How the Zephyr Project Is Working to Make IoT Secure


Fragmentation has been a big problem for IoT since the beginning. Companies were doing their own workarounds, there were no standardizations, and there was no collaborative platform that everyone could work on together. Various open source projects are working to solve this problem, but many factors contribute to the woes of IoT devices. Anas Nashif, Technical Steering Committee (TSC) Chair of the Zephyr project believes that software licensing can help.

Nashif admits that there are already many open source projects trying to address the domain of embedded devices and microcontrollers. “But none of these projects offered a complete solution in terms of being truly open source or being compatible in terms of having an attractive license that would encourage you actually to use it in your product. Some of these projects are controlled by a single vendor and, as such, don’t have an acceptable governance model that breeds confidence within users,” said Nashif.

The ideal situation is a project with a democratic governance model, released under a permissive license, without a single entity in control; it should be driven by a community. That’s exactly what Zephyr is. It’s an open source project to create a real-time operating system (RTOS) optimized for resource constrained devices, across multiple architectures. Zephyr is a Linux Foundation project that was launched by Intel about two years ago.

“Zephyr is basically an attempt to drive community and developers towards one single IoT and embedded OS in open source that addresses many issues that many of the industrial members have been dealing with over the last few years,” said Nashif, an open source veteran who has been working at Intel for more than 13 years.

It’s not Linux

Zephyr doesn’t use the Linux kernel. Its kernel comes from Wind River’s VxWorks Microkernel Profile for VxWorks. The first version of Zephyr, which was launched some two years ago, came out with a kernel, an IP stack, L2 stack, and few services. Then Intel decided to open source it. They took a saw to it and cleaned the code, then they started talking to industry leaders, especially The Linux Foundation. The project was launched with Intel, NXP, and Synopsis as launch members.

The 1.0 release didn’t focus on a complete solution from day one; the idea was to cover the areas that most people at that time were interested in, especially IoT. The initial release of Zephyr came out with a couple of boards on which it could run, so people could try it out. “The idea was actually to get attention from those facing the same problem in the ecosystem and get them involved in the project,” said Nashif.

At the same time, the Zephyr team wanted to get the attention of the community of hobbyists and makers. “The maker community has started using microcontrollers to automate a lot of things,” said Nashif. This community now does some exciting things with these projects and has become very active.

What about licensing?

Previously,  we mentioned that software licensing played a role in fragmentation of IoT space. “Zephyr was launched under the Apache license. This is very permissive , which means you can take it and do whatever you want,” said Nashif. Doing whatever you want includes keeping pieces of your stack proprietary, something which is not doable with Linux, which is released under GNU GPL v2.

Nashif has been involved with open source work for decades; he worked on Linux for almost 15 years, so he is well aware of the nuances. But he admitted that he has come across many companies who can’t use Linux on their embedded devices or microcontrollers.

Basically, if you are developing something that you can’t disclose, then you can’t use Linux, and you need to go and do your own thing, according to Nashif. “That’s basically what causes fragmentation and people reinvent the wheel over and over again. We are trying to address this with Zephyr,” he said.

Nashif said many people in this space are still skeptical of open source; they don’t want to use open source fearing they will have to release their own code, too, but Zephyr is helping to change that mindset.

When the Mesh Networking Specifications were finalized, Intel was able to offer an implementation of it for Zephyr OS. Many users working in the IoT space were excited to see the implementation as they could easily use Zephyr instead of using their own custom solution. So, now they have started to look at open source more seriously.

“There are few companies who have never done open source before, but after trying Zephyr they have started to contribute back,” said Nashif. “They have learned that not contributing back is like shooting yourself in the foot.”

Who is using Zephyr?

Because Zephyr a fully open source project, it’s difficult to track exactly who is using it in what use cases. However, Nashif said that he was aware of it being used in smart lights, connect home devices, and many other use-cases of mesh networks.

“We were in Germany attending an event and we came across a vendor who was using Zephyr for an inventory management system. People are using it in wearables, smart glasses, and even watches,” said Nashif.

Intel is also using Zephyr in its products. The company recently announced two new open source projects, under The Linux Foundation umbrella: ACRN and Sound Open Firmware project. Nashif said that both of these projects can use Zephyr. The good thing about Zephyr is that it’s not limited to IoT or microcontrollers, it can be used anywhere — even laptops or servers.

Security measures

One of the biggest challenges that Nashif sees for Zephyr is the demand for functional safety,  security, and privacy. There’s been a lot of reporting around vulnerabilities and exploits in the IoT space. “Security shouldn’t be an afterthought. Security must be part of how you develop and run your process,” said Nashif. The Zephyr Project is working on mechanisms to meet these safety and security requirements.

Security is always a mix of hardening the hardware, the OS, and the applications that run on it. Zephyr can’t control hardware level hardening; that comes from the hardware vendors. “What we do, however, is provide the basics and run the process in a way which does not allow,  for example, exploits and bugs to go unnoticed,” said Nashif.

The project has been busy introducing memory protection features to Zephyr, which are been already available in commercial RTOS and environments. “We support threat isolation and memory protection on three major architectures supported by Zephyr,” he said.

No system can be 100 percent secure. Continuous updates to patch holes and fix bugs are needed. Zephyr allows for over the air, machine-to-machine, and over Bluetooth updates. Regardless of the environment it’s used in, there are easy ways to keep Zephyr-powered devices updated.


Zephyr is trying to solve some of the most critical problems facing the IoT and maker community. And, the fully open source project exists under the umbrella of The Linux Foundation so anyone can start using and contributing to it. This may be the answer the IoT community was looking for.

Join us at Open Source Summit + Embedded Linux Conference Europe in Edinburgh, UK on October 22-24, 2018, for 100+ sessions on Linux, cloud, containers, AI, community, and more.