The slow but power-sipping LTE Category M technology is coming out in a chip

On Tuesday, Sequans Communications announced what it called the first chip for LTE Category M, a variant of the global mobile standard that is tuned for low-power IoT gear like utility meters, factory sensors and wearables. The chip, called Monarch, will be ready to go into devices when Category M networks go live late this year or in early 2017, the company said.

IoT devices need a different kind of network from what phones and tablets use. No one's firing up those IoT devices to watch HD video or play games, but no one's plugging them in for recharging every night, either. They need slower connections that don't drain the batteries, because they may be out in the field for 10 years.

Upstarts like SigFox, Ingenu and the LoRa Alliance sprung up in recent years to meet these specialized needs with LPWANs (low-power wide-area networks). The opportunity could be huge: Machina Research estimates nearly 1.5 billion connections by 2020.

 3GPP, the international body that brought you LTE, is adapting that standard so it can do some of the same things. This could make it easier for carriers to start bringing new IoT devices online through something as (relatively) simple as a network software upgrade.

The 3GPP let rivals get a head start in this area, but there's still time to make Category M a hit, Machina analyst Godfrey Chua said via email. IoT is in an early stage, and some regions and industries are adopting it only now. But a key test for Category M will be whether it works as well as promised.

"Tech specs are one thing, but another is proving it can perform in the field," he said.

Sequans already has at least one carrier partner, Verizon, for its Category M development. The companies previously worked together on LTE Category 1, an earlier standard for less power-constrained IoT devices like cash machines, point-of-sale terminals and vehicle telematics systems. Verizon has since brought Category 1 devices onto its network.

Sequans' Monarch chip complies with two variants of Category M. The first, Category M1, has an upload speed of 375Kbps (bits per second). Category M2 is even slower and less power-hungry and can upload data at 55Kbps. (These devices will send out more data than they download, so they're slightly faster upstream.)

The M1 standard is nearly done and M2 should be complete by the middle of this year, according to Sequans. M2 has been in the works for some time, previously under the name NarrowBand-IoT.

In addition to meters and wearables, things like health monitors, home-automation gear and asset-tracking devices may use M1 or M2 networks. With power management technology that Sequans builds in, the Monarch chip will allow small devices to last 10 to 15 years on a battery, the company said.

Gemalto, a digital security company, is partnering with Sequans to build IoT device modules with added features around the company's chips. In addition to working on Monarch-based LTE M1/M2 modules, on Tuesday Gemalto announced modules built around Sequans's LTE Category 1 chip. The new Gemalto modules are equipped for fallback to a 2G or 3G network if LTE Category 1 isn't available.

Linux!!! Stop what you're doing and apply this patch

A buffer-overflow vulnerability uncovered Tuesday in the GNU C Library poses a serious threat to countless Linux users.

Dating back to the release of glibc 2.9 in 2008, CVE-2015-7547 is a stack-based buffer overflow bug in the glibc DNS client-side resolver that opens the door to remote code execution when a particular library function is used. Software using the function can be exploited with attacker-controlled domain names, attacker-controlled DNS servers or man-in-the-middle attacks.

Glibc, which was also at the core of the "Ghost" vulnerability found last year, is a C library that defines system calls and other basic functions on Linux systems. Its maintainers had apparently been alerted of the new problem last July, but it's not clear if any remediation effort was launched at that time.

Google and Red Hat independently reported the problem this week and a patch is now available.

"Our initial investigations showed that the issue affected all the versions of glibc since 2.9," Google explained in its Online Security Blog. "You should definitely update if you are on an older version, though. If the vulnerability is detected, machine owners may wish to take steps to mitigate the risk of an attack."

For those unable to patch immediately, Google has found some mitigations that may help prevent exploitation, including limiting response sizes accepted by the DNS resolver locally.

The company does not plan to release its exploit code, but it did release proof-of-concept code to help users determine if they're affected by the issue and verify any mitigations.

"The part that makes this interesting is that DNS is a core infrastructure component, which means that a lot of subsystems and applications could potentially be impacted," said Mark Loveless, a senior security researcher at Duo Security. "The main things listed initially were ssh, curl, wget and similar command-line Linux utilities, but it is possible that other processes could also use the library calls in the exact way needed for exploit."

In theory, other non-Windows systems that use glibc could be affected as well, Loveless added, including other Unix-based operating systems or even operating systems for mobile devices or tablets.

All Linux servers and Web frameworks such as Rails, PHP and Python are likely affected, as are Android apps running glibc, according to a post by Kaspersky Lab.