Slashdot Mirror
Ubuntu Survey Discovers 'Consumers Are Terrible' About Updating Their IoT Devices (ubuntu.com)
Core evangelist Thibaut Rouffineau writes about the results of Ubuntu's survey of 2000 consumers about their Internet of Things devices:
This survey revealed that, worryingly, only 31% of consumers that own connected devices perform updates as soon as they become available. A further 40% of consumers have never consciously performed updates on their devices... Of those polled, nearly two thirds felt that it was not their responsibility to keep firmware updated. 22% believed it was the job of software developers, while 18% consider it to be the responsibility of device manufacturers.
Canonical has taken the view for some time now that better automatic mechanisms to fix vulnerabilities remotely are needed as an essential step on the way to a secure IoT. We need to remove the burden of performing software updates from the user and we need to actively ban the dreaded 'default password', as Canonical has done with Ubuntu Core 16... It's clear to us that too many of the solutions to IoT security proposed today involve either mitigating security issues after-the-fact, or living in a world where IoT security problems are the accepted norm. This should not and cannot be the case.
They'll be publishing their complete findings in a new paper in January.
Canonical has taken the view for some time now that better automatic mechanisms to fix vulnerabilities remotely are needed as an essential step on the way to a secure IoT. We need to remove the burden of performing software updates from the user and we need to actively ban the dreaded 'default password', as Canonical has done with Ubuntu Core 16... It's clear to us that too many of the solutions to IoT security proposed today involve either mitigating security issues after-the-fact, or living in a world where IoT security problems are the accepted norm. This should not and cannot be the case.
They'll be publishing their complete findings in a new paper in January.
In fact the device maker should be by law forced to supply updates for it for 3-5 years for any device they make that connect to the internet for security reasons.
3-5 years is far too short. How often do you replace your: fridge, room light fittings, central heating system, ... ? For many this will be when they break, which for most of those things is 10-30 years. That is how long they should provide security updates for; with a source code escrow system that puts it all into the public domain if the manufacturer goes bust. Unfortunately many IoT manufacturers are only interested in a quick sale; once the next model is out the previous one receives no attention at all. The same is with 'phone manufacturers.
In addition: if the IoT device relies on some manufacturer provided cloud service they should be forced to keep that running for 10-30 years as well.