Ubuntu Survey Discovers 'Consumers Are Terrible' About Updating Their IoT Devices

Core evangelist Thibaut Rouffineau writes about the results of Ubuntu's survey of 2000 consumers about their Internet of Things devices: This survey revealed that, worryingly, only 31% of consumers that own connected devices perform updates as soon as they become available. A further 40% of consumers have never consciously performed updates on their devices... Of those polled, nearly two thirds felt that it was not their responsibility to keep firmware updated. 22% believed it was the job of software developers, while 18% consider it to be the responsibility of device manufacturers.

Canonical has taken the view for some time now that better automatic mechanisms to fix vulnerabilities remotely are needed as an essential step on the way to a secure IoT. We need to remove the burden of performing software updates from the user and we need to actively ban the dreaded 'default password', as Canonical has done with Ubuntu Core 16... It's clear to us that too many of the solutions to IoT security proposed today involve either mitigating security issues after-the-fact, or living in a world where IoT security problems are the accepted norm. This should not and cannot be the case.
They'll be publishing their complete findings in a new paper in January.

Smart Devices

[sunderland56]

If these IoT devices are so smart, why can't they update themselves?

I'm not sure about most consumers - even geeky ones - but a normal list of fun-things-to-do-this-weekend doesn't usually include updating the software on my refrigerator and stove.

Re:Smart Devices

[epyT-R]

I have a better idea: how about having no 'smart' functionality that requires updating? No security issues whatsoever.

Make updating easier

[MoarSauce123]

How many motherboards, routers, webcams, and other devices did I go through that stopped working after applying a firmware update following the instructions given by the manufacturer? I stopped counting. Worse even, once updated all configurations are reset to factory default and I had to either restore the settings if there was a means to back them up or redo everything from scratch. Who the f*ck has time for this? If manufacturers would make updating easy and failsafe the number of folks applying the upgrades would be much higher.

Re:Make updating easier

[BigBuckHunter]

How many motherboards, routers, webcams, and other devices did I go through that stopped working after applying a firmware update following the instructions given by the manufacturer?

Even worse, after bricking a device and requesting support, you're asked the insulting question, "What issue were you trying to resolve by updating the firmware?", as if you've been doing something wrong and tampering with the device causing it to fail.

Any not-horrible tech vendors out there that you would recommend?

Re:Duh

[Luthair]

Unfortunately manufacturers have previously abused the power of automatic updates to remove features or to shove 'features' down users throats. And of course many other manufacturers don't even bother to issue updates anyway. Unfortunately I don't think well see any change to these problems without legislation.

Is it so hard to bake in a chron job?

[wierd_w]

Seriously, what the fuck!?

Blaming ignorant users for not being technowizards? Yes, *WE* know how to update an embedded linux device, but your average person does not even know it runs embedded linux, let alone how to manage such a device manually.

WHAT THE FUCK. No-- just embed a reasonable package management suite into the firmware that does digitial signature checking, and a chron job to look for updates every week.

This whole problem is a non-problem when handled properly.

The real issue is that some corporate retard wanted to be a miser on the flash chips because he could get teensy weensie ones really cheap, and so essential functionality gets scrapped with a "blame the end user" scapegoat attached.

Re:Duh

[Alain+Williams]

In fact the device maker should be by law forced to supply updates for it for 3-5 years for any device they make that connect to the internet for security reasons.

3-5 years is far too short. How often do you replace your: fridge, room light fittings, central heating system, ... ? For many this will be when they break, which for most of those things is 10-30 years. That is how long they should provide security updates for; with a source code escrow system that puts it all into the public domain if the manufacturer goes bust. Unfortunately many IoT manufacturers are only interested in a quick sale; once the next model is out the previous one receives no attention at all. The same is with 'phone manufacturers.

In addition: if the IoT device relies on some manufacturer provided cloud service they should be forced to keep that running for 10-30 years as well.

Main reasons.

[DrYak]

Main reason number 1 :

"automatic security updates" isn't such an attracting key point to put on a box to get more consumer.
But "this devices has 2x more pixels than the competition and you can control it from a smartphone app" is.

(And a corollary: A gizmo that gets updated regularily will get fixed and new feature for a longer time.
This require work from the company (paying devs)
This means fewer units sold to replace obsolete models)

Main reason number 2 :

Just wait until hackers find way to spoof update source, and use it as a way to install their shit on your IoT gadget
(e.g.: that's a vulnerability that's been found on Philips Smart LED light bulbs).

Making auto-updates work correctly is HARD.
- It require advanced knowledge in cryptography
- You're at risk of TIVO-ising the gizmo if you do it wrong
- This requires that the company that makes the broken gizmo that needs a firmware upgrade be still around tomorrow. That might be the case with Microsoft, but that's hardly the case with countless asian maker of cheap no-name stuff.

 

Re:Main reasons.

[Gavagai80]

"automatic security updates" isn't such an attracting key point to put on a box to get more consumer.
But "this devices has 2x more pixels than the competition and you can control it from a smartphone app" is.

Perhaps the bigger problem is that a device that gets hacked and stops operating correctly in a few years is good for encouraging frequent purchases of newer models.

Re:Duh

[Dutch+Gun]

Yeah, I also suspect we're going to need legislation that demands automatic security updates for a reasonable lifetime of these devices. It's not viable to only provide updates for, say, the warranted period, because these are devices that may last for a decade or two, and if they have a security flaw, they can be used to actively harm others. The market won't self-correct for this issue, because it's a safety issue that's not readily apparent to the user, nor does it actively harm that user, instead collectively harming others.

I have a feeling manufactures would be a lot more careful with security and less eager to jump on the IoT bandwagon if they knew they were signing up for a *very* long support tail. Instead, they're treating these tiny internet-connected computers like any other disposable hardware, and that model is proving to be insufficient when the internet and security issues are thrown into the mix.

Smartphone manufactures took a few years and a couple of really nasty security flaws (and subsequent bad press) to get dragged to that conclusion as well. Well, some are starting to get it, while others still think they can "sell and forget".

The problem is developers and new features

[BlueCoder]

People are tired of "their" devices changing and needing to relearn how to use them over and over again.

Software needs to be engineered such as the UI experience never changes but you can update the underlying security.

Separate the UI from the underlying tech!

No more new features unless someone wants/needs them.

Stop the marketing eye candy.

Keep it simple stupid.