Ubuntu Survey Discovers 'Consumers Are Terrible' About Updating Their IoT Devices (ubuntu.com)

Core evangelist Thibaut Rouffineau writes about the results of Ubuntu's survey of 2000 consumers about their Internet of Things devices: This survey revealed that, worryingly, only 31% of consumers that own connected devices perform updates as soon as they become available. A further 40% of consumers have never consciously performed updates on their devices... Of those polled, nearly two thirds felt that it was not their responsibility to keep firmware updated. 22% believed it was the job of software developers, while 18% consider it to be the responsibility of device manufacturers.

Canonical has taken the view for some time now that better automatic mechanisms to fix vulnerabilities remotely are needed as an essential step on the way to a secure IoT. We need to remove the burden of performing software updates from the user and we need to actively ban the dreaded 'default password', as Canonical has done with Ubuntu Core 16... It's clear to us that too many of the solutions to IoT security proposed today involve either mitigating security issues after-the-fact, or living in a world where IoT security problems are the accepted norm. This should not and cannot be the case.

They'll be publishing their complete findings in a new paper in January.

31 of 181 comments

  1. Customers, you had one job! /s by mimino · · Score: 2

    All right, a device that is like a home appliance will not be treated as something in need of updating, ever. I think those 31% will never re-update the devices after that first time.

    1. Re:Customers, you had one job! /s by MouseR · · Score: 2

      If you have to spend your time upgrading all your IoT devices, it becomes a chore that is a turn-off for people. Not just their lighting system.

      Since before IoT was a thing, my house was rigged with 3 AirPort Express and a TV. The TV updates itself (it's essentially just a dumbed-down iPhone) most of the time, but the AirPort Express stations (serving the sound system and acting as network extenders for legacy hardware without WiFi) are always a pain to deal with. One of them, currently flashing yellow, probably has a pending update (it's still on my net so there's no issue there). But I can't bring myself to deal with it. F-it. It's only serving a photo screensaver on a Luxo Mac anyway.

    2. Re:Customers, you had one job! /s by MayeulC · · Score: 2

      It's only serving a photo screensaver on a Luxo Mac anyway.

      That's precisely what's dangerous here, and the reason why we have those IoT botnets bringing the net to its knees. No one feels the need to update their photo screensavers, especially if they are just sitting in a corner.

      Either those devices should remain off the Internet (LAN or completely disconnected), or have automatic updates/remote health monitoring by the company.

      Another thing to note, however, is that most companies don't care (for long) about your product once they've got you to buy it. Especially Apple, which usually just wants you to buy the next iThing.

  2. Smart Devices by sunderland56 · · Score: 4, Insightful

    If these IoT devices are so smart, why can't they update themselves?

    I'm not sure about most consumers - even geeky ones - but a normal list of fun-things-to-do-this-weekend doesn't usually include updating the software on my refrigerator and stove.

    1. Re:Smart Devices by CaptainDork · · Score: 2

      Of those polled, nearly two thirds felt that it was not their responsibility to keep firmware updated. 22% believed it was the job of software developers, while 18% consider it to be the responsibility of device manufacturers.

      I agree.

      Consumers want to be out of the process.

      If I was a manufacturer, I'd be jumping all over this with the tag line:

      "Maintenance-free."

      --
      It little behooves the best of us to comment on the rest of us.
    2. Re:Smart Devices by FrankHaynes · · Score: 2

      Required reading for IoT foibles, trials, and tribulations:

      https://twitter.com/internetof...

      --
      slashdot: A failed experiment.
    3. Re:Smart Devices by wvmarle · · Score: 2

      I was also surprised by seeing 31% claiming to update their devices "as soon as updates are available". That's an incredibly high number.

      First of all: the user has to actively keep track of the availability of updates, somehow. The only possibly updateable device in my home, my router, I have never updated the firmware of. It's about a year old. I don't know if there are updates; the last time (a week or two ago) I logged in to the device it didn't notify me of there being any. To find updates (and know if any are available in the first place) I'll first have to figure out the manufacturer and model number of the thing, then start googling for the latest firmware, see if it's newer than whatever is on my device, and then learn how it can be installed. Sounds like too much work to me, and I'm quite into those things. My wife simply wouldn't be able to do this even if she cared enough to think about it. And yes, I consider myself pretty much a normal consumer. The thing does its job, and as long as it does so, I'm barely thinking about the mere presence of that tiny black box in a dark corner next to the stairs.

      For me, my fridge, TV and light bulbs are not connected. I don't see the advantage of most of them to even be connected. Security is an aspect, having to update them occasionally (manually; including having to manually check for the presence of updates) is a pain and simply won't happen.

    4. Re:Smart Devices by epyT-R · · Score: 3, Insightful

      I have a better idea: how about having no 'smart' functionality that requires updating? No security issues whatsoever.

    5. Re:Smart Devices by grep+-v+'.*'+* · · Score: 2

      If I was a manufacturer, I'd be jumping all over this with the tag line: "Maintenance-free."

      Sounds like they can add that check mark to their boxes right now without doing anything at all.

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
  3. Make updating easier by MoarSauce123 · · Score: 4, Insightful

    How many motherboards, routers, webcams, and other devices did I go through that stopped working after applying a firmware update following the instructions given by the manufacturer? I stopped counting. Even worse, once updated, all configurations are reset to factory default and I had to either restore the settings if there was a means to back them up or redo everything from scratch. Who the f*ck has time for this? If manufacturers would make updating easy and failsafe, the number of folks applying the upgrades would be much higher.

    1. Re:Make updating easier by BigBuckHunter · · Score: 4, Insightful

      How many motherboards, routers, webcams, and other devices did I go through that stopped working after applying a firmware update following the instructions given by the manufacturer?

      Even worse, after bricking a device and requesting support, you're asked the insulting question, "What issue were you trying to resolve by updating the firmware?", as if you've been doing something wrong and tampering with the device causing it to fail.

      Any not-horrible tech vendors out there that you would recommend?

    2. Re:Make updating easier by AchilleTalon · · Score: 2

      This is not restricted to IoT devices and firmware updates. I have seen enterprise software with security holes and outdated components the manufacturer just refuses to make current, and is asking us to pay for them to update these OSS components its software is relying upon. Even in cases where the OSS components in question have no longer been supported by the community for a few years. There are a lot of lazy people out there with this mentality: if it ain't broken, don't fix it. When in fact it is broken; it's just that it hasn't been reported yet, and it is insecure because it doesn't accept new encryption algorithms and still accepts insecure protocols and encryption. Then you pay many hundreds of thousands of dollars in yearly licenses to these lazy bastards, plus a 15% maintenance fee.

      --
      Achille Talon
      Hop!
  4. Re:Duh by Luthair · · Score: 4, Interesting

    Unfortunately manufacturers have previously abused the power of automatic updates to remove features or to shove 'features' down users' throats. And of course many other manufacturers don't even bother to issue updates anyway. Unfortunately I don't think we'll see any change to these problems without legislation.

  5. Customer Survey Discovers iOT Device Are Useless by elcor · · Score: 2

    And Shouldn't Exist In The First Place.

  6. Is it so hard to bake in a cron job? by wierd_w · · Score: 4, Interesting

    Seriously, what the fuck!?

    Blaming ignorant users for not being technowizards? Yes, *WE* know how to update an embedded linux device, but your average person does not even know it runs embedded linux, let alone how to manage such a device manually.

    WHAT THE FUCK. No-- just embed a reasonable package management suite into the firmware that does digital signature checking, and a cron job to look for updates every week.

    This whole problem is a non-problem when handled properly.

    The real issue is that some corporate retard wanted to be a miser on the flash chips because he could get teensy weensie ones really cheap, and so essential functionality gets scrapped with a "blame the end user" scapegoat attached.

  7. Re:Duh by Alain+Williams · · Score: 5, Insightful

    In fact the device maker should be by law forced to supply updates for it for 3-5 years for any device they make that connects to the internet, for security reasons.

    3-5 years is far too short. How often do you replace your: fridge, room light fittings, central heating system, ... ? For many this will be when they break, which for most of those things is 10-30 years. That is how long they should provide security updates for; with a source code escrow system that puts it all into the public domain if the manufacturer goes bust. Unfortunately many IoT manufacturers are only interested in a quick sale; once the next model is out the previous one receives no attention at all. The same goes for phone manufacturers.

    In addition: if the IoT device relies on some manufacturer provided cloud service they should be forced to keep that running for 10-30 years as well.

  8. Main reasons. by DrYak · · Score: 3, Insightful

    Main reason number 1 :

    "automatic security updates" isn't such an attractive key point to put on a box to get more consumers.
    But "this device has 2x more pixels than the competition and you can control it from a smartphone app" is.

    (And a corollary: a gizmo that gets updated regularly will get fixes and new features for a longer time.
    This requires work from the company (paying devs).
    This means fewer units sold to replace obsolete models.)

    Main reason number 2 :

    Just wait until hackers find a way to spoof the update source, and use it as a way to install their shit on your IoT gadget
    (e.g.: that's a vulnerability that's been found on Philips Smart LED light bulbs).

    Making auto-updates work correctly is HARD.
    - It requires advanced knowledge in cryptography
    - You're at risk of TiVo-ising the gizmo if you do it wrong
    - This requires that the company that makes the broken gizmo that needs a firmware upgrade still be around tomorrow. That might be the case with Microsoft, but that's hardly the case with countless Asian makers of cheap no-name stuff.


    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Main reasons. by AchilleTalon · · Score: 2

      Well, if advertising auto security updates is not a selling point, being hacked worldwide once is surely a not-buying point for a customer. You don't always need to advertise everything to sell a gizmo. Just make it secure and reliable without giving all the details the customer didn't ask for on how you keep it secure.

      --
      Achille Talon
      Hop!
    2. Re:Main reasons. by Gavagai80 · · Score: 3, Insightful

      "automatic security updates" isn't such an attractive key point to put on a box to get more consumers.
      But "this device has 2x more pixels than the competition and you can control it from a smartphone app" is.

      Perhaps the bigger problem is that a device that gets hacked and stops operating correctly in a few years is good for encouraging frequent purchases of newer models.

      --
      This space intentionally left blank
  9. Re:Duh by Dutch+Gun · · Score: 4, Interesting

    Yeah, I also suspect we're going to need legislation that demands automatic security updates for a reasonable lifetime of these devices. It's not viable to only provide updates for, say, the warranted period, because these are devices that may last for a decade or two, and if they have a security flaw, they can be used to actively harm others. The market won't self-correct for this issue, because it's a safety issue that's not readily apparent to the user, nor does it actively harm that user, instead collectively harming others.

    I have a feeling manufacturers would be a lot more careful with security and less eager to jump on the IoT bandwagon if they knew they were signing up for a *very* long support tail. Instead, they're treating these tiny internet-connected computers like any other disposable hardware, and that model is proving to be insufficient when the internet and security issues are thrown into the mix.

    Smartphone manufacturers took a few years and a couple of really nasty security flaws (and subsequent bad press) to get dragged to that conclusion as well. Well, some are starting to get it, while others still think they can "sell and forget".

    --
    Irony: Agile development has too much inertia to be abandoned now.
  10. Windows 10 by duke_cheetah2003 · · Score: 2

    And this is why Microsoft went the route of forced updates. There simply is no other way to get muggles to update their crap unless you force the matter.

  11. Re:What updates? by wierd_w · · Score: 2

    The hardware isn't the problem, the problem is the insistence on monolithic update packages, instead of implementing a writable flash filesystem and adding a package manager.

    OpenWRT fixes that on supported routers. Gives you JFFS for nonvolatile storage, and opkg for package management. Includes cron. Automated self-updating from the repo is as easy as a cron job away.

    The real problem is that the IoT makers want to sell throw-away devices, and people like you are willing to throw the devices away. Give them bigger flash modules, and a better boot loader, and the problem becomes MUCH more tractable for the exact same hardware otherwise.

    But no, selling the devices for $0.50 more so they can have a 16 MB flash instead of an 8 MB one (or smaller!), and thus be able to have such updates without abusing the fuck out of cramfs and being reliant on monolithic firmware update blobs, is just out of the question. Instead, people should drop another $75 every year for the new model!
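The checks that comments 6, 8 and 11 above argue over (a package manager that verifies digital signatures before installing, an update source that an attacker could spoof, a cron job pulling from a repo) come down to one small piece of device-side logic. The following is an added example written for this page, not code from Canonical, OpenWRT or opkg, and it makes its own assumptions: a hypothetical JSON manifest carrying a device name, a monotonically increasing version counter and the SHA-256 of the image; Ed25519 signatures over the manifest bytes; and a vendor public key assumed to be burned into the firmware at manufacture. It does not cover the transport or the cron scheduling, only what the weekly job must do with whatever it fetched before it flashes anything. The demo runs a genuine update plus four attacks on constructed data: a manifest edited after signing, a manifest signed by an attacker's own key (the spoofed update server), a replay of an older, genuinely signed manifest, and a swapped payload behind a genuine manifest.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one firmware image (hypothetical format for this example).
// The vendor signs the serialised manifest; the hash inside it binds the payload.
type Manifest struct {
	Device  string `json:"device"`
	Version uint64 `json:"version"`
	SHA256  string `json:"sha256"`
}

// Verifier holds what the device must already have before it ever talks to an
// update server: the vendor's public key, its own model name and the installed version.
type Verifier struct {
	VendorKey ed25519.PublicKey
	Device    string
	Installed uint64
}

// SignManifest is the vendor-side step: serialise the manifest and sign the bytes.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifest, sig []byte, err error) {
	manifest, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return manifest, ed25519.Sign(priv, manifest), nil
}

// Check is the device-side step. Each error branch is a case a spoofed or
// compromised update source could otherwise exploit.
func (v Verifier) Check(manifest, sig, image []byte) (*Manifest, error) {
	// 1. Authenticity: only the vendor key can produce a valid signature over these bytes.
	if !ed25519.Verify(v.VendorKey, manifest, sig) {
		return nil, errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(manifest, &m); err != nil {
		return nil, err
	}
	// 2. Scope: a genuinely signed image for another model is still wrong here.
	if m.Device != v.Device {
		return nil, errors.New("manifest is for a different device")
	}
	// 3. Anti-rollback: an old signed manifest must not reinstall a version with known holes.
	if m.Version <= v.Installed {
		return nil, fmt.Errorf("version %d is not newer than installed %d", m.Version, v.Installed)
	}
	// 4. Integrity: the payload must hash to what the vendor signed.
	if hashHex(image) != m.SHA256 {
		return nil, errors.New("image hash does not match signed manifest")
	}
	return &m, nil
}

func hashHex(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// seed derives a fixed 32-byte Ed25519 seed from a tag so the demo is reproducible.
func seed(tag string) []byte {
	s := sha256.Sum256([]byte(tag))
	return s[:]
}

// Demo runs the verifier against a genuine update and four attacks (all constructed data).
func Demo() map[string]bool {
	vendor := ed25519.NewKeyFromSeed(seed("vendor key, constructed for the demo"))
	attacker := ed25519.NewKeyFromSeed(seed("attacker key, constructed for the demo"))

	image := []byte("firmware image v5 (constructed payload)")
	dev := Verifier{VendorKey: vendor.Public().(ed25519.PublicKey), Device: "bulb-a1", Installed: 4}
	good := Manifest{Device: "bulb-a1", Version: 5, SHA256: hashHex(image)}
	man, sig, _ := SignManifest(vendor, good)

	results := map[string]bool{}
	_, err := dev.Check(man, sig, image)
	results["genuine_accepted"] = err == nil

	// Attacker edits the manifest after it was signed.
	tampered := append([]byte(nil), man...)
	tampered[len(tampered)-3] ^= 0x01
	_, err = dev.Check(tampered, sig, image)
	results["tampered_rejected"] = err != nil

	// Spoofed update server: same manifest, signed with the attacker's own key.
	evilMan, evilSig, _ := SignManifest(attacker, good)
	_, err = dev.Check(evilMan, evilSig, image)
	results["wrong_key_rejected"] = err != nil

	// Replay of an older, genuinely signed release (downgrade attack).
	oldImage := []byte("firmware image v3 (constructed payload)")
	oldMan, oldSig, _ := SignManifest(vendor, Manifest{Device: "bulb-a1", Version: 3, SHA256: hashHex(oldImage)})
	_, err = dev.Check(oldMan, oldSig, oldImage)
	results["downgrade_rejected"] = err != nil

	// Genuine manifest, but the payload served alongside it was swapped.
	_, err = dev.Check(man, sig, []byte("not the image that was signed"))
	results["swapped_image_rejected"] = err != nil

	return results
}

func main() {
	for k, v := range Demo() {
		fmt.Printf("%-24s %v\n", k, v)
	}
}
```

The ordering matters: the signature is verified before the manifest is parsed, so a malformed manifest never reaches the JSON decoder unless the vendor signed it, and the version check runs before the (larger) image is hashed. What a cron job that simply runs the package manager against a repo does not get for free is step 3: a plain "is there a newer package" check against a mirror the attacker controls can still be answered with an old, validly signed package, which is why the device keeps its own installed-version counter rather than trusting the server's list.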

  12. Re:Duh by Anonymous Coward · · Score: 2, Insightful

    30 years? Bahahahahaha

    Just like phones and tablets ushered in a new era in computing where extensive surveillance and limits on user freedom were commonplace and accepted (and from some corners even encouraged), IoT crap will be the start of a new paradigm where it's normal to replace your refrigerator every 3 years because it no longer has enough RAM to remember how much milk you have.

  13. Re:The bathroom door(tm) firmware upgrade? by wierd_w · · Score: 2

    I am neither Mr Hype, nor his secretary Ms Hyperbole, but I can answer your question Mr Coward.

    First and foremost, the attack surface starts at your front door. Namely, your internet router.

    Most consumer level devices of this nature have back doors baked into them. Just google it. It will astound you. Such back doors give would-be hackers access to the routing tables, and thus the isolation between your private and public network areas. That allows them to directly portscan you right from your own router, and to deliver payloads to your IoT devices using the same point of intrusion.

    Why would they go after your IoT cameras, bathroom scales, refrigerators, smart thermostats, and other bullshit smart devices? All those devices tend to have laughable security implementations, and any single one could be a route to automated re-pwning of your router should you decide to 1) reboot it, 2) replace it, 3) attempt to secure it some other way. This is because they are already behind your firewall, and thus "trusted" in your private network.

  14. Warranty by Spamalope · · Score: 2

    In my experience, if the manufacturer releases a firmware update that bricks some hardware revisions, often they will not warranty repair it. Years ago one of the early Lexmark scanner-plus-laser-printer copier devices shipped with a network stack bug that was a show stopper for us. ($3k+, T63x series printer as a base.) Lexmark support wanted me to firmware update before returning it. I read the 'I agree' text with the update, which said bricking the device wasn't covered. I asked support if bricking the device was a risk, and kept a copy of the chat log - which was great because the update bricked the printer. When I called support back, they refused warranty replacement until I showed chat log copies. -sigh-

    A friend had a similar experience with an Eyefi (wireless SD card). That's before you get to vendors that do feature or performance takeaway with the update.

  15. The update processes and realities are the problem. by aussersterne · · Score: 2

    They are time-consuming, failure-prone, complex, and require multiple steps. Once you have 15-20 devices, it could easily take you a month of infuriating weekends doing nothing else, assuming an hour fiddling with each device. What joy!

    1. Update processes should be fixed so that they rarely fail and require only triggering, not heavy intervention
    2. They should be easy to trigger, and the current update status should be easy to check

    Re: #2, there should be a small LED-illuminated button somewhere on each device.

    If the button is not illuminated, there are no updates available; device is current.
    If the button is glowing green, it indicates that a non-critical update is available.
    If the button is glowing yellow, it indicates that a security-critical update is available.
    Consumers press the button to run the update.
    While updating, the button will flash (either green or yellow) to indicate that an update is in progress and the device is offline.
    Once the update is complete, the illumination goes off again.
    If the update fails, the button glows red to show failure and that factory service is required.

    If someone could walk through their house once a month and glance at each device to see whether an update is available, then press a button to run it, I suspect you'd see a lot more updating going on.

    Another path to take is fully automatic updates, but this creates the problem for both consumer and remote support of figuring out whether a device has failed due to manufacturing defect, is offline for other issues, or is offline due to an update failure.

    If the consumer is able to time the update for their own convenience, and can observe the result as it occurs and a status after the fact, they can phone in and say that they ran the update and it failed (glowing red) and support can address appropriately. Since consumer was given control over the timing of the update, they can be sure to run it when a failure or offline time won't cause critical problems for them in their living environment.

    Of course all of this presumes that updates are available, which has historically not been something that manufacturers care about very much. That can only be fixed through legislation and public spending (i.e. company must provide updates for ten years and is liable for security issues; if company goes out of business, security updates must be funded publicly if total installation size is greater than some number N). This is a much harder problem to solve, as such legislation would be next to impossible to pass.

    Of course all of this is a pipe dream, it's much more likely that instead we end up with a world of insecure devices and "hack insurance" that we have to pay for every month for IoT use that addresses homeowner loss and liability issues upon demonstrated security compromise. That's easy to implement and pass and has a ready-made lobby (insurance/financials), and doesn't require social responsibility on the part of companies or the public.

    --
    STOP . AMERICA . NOW
  16. Re:See, this is why by mmell · · Score: 2

    Uh, most enterprises I've dealt with use some form of WSUS to provide exactly the kind of control you're referring to - because they are running servers which will leave a lot of employees sitting around getting paid to do nothing if a server goes down. They also have people trained to keep an eye on the whole update process to ensure that nothing bad happens, as well as to ensure that employee desktops are updated.

    Microsoft shoves updates down the throats of end-user (consumer) desktops because Joe Sixpack doesn't have a clue which hole to stick an update in or even why he should. That's one of the reasons botnets are moving rapidly to internet appliances (from MS-Win systems) - those who know how still manage their updates, the guys at Bubba's Bait and Software Shop can learn how too, or they can just let someone who knows a lot more about it than they do handle it for them. Either way, someone is patching systems. Left to their own devices (pun intended), the average consumer doesn't care about patching.

    I'm somewhat guilty of this - I may take assiduous care of my workplace desktop (and my issued laptop), but I really don't feel like concentrating when I'm at home listening to MP3s and posting on Slashdot.

  17. The problem is developers and new features by BlueCoder · · Score: 4, Insightful

    People are tired of "their" devices changing and needing to relearn how to use them over and over again.

    Software needs to be engineered such that the UI experience never changes but you can update the underlying security.

    Separate the UI from the underlying tech!

    No more new features unless someone wants/needs them.

    Stop the marketing eye candy.

    Keep it simple stupid.

    1. Re:The problem is developers and new features by BlueCoder · · Score: 2

      P.S. Similarly people are discouraged when software stops having features that we originally purchased. Stop disabling what I already paid for. I don't care about stupid laws and lawsuits. Once the product is released you can't take it back. If you screwed up then YOU screwed up and will have to suffer YOUR OWN consequences.

      Maintenance for security isn't a NEW release of software; it's maintenance.

      And this whole Samsung thing where they are disabling the devices remotely is a case in point. If customers don't want to return a recalled product then you can't force them. And you are still limitedly liable for the product forever.

  18. No it shouldn't! by johannesg · · Score: 2

    Your PC is an IoT device, yet when Microsoft makes auto-updates mandatory you are all screaming bloody murder. I categorically DO NOT WANT manufacturers to be able to see what I'm doing, or change functionality after I bought the device (because I have no guarantees whatsoever they will not remove half of the features I wanted and needed, as Sony did with the PS3 'Other OS' option), or even outright disable the device (like what happened with that Samsung phone).

    I can only hope that devices that are not, in fact, connected to the internet will remain available for sale. "Your fridge was unable to download security updates and has therefore been disabled" is not a message I _ever_ want to see in my life.

  19. Re:Duh by Opportunist · · Score: 2

    Convincing people to throw out a fridge every other year like they do now with their phone is sure going to be a hard sell. Those things tend to be heavy...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.