IoT Core Pro to bring flexibility to its partners and customers. The company hopes that the new Pro version will meet the servicing needs of OEMs and ODMs and that it will help ensure the security and better management of devices.
"Windows 10 IoT Core provides an optimized platform for building smaller and low cost industry devices like IoT gateways," wrote Billy Anders, partner director of Program Management at Windows IoT, in a blog post.
Microsoft also announced the commercial availability of Windows 10 IoT Core to all device builders. This means that, like the Pro version, it is also available to both OEMs and ODMs.
"We are working with our ecosystem partners to provide you, as a developer, with the hardware and software options you need to be successful in this market," said Microsoft.
Launched in August, Windows 10 IoT Core's vanilla version also received a number of tweaks, as mentioned in the blog post. These include the new "direct memory access bus" driver for running native code, which brings major performance improvements in GPIO; full support for the TX/RX pins for Raspberry Pi 2 owners; and support for the Realtek RTL8188EU and RTL8192EU Wi-Fi chipsets.
What differentiates IoT Core from IoT Core Pro is that the latter features the ability to defer and control updates through WSUS.
Being able to defer updates can be good if OEMs of connected things hold updates back in order to test them and ensure that things will not break.
However, the trouble can begin when a thing-maker decides to delay the updates, which will eventually deprive connected things of fixes.
OEMs of connected things are known to have a bad track record in terms of implementing patches. Researchers are also saying that third-party drivers that are installed through Windows Update pose security risks. Currently, there are over 25,000 potential USB drivers which users can download. These include drivers that are duplicates, generic or obsolete.
According to Microsoft, they have included an in-box driver that is designed for the FTDI USB-to-serial chipset "because many devices use that as the interface port for controlling them (for example, Home Automation Systems)."
Microsoft also added support for more Wi-Fi dongles. This includes support for the official Raspberry Pi Wi-Fi dongle and a pair of Realtek Wi-Fi chipsets which are regularly found in several other dongles such as the TP-LINK TL-WN725N. The company said that the added support will allow users to connect their Windows 10 IoT Core device to the Internet a whole lot more easily.
Paul Stone, principal consultant at Context Information Security, said that some third-party drivers can have vulnerabilities which can be exploited by hackers.
"We have started to download and investigate some 2,284 third-party drivers," said Stone. "Our concern is that when plugging in a USB device, some of these drivers may have vulnerabilities that could be exploited for malicious purposes. Everyone is familiar with the 'searching for Drivers' and 'Windows Update' dialog boxes on their desktops - but these seemingly innocuous windows may be hiding some serious threats."
In the meantime, the Ministry of the Interior IT security office in Berlin said in a draft document that poorly secured consumer routers can result in mass compromise of users. It explained that the increased functionality of SOHO routers, such as VoIP call capability and network attached storage, will require stronger security measures. When attacked, users can face a number of issues such as being denied net access, being enslaved into botnets and dealing with premium phone calls that they did not make.
Other current Microsoft releases include the Windows 10 IoT Enterprise version, which had a summer release, and Windows 10 IoT Mobile Enterprise, which was released in November 2015.
"We are continuing to evolve our commercial platform ecosystem working closely with key partners and through continued engagement with our OEMs and makers," said Microsoft.
There's no information yet on when Microsoft will finally bring Windows 10 Industry to the company's embedded community.
Source: TechnoMeda