Slashdot Mirror


Ubuntu Survey Discovers 'Consumers Are Terrible' About Updating Their IoT Devices (ubuntu.com)

Core evangelist Thibaut Rouffineau writes about the results of Ubuntu's survey of 2000 consumers about their Internet of Things devices: This survey revealed that, worryingly, only 31% of consumers that own connected devices perform updates as soon as they become available. A further 40% of consumers have never consciously performed updates on their devices... Of those polled, nearly two thirds felt that it was not their responsibility to keep firmware updated. 22% believed it was the job of software developers, while 18% consider it to be the responsibility of device manufacturers.

Canonical has taken the view for some time now that better automatic mechanisms to fix vulnerabilities remotely are needed as an essential step on the way to a secure IoT. We need to remove the burden of performing software updates from the user and we need to actively ban the dreaded 'default password', as Canonical has done with Ubuntu Core 16... It's clear to us that too many of the solutions to IoT security proposed today involve either mitigating security issues after-the-fact, or living in a world where IoT security problems are the accepted norm. This should not and cannot be the case.

They'll be publishing their complete findings in a new paper in January.

9 of 181 comments

  1. Smart Devices by sunderland56 · · Score: 4, Insightful

    If these IoT devices are so smart, why can't they update themselves?

    I'm not sure about most consumers - even geeky ones - but a normal list of fun-things-to-do-this-weekend doesn't usually include updating the software on my refrigerator and stove.

    1. Re:Smart Devices by epyT-R · · Score: 3, Insightful

      I have a better idea: how about having no 'smart' functionality that requires updating? No security issues whatsoever.

  2. Make updating easier by MoarSauce123 · · Score: 4, Insightful

    How many motherboards, routers, webcams, and other devices did I go through that stopped working after applying a firmware update following the instructions given by the manufacturer? I stopped counting. Worse even, once updated all configurations are reset to factory default and I had to either restore the settings if there was a means to back them up or redo everything from scratch. Who the f*ck has time for this? If manufacturers would make updating easy and failsafe the number of folks applying the upgrades would be much higher.

    1. Re:Make updating easier by BigBuckHunter · · Score: 4, Insightful

      How many motherboards, routers, webcams, and other devices did I go through that stopped working after applying a firmware update following the instructions given by the manufacturer?

      Even worse, after bricking a device and requesting support, you're asked the insulting question, "What issue were you trying to resolve by updating the firmware?", as if you've been doing something wrong and tampering with the device causing it to fail.

      Any not-horrible tech vendors out there that you would recommend?

  3. Re:Duh by Alain Williams · · Score: 5, Insightful

    In fact the device maker should be by law forced to supply updates for it for 3-5 years for any device they make that connects to the internet for security reasons.

    3-5 years is far too short. How often do you replace your: fridge, room light fittings, central heating system, ... ? For many this will be when they break, which for most of those things is 10-30 years. That is how long they should provide security updates for; with a source code escrow system that puts it all into the public domain if the manufacturer goes bust. Unfortunately many IoT manufacturers are only interested in a quick sale; once the next model is out the previous one receives no attention at all. The same is with 'phone manufacturers.

    In addition: if the IoT device relies on some manufacturer provided cloud service they should be forced to keep that running for 10-30 years as well.

  4. Main reasons. by DrYak · · Score: 3, Insightful

    Main reason number 1 :

    "automatic security updates" isn't such an attractive key point to put on a box to get more consumers.
    But "this device has 2x more pixels than the competition and you can control it from a smartphone app" is.

    (And a corollary: A gizmo that gets updated regularly will get fixes and new features for a longer time.
    This requires work from the company (paying devs)
    This means fewer units sold to replace obsolete models)

    Main reason number 2 :

    Just wait until hackers find a way to spoof the update source, and use it as a way to install their shit on your IoT gadget
    (e.g.: that's a vulnerability that's been found on Philips Smart LED light bulbs).

    Making auto-updates work correctly is HARD.
    - It requires advanced knowledge in cryptography
    - You're at risk of TIVO-ising the gizmo if you do it wrong
    - This requires that the company that makes the broken gizmo that needs a firmware upgrade be still around tomorrow. That might be the case with Microsoft, but that's hardly the case with countless Asian makers of cheap no-name stuff.

     

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Main reasons. by Gavagai80 · · Score: 3, Insightful

      "automatic security updates" isn't such an attractive key point to put on a box to get more consumers.
      But "this device has 2x more pixels than the competition and you can control it from a smartphone app" is.

      Perhaps the bigger problem is that a device that gets hacked and stops operating correctly in a few years is good for encouraging frequent purchases of newer models.

      --
      This space intentionally left blank
  5. Re:Duh by Anonymous Coward · · Score: 2, Insightful

    30 years? Bahahahahaha

    Just like phones and tablets ushered in a new era in computing where extensive surveillance and limits on user freedom were commonplace and accepted (and from some corners even encouraged), IoT crap will be the start of a new paradigm where it's normal to replace your refrigerator every 3 years because it no longer has enough RAM to remember how much milk you have.

  6. The problem is developers and new features by BlueCoder · · Score: 4, Insightful

    People are tired of "their" devices changing and needing to relearn how to use them over and over again.

    Software needs to be engineered such that the UI experience never changes but you can update the underlying security.

    Separate the UI from the underlying tech!

    No more new features unless someone wants/needs them.

    Stop the marketing eye candy.

    Keep it simple stupid.