Slashdot Mirror


Ubuntu Survey Discovers 'Consumers Are Terrible' About Updating Their IoT Devices (ubuntu.com)

Core evangelist Thibaut Rouffineau writes about the results of Ubuntu's survey of 2000 consumers about their Internet of Things devices: This survey revealed that, worryingly, only 31% of consumers that own connected devices perform updates as soon as they become available. A further 40% of consumers have never consciously performed updates on their devices... Of those polled, nearly two thirds felt that it was not their responsibility to keep firmware updated. 22% believed it was the job of software developers, while 18% consider it to be the responsibility of device manufacturers.

Canonical has taken the view for some time now that better automatic mechanisms to fix vulnerabilities remotely are needed as an essential step on the way to a secure IoT. We need to remove the burden of performing software updates from the user and we need to actively ban the dreaded 'default password', as Canonical has done with Ubuntu Core 16... It's clear to us that too many of the solutions to IoT security proposed today involve either mitigating security issues after-the-fact, or living in a world where IoT security problems are the accepted norm. This should not and cannot be the case.

They'll be publishing their complete findings in a new paper in January.

3 of 181 comments

  1. Re:Duh by Luthair · · Score: 4, Interesting

    Unfortunately manufacturers have previously abused the power of automatic updates to remove features or to shove 'features' down users' throats. And of course many other manufacturers don't even bother to issue updates anyway. Unfortunately I don't think we'll see any change to these problems without legislation.

  2. Is it so hard to bake in a cron job? by wierd_w · · Score: 4, Interesting

    Seriously, what the fuck!?

    Blaming ignorant users for not being technowizards? Yes, *WE* know how to update an embedded linux device, but your average person does not even know it runs embedded linux, let alone how to manage such a device manually.

    WHAT THE FUCK. No-- just embed a reasonable package management suite into the firmware that does digital signature checking, and a cron job to look for updates every week.

    This whole problem is a non-problem when handled properly.

    The real issue is that some corporate retard wanted to be a miser on the flash chips because he could get teensy weensie ones really cheap, and so essential functionality gets scrapped with a "blame the end user" scapegoat attached.

  3. Re:Duh by Dutch+Gun · · Score: 4, Interesting

    Yeah, I also suspect we're going to need legislation that demands automatic security updates for a reasonable lifetime of these devices. It's not viable to only provide updates for, say, the warranted period, because these are devices that may last for a decade or two, and if they have a security flaw, they can be used to actively harm others. The market won't self-correct for this issue, because it's a safety issue that's not readily apparent to the user, nor does it actively harm that user, instead collectively harming others.

    I have a feeling manufacturers would be a lot more careful with security and less eager to jump on the IoT bandwagon if they knew they were signing up for a *very* long support tail. Instead, they're treating these tiny internet-connected computers like any other disposable hardware, and that model is proving to be insufficient when the internet and security issues are thrown into the mix.

    Smartphone manufacturers took a few years and a couple of really nasty security flaws (and subsequent bad press) to get dragged to that conclusion as well. Well, some are starting to get it, while others still think they can "sell and forget".

    --
    Irony: Agile development has too much inertia to be abandoned now.