No, Linux isn't always best for IoT

Ask a connected device developer which operating system they prefer and most -- about three-quarters to be exact -- will reply with Linux. The open-source system is far and away the king of the Internet of Things (IoT) thanks to its flexibility and support for various architectures.

But there’s a problem. Simple, single-function devices like smart thermostats or connected bird feeders often don’t require the robust processing power of Linux. Loading these devices with multi-tasking capabilities can be inefficient and potentially risky. Recent reports of backdoor vulnerabilities in Linux, for example, raise concerns about its attack surface and open-source origins.

This matters since experts predict a major IoT growth spurt over the next five years. Driven by 5G adoption, infrastructure investment, and AI-native applications, the market for connected devices worldwide is set to double to almost $1 trillion. As devices only grow in the modern smart home and office, developers should keep in mind there’s an operating ecosystem beyond Linux.

The problem with Linux

Now don’t get me wrong. Linux is a great operating system (I’ve personally been on board since version 0.9x of the kernel) and there’s a reason why it dominates in this space. There’s something to be said for its architecture, compatibility, affordability, accessibility, and many other features. But, and it’s a big but, this doesn’t mean it’s suited for every connected device.

This is down to three major reasons. First, today’s devices are increasingly simple. We’re now connecting everything from baby monitors and doorbells to vacuum cleaners and even ovens. Most of these devices perform single or basic functions, making a full-featured operating system like Linux unnecessary. Ironically, this approach would have been impractical a decade ago due to resource limitations. Now, Linux is the OS go-to despite often being overkill.

Second, there’s the lingering question of cybersecurity. Linux recently experienced a major incident when a remote code execution vulnerability was discovered in XZ Utils, a widely used compression library. As I recently wrote, if left undetected, this flaw threatened to allow attackers to bypass authentication and gain full system access. More alarmingly, the backdoor was introduced by a long-time, trusted collaborator, raising concerns over whether the sprawling nature of Linux and its subsystems has become so vast that malicious code can be injected without detection.

Third, real-time operating systems (RTOS) have matured significantly in recent years, particularly in internet protocol support. With robust IP stacks like lwIP and security suites such as mbedTLS, RTOS now allows developers to implement secure web servers and meet industry standards for encryption and networking on resource-constrained devices.

The potential of RTOS

For device developers seeking a lean, focused alternative, RTOS players like Zephyr, FreeRTOS, and ThreadX are gaining traction. These market leaders compile applications directly into the OS, minimizing overhead and attack surfaces compared to dynamically loaded programs in Linux.

This architecture makes RTOS ideal for time-sensitive applications requiring low latency and deterministic performance, like industrial automation or medical devices. Since code runs with minimal abstraction layers, RTOS can deliver mission-critical responsiveness unachievable with general-purpose builds.

Moreover, RTOS benefits developers optimizing for constrained hardware. The small footprint and targeted functionality mean responsive devices can run on minimal memory and processing power. As embedded systems become increasingly specialized, the efficiencies of RTOS position it as an attractive solution over the often overly robust nature of Linux. With maturing tooling, middleware, and cloud integration, the RTOS renaissance empowers developers to build secure, scalable products tailored to their precise requirements.

What developers should do now

My request to developers is simple: deeply consider your device’s needs and resource constraints before defaulting to Linux. This is easy to determine by asking two key questions: How many concurrent tasks will the device run? And how much memory do those processes require? Armed with these answers, you can objectively evaluate if an OS or RTOS is right for you.

The RTOS renaissance offers developers powerful options for building secure, responsive IoT systems optimized for the realities of today’s embedded hardware. While Linux retains its versatility for complex applications, don’t overlook the real-time performance, attack surface reduction, and efficiencies of RTOS, especially as more devices come online with specialized functions.

Expand your operating system horizons and make evaluated decisions for each project’s unique needs. You can do this by considering factors like processing power, memory constraints, determinism requirements, and long-term goals. An open-minded and unbiased assessment may reveal RTOS as the superior choice for delivering a secure, high-performance embedded device tailored to its intended use case. It’s an IoT debate worth having.

Carsten Rhod Gregersen is CEO and Founder of Nabto.