Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Networking Ubuntu Botnet Security Stats

Ubuntu Survey Discovers 'Consumers Are Terrible' About Updating Their IoT Devices (ubuntu.com) 181

Core evangelist Thibaut Rouffineau writes about the results of Ubuntu's survey of 2000 consumers about their Internet of Things devices: This survey revealed that, worryingly, only 31% of consumers that own connected devices perform updates as soon as they become available. A further 40% of consumers have never consciously performed updates on their devices... Of those polled, nearly two thirds felt that it was not their responsibility to keep firmware updated. 22% believed it was the job of software developers, while 18% consider it to be the responsibility of device manufacturers.

Canonical has taken the view for some time now that better automatic mechanisms to fix vulnerabilities remotely are needed as an essential step on the way to a secure IoT. We need to remove the burden of performing software updates from the user and we need to actively ban the dreaded 'default password', as Canonical has done with Ubuntu Core 16... It's clear to us that too many of the solutions to IoT security proposed today involve either mitigating security issues after-the-fact, or living in a world where IoT security problems are the accepted norm. This should not and cannot be the case.

They'll be publishing their complete findings in a new paper in January.
This discussion has been archived. No new comments can be posted.

Ubuntu Survey Discovers 'Consumers Are Terrible' About Updating Their IoT Devices

Comments Filter:
  • Allright, a device that is like a home appliance will not be treated as something in need of updating, ever. I think those 31% will never re-update the devices after that first time.

    • by MouseR ( 3264 )

      If you have to spend your time upgrading all your IoT devices, it becomes a chore that is a turn-off for people. Not just their lighting system.

      Since before IoT was a thing, my house was rigged with 3 AirPort Express and TV. The TV updates itself (it's essentially just a dumbed-down iPhone) most of the times but the AirPort Express stations (service sound system and network extenders for legacy hardware without WiFi) are always a pain to deal with. One of them, currently flashing yellow, probably has a pend

      • It's only serving a photo screensaver on a Luxo Mac anyway.

        That's precisely what's dangerous here, and the reason why we have those IoT botnets bringing the net to its knees. No one feels the need to update their photo screensavers, especially if they are just sitting in a corner.

        Either those devices should remain off the Internet (LAN or completely disconnected), or have automatic updates/remote health monitoring by the company.

        An other thing to note, however, is that most companies don't care (for long) about your product once they got you to buy it. Espec

  • Smart Devices (Score:5, Insightful)

    by sunderland56 ( 621843 ) on Sunday December 18, 2016 @06:39PM (#53510499)

    If these IoT devices are so smart, why can't they update themselves?

    I'm not sure about most consumers - even geeky ones - but a normal list of fun-things-to-do-this-weekend doesn't usually include updating the software on my refrigerator and stove.

    • Of those polled, nearly two thirds felt that it was not their responsibility to keep firmware updated. 22% believed it was the job of software developers, while 18% consider it to be the responsibility of device manufacturers.

      I agree.

      Consumers want to be out of the process.

      If I was a manufacturer, I'd be jumping all over this with the tag line:

      "Maintenance-free."

    • Main reasons. (Score:4, Insightful)

      by DrYak ( 748999 ) on Sunday December 18, 2016 @07:02PM (#53510629) Homepage

      Main reason number 1 :

      "automatic security updates" isn't such an attracting key point to put on a box to get more consumer.
      But "this devices has 2x more pixels than the competition and you can control it from a smartphone app" is.

      (And a corollary: A gizmo that gets updated regularily will get fixed and new feature for a longer time.
      This require work from the company (paying devs)
      This means fewer units sold to replace obsolete models)

      Main reason number 2 :

      Just wait until hackers find way to spoof update source, and use it as a way to install their shit on your IoT gadget
      (e.g.: that's a vulnerability that's been found on Philips Smart LED light bulbs).

      Making auto-updates work correctly is HARD.
      - It require advanced knowledge in cryptography
      - You're at risk of TIVO-ising the gizmo if you do it wrong
      - This requires that the company that makes the broken gizmo that needs a firmware upgrade be still around tomorrow. That might be the case with Microsoft, but that's hardly the case with countless asian maker of cheap no-name stuff.

       

      • Well, if advertising auto-security updates is not a selling point. Being hacked worldwide once is surely a not buying point for a customer. You don't always need to advertise everything to sell a gizmo. Just make it secure and reliable without giving all the details the customer didn't ask for on how you keep it secure.
        • It's not a selling point because I for one expect proper security to be standard. My computers update themselves (my Win10 box is doing this fully automatic; my Mint box notifies me when there are updates and then it's just a few clicks to get it done). My current light bulbs, fridge and toaster are secure already and can not be turned into zombies, any newer such devices I simply expect the same even if those are connecting to the Internet.

          When I hear about brands getting hacked and turned into zombies, ot

          • Yes. You. You also know that TCP isn't the Chinese equivalent of the NSA. For how many people out there do you think this is true, too?

            Most people out there do not even know this is an issue. They don't expect security to be standard, they don't even imagine that this could be something to even consider. Yes, the new fridge connects to the internet, but they don't make the connection "fridge + internet = security problem". And if you bring up the topic, all they do is shrug and say "But why should I care th

            • Well, a possible solution would be to not allow software updates at all. Have the OS of the fridge/TV/whatever baked into the chip somehow (physically baked, or write-once EPROM or whatever). With no possibility of having the thing run new software there is no way for any attacker to take over the device.

              I'm probably missing something here, though.

              • That just means they don't need to persist across "reboots" (and how often do you unplug your fridge?)

                The devices would still have a CPU and RAM, which is all a hacker needs to take control. And if the machine never gets patched, its easy to reinfect if the power ever does get cycled.

              • Have the OS of the fridge/TV/whatever baked into the chip somehow (physically baked, or write-once EPROM or whatever).

                Just as a side-note, for information:
                EPROM : erase-able programmable read-only memory. (and EEPROM are electrically-erasable - as opposed to other methods like UV light).
                (so you would need to drop the first E).

                I'm probably missing something here, though.

                There are 2 different problem:

                TL;DR: exploitable bugs permanently burning into ROM ; lower cost of production allowing last-minute firmware changes.

                I.
                - yes, if the firmware is in a non-re-programmable ROM, an attacker could not permanently install a backdoor on your smart-LED-lightbulb.
                - but if the sm

      • Re:Main reasons. (Score:4, Insightful)

        by Gavagai80 ( 1275204 ) on Sunday December 18, 2016 @09:08PM (#53511179) Homepage

        "automatic security updates" isn't such an attracting key point to put on a box to get more consumer.
        But "this devices has 2x more pixels than the competition and you can control it from a smartphone app" is.

        Perhaps the bigger problem is that a device that gets hacked and stops operating correctly in a few years is good for encouraging frequent purchases of newer models.

      • Just wait until hackers find way to spoof update source, and use it as a way to install their shit on your IoT gadget (e.g.: that's a vulnerability that's been found on Philips Smart LED light bulbs).

        This.

        While auto-updates circumvent one problem, it introduces another attack vector. And a failure mode. (yay! none of the lights turn on because auto-update bricked them) Not to mention the "appliance" suddenly becoming unresponsive at exactly the wrong time while it decides to update itself on its schedule, not yours.

        This just all get back to the fact that internet connectivity is being taken too far, and by people who's skillset (embedded devs) usually has no overlap with a security skillset. Been the

      • by thsths ( 31372 )

        > Making auto-updates work correctly is HARD.
        > - It require advanced knowledge in cryptography

        I think making a proper IoT device is hard, and it also requires knowledge in cryptography.

        • > Making auto-updates work correctly is HARD.
          > - It require advanced knowledge in cryptography

          I think making a proper IoT device is hard, and it also requires knowledge in cryptography.

          Logically your statements demand that making auto-updates work correctly equals making a proper IoT device.

      • What is the advanced crypto for?

        1. Check a known IP for updates.
        2. If a new one is found download it.
        3. Verify the signature against the public key stored in the device.

        This only requires public-key crypto (from a standard library) and a basic signature scheme from a standard. Why is anything advanced required?

        • Yup. It's a simple 3 point plan.

          You just have no idea how many things could go wrong in a such seemingly simple plan.

          If even Microsoft and Sony can't manage to get crypto right to protect their game consoles,
          you can bet that small noname fly-by-night chinese constructors are going to completely b0rk their work.

          Just of the top of my head :
          - fixed IP and/or address : can be spoofed, or control of the domain name could be lost.
          - "if a new is found download it" : nearly every single word of this sentence has a

      • by AmiMoJo ( 196126 )

        There needs to be a standard for IoT security, and testing. Like UL or radio emissions testing that is mandatory on some products. Even if it was only voluntary, a prominent logo on the box would be a good selling point.

        Consumers want security. They don't want to get hacked. They just have no idea what security is or how to get it.

    • Required reading for IoT foibles, trials, and tribulations:

      https://twitter.com/internetof... [twitter.com]

    • I guess some people here will advocate contrary just like it is evil for Microsoft to force customers to update Windows to keep it secure and current. Just like this bunch of people who refuses to upgrade from Windows 7, 8, 8.1 for no other reason they don't want to be spied on by Microsoft.
    • I was also surprised by seeing 31% claiming to update their devices "as soon as updates are available". That's an incredibly high number.

      First of all: the user has to actively keep track of the availability of updates, somehow. The only possibly updateable device in my home, my router, I never updated the firmware of. It's about a year old. I don't know if there are updates, last time (a week or two) ago I logged in to the device it didn't notify me of there being any updates. To find updates (and know if a

    • They are time-consuming, failure-prone, complex, and require multiple steps. Once you have 15-20 devices, it could easily take you a month of infuriating weekends doing nothing else, assuming an hour fiddling with each device. What joy!

      1. Update processes should be fixed so that they rarely fail and require only triggering, not heavy intervention
      2. They should be easy to trigger, and the current update status should be easy to check

      Re: #2, there should be a small LED-illuminated button somewhere on each dev

      • Stop thinking like a Geek. Your LED scheme is only useful to someone who would update his devices in the first place.

        You need to think like a grandmother in rural BumFuck with a 6th grade education.

        Light is on, any color: Something is wrong. Push button. Go back to Soap Opera.

        Light is off. Nothing is wrong. Go back to Soap Opera.

    • Re:Smart Devices (Score:4, Insightful)

      by epyT-R ( 613989 ) on Sunday December 18, 2016 @11:40PM (#53511767)

      I have a better idea: how about having no 'smart' functionality that requires updating? No security issues whatsoever.

    • I'm not sure about most consumers - even geeky ones - but a normal list of fun-things-to-do-this-weekend doesn't usually include updating the software on my refrigerator and stove.

      Yep, and as well as being dreary and almost certainly involving the use of appallingly bad software and websites, there's also the fun surprise over which features are broken afterwards.

    • The last time I let my Denon receiver update itself, the update stalled and I spent over an hour between manually downloading patches on a desktop and patching it over USB and several calls to their (admittedly fairly good) customer service phone center.

      And, of course I had tried the original update just before the kids wanted to use the TV for a movie night.

      Fool me once...

  • by MoarSauce123 ( 3641185 ) on Sunday December 18, 2016 @06:44PM (#53510525)
    How many motherboards, routers, webcams, and other devices did I go through that stopped working after applying a firmware update following the instructions given by the manufacturer? I stopped counting. Worse even, once updated all configurations are reset to factory default and I had to either restore the settings if there was a means to back them up or redo everything from scratch. Who the f*ck has time for this? If manufacturers would make updating easy and failsafe the number of folks applying the upgrades would be much higher.
    • by BigBuckHunter ( 722855 ) on Sunday December 18, 2016 @06:55PM (#53510581)

      How many motherboards, routers, webcams, and other devices did I go through that stopped working after applying a firmware update following the instructions given by the manufacturer?

      Even worse, after bricking a device and requesting support, you're asked the insulting question, "What issue were you trying to resolve by updating the firmware?", as if you've been doing something wrong and tampering with the device causing it to fail.

      Any not-horrible tech vendors out there that you would recommend?

      • by SeaFox ( 739806 )

        Even worse, after bricking a device and requesting support, you're asked the insulting question, "What issue were you trying to resolve by updating the firmware?", as if you've been doing something wrong and tampering with the device causing it to fail.

        Or they might just be following the old saying "If it aint broke, don't fix it".

        End users don't generally consider security issues things that need to be fixed. They only know their thingamajig worked fine before you started playing with it, and now it doesn't. Arguably, they're right. The "issue you were trying to fix" was a failure on your company's part to write the device firmware more secure to start with. Remember most of these exploits are things like back doors with hard-coded passwords, hidden teln

        • This is not restricted to IoT devices and firmware updates. I have seen enterprise software with security holes and outdated components the manufacturer just refuses to make current and is asking us to pay for him to update these OSS components its software is relying upon. Even in cases where the OSS components in question are not longer supported by the community for a few years. There is a lot of lazy people out there with this mentality, if it ain't broken don't fix it. When in fact it is broken, it's j
      • ...you're asked the insulting question, "What issue were you trying to resolve by updating the firmware?"

        I spent over seven years doing tech support for an ISP. We didn't have to worry about firmware upgrades, because that was something to be discussed with the OEM, not us. However, if I did, that question would have been routine, because our first step would have to be to restore the status quo ante, and if you were having trouble before, I might have to take it into account in rolling things back. B
      • by AmiMoJo ( 196126 )

        Q: What issue were you trying to resolve by updating the firmware?
        A: Your incompetence.

        In the EU your warranty is generally with the shop, not the manufacturer. So when stuff like firmware updates go wrong, you can take it back to the shop. Unfortunately they get around 28 days to fix it in most countries, but at least it saves you calling the manufacturer and answering stupid questions like this.

    • by epyT-R ( 613989 )

      or, what if manufacturers:

      1. bothered to write secure code
      or
      2. just stopped adding pointless overengineered functionality that reduces reliability, security, and privacy. There's no need for my fridge and toaster to have ip addresses.

      Then updates wouldn't be so critical.

    • by Holi ( 250190 )
      In 20+ years of working on computers, I don't think I have ever once bricked a device while updating firmware. And you've lost count? Maybe you shouldn't be touching stuff like that so much.
  • Future IoT devices (especially consumer devices) should really be self-updating. It's possible with proper encryption to do this safely and securely. Anything that connects to the internet is bound to have exploitable flaws discovered sooner or later, and anything that can't self-patch will never be patched, statistically speaking. I didn't need a study to confirm this (although it's good to have it confirmed). It's blindingly obvious from historical anecdotes and experience. I recall Steve Gibson refe

    • Your PC is an IoT device, yet when Microsoft makes auto-updates mandatory you are all screaming bloody murder. I cathegorically DO NOT WANT manufacturers to be able to see what I'm doing, or change functionality after I bought the device (because I have no guarantees whatsoever they will not remove half of the features I wanted and needed, as Sony did with the PS3 'other OS' option), or even outright disable the device (like what happened with that Samsung phone).

      I can only hope that devices that are not, i

  • And Shouldn't Exist In The First Place.
  • by wierd_w ( 1375923 ) on Sunday December 18, 2016 @06:56PM (#53510587)

    Seriously, what the fuck!?

    Blaming ignorant users for not being technowizards? Yes, *WE* know how to update an embedded linux device, but your average person does not even know it runs embedded linux, let alone how to manage such a device manually.

    WHAT THE FUCK. No-- just embed a reasonable package management suite into the firmware that does digitial signature checking, and a chron job to look for updates every week.

    This whole problem is a non-problem when handled properly.

    The real issue is that some corporate retard wanted to be a miser on the flash chips because he could get teensy weensie ones really cheap, and so essential functionality gets scrapped with a "blame the end user" scapegoat attached.

  • icebox. constant updating (reloading) by only one vendor with the foreboding obsolescence due to the neighbor's refrigerator.
  • I can't really imagine my house becoming very "smart" with every light bulb doing its own thing. I'd rather pair it with a hub so I could manage all my devices from there. That way the devices themselves would be more shielded and it would be the central point to update everything from. Kinda like active directory/domain administrator but for my IoT network instead of Windows PCs.

    • They have just that it's called hub. Properly implemented home automation uses them, Zwave, zigbee, Bluetooth even wifi.

      A standard that does not let you do whatever the manufacture wants means they can not spy on you. Thus why they avoid using them.

  • by duke_cheetah2003 ( 862933 ) on Sunday December 18, 2016 @07:14PM (#53510677) Homepage

    And this is why Microsoft went the route of forced updates. There simple is no other way to get muggles to update their crap unless you force the matter.

    • because Microsoft would never force an update that removes functionality or cripples my system

      (that's sarcasm, they've done both to me and various employers of mine repeatedly)

    • Forcing and setting defaults are two different things.

  • "IoT manufacturers are terrible" about building security, usability, and reliability into their products as a fundamental design goal.

    But sure, let's blame the customers. Assholes.

  • This is because almost no one buys a device BECAUSE it connects to the Internet. The IoT provides little to no value to the consumer, why would they pay attention to when the device needs updating. For that matter, in the normal course of using these devices, how would the end user even know that it needed updating?
  • Comment removed based on user account deletion
  • How many of the people that are suggesting that the devices automatically download updates were the ones complaining that Microsoft forced updates to be automatically installed onto their systems?

  • by Spamalope ( 91802 ) on Sunday December 18, 2016 @08:15PM (#53510953)
    In my experience, if the manufacturer releases a firmware update that bricks some hardware revisions often they will not warranty repair it. Years ago one of the early Lexmark scanner+laser to make a copier devices shipped with a network stack bug that was a show stopper for us. ($3k+, T63x series printer as a base) Lexmark support wanted me to firmware update before returning it. I read the 'I agree' text with the update, which said bricking the device wasn't covered. I asked support if bricking the device was a risk, and kept a copy of the chat log - which was great because the update bricked the printer. When I called support back, they refused warranty replacement until I showed chat log copies. -sigh-

    A friend had a similar experience with an Eyefi (wireless SD card). That's before you get to vendors that do feature or performance takeaway with the update.
  • The other side of the coin is that I am very dilatory about installing any kind of update to anything because a) experience shows that the chance of an update breaking something in a serious way is something like 10-20%, b) the problem may not be obvious in the first five minutes or the first week of operation.

    My wife's PC has now been rendered unbootable TWICE by Microsoft pushing through bad updates. I personally will not install a Mac OS update until I've taken the time to do a local backup to a hard dri

    • My wife's PC has now been rendered unbootable TWICE by Microsoft pushing through bad updates. I personally will not install a Mac OS update until I've taken the time to do a local backup to a hard drive, a remote backup to a cloud backup service, and waited two weeks to see if Apple retracts and re-releases the update, and read Macintouch for user reports to see what kinds of problems people are having.

      How many times has Apple screwed you up with an update? I always wait a while, but seems like for the level of trouble you go to every update has broken something.

      The software industry has got to figure out a way to make sure that updates are one or two orders of magnitude safer and more reliable to install than they are today.

      I'm not so certain they want to make them safe. If I were to design an attack vector for the internet, the present Internet of Things is the perfect model. Create things that the least knowledgable among us, the people who re obsessed with and never look up form their smartphones can be more easily enticed for this kind of future http://www.worrel [worrell.com]

  • Poop stinks.

    The sky is blue.

    Grandma loves you.

    The internet of things is a terrible idea.

    Seriousfreakingly?

    People avoid updating their computers, so they're surely going to update their refrigerator or the bottle that tells them when to drink water? "Honey did you remember to update the toilet?" said no one ever.

  • As a 30 year IT veteran, I have never updated a consumer device, by definition. If we are talking about enterprise devices, then we probably have a maintenance contract with a vendor that performs updates for us. But a consumer device? Should just work, and when it gets old, throw it out and get a new one.

  • I built and installed a network-based security camera system at my office. Security cameras are one of the IoT devices which frequently seem to be in the news as having security flaws, so I figured I should check for firmware updates. One rolled out and I installed it on one camera.

    It reduced the camera's operating resolution from 2048x1536 to 1920x1080. The whole reason I had bought that particular camera was for the 4:3 aspect ratio - that combined with the lens' focal length provided the exact cove
  • by BlueCoder ( 223005 ) on Sunday December 18, 2016 @10:44PM (#53511609)

    People are tired of "their" devices changing and needing to relearn how to use them over and over again.

    Software needs to be engineered such as the UI experience never changes but you can update the underlying security.

    Separate the UI from the underlying tech!

    No more new features unless someone wants/needs them.

    Stop the marketing eye candy.

    Keep it simple stupid.

    • P.S. Similarly people are discouraged when software stops having features that we originally purchased. Stop disabling what I already paid for. I don't care about stupid laws and lawsuits. Once the product is released you can't take it back. If you screwed up then YOU screwed up and will have to suffer YOUR OWN consequences.

      Maintenance for security isn't a NEW release of software; it's maintenance.

      And this whole Samsung thing where they are disabling the devices remotely is a point of cause. If customers d

  • Comment removed based on user account deletion
  • That is an astonishingly high number in my opinion. Unbelievable I'd even say.

  • Updating the fucking lightbulb because the thing Phillips sold you is a piece of shit is not the job of the customer. They bought an appliance that's just supposed to work.

    I don't buy any of them because I know Internet of Shit companies have completely blown it there and in every other way and it's going to get a lot worse before it gets better.

    Pardon the strong language, not trolling, this is just such an obvious, predictable, very predicted cluster that I have Strong Feelings.

  • Consumer are not system administrator. Consumer expect some device categories to work out of the box, without having to update them, and most IOT devices belong to those categories. Why should a consumer "update" his fridge ? Such device , if on internet, should do it itself automatically , and fail gracefully if the update fail (go back to previous version). It will take about 20 to 40 years for the perceptions to changes, as the older generations dies out, and the younger is used to update everything. Me
  • I also know that you are out of milk.

  • I'm not updating my fridge. I'm not updating my router. I'm not updating my toothbrush. I'm not updating my toilet. Aside from real security items -- and by that I mean the security of my blood coarsing through my arteries (and some specific veins) I'm not creating more work for myself. It's that simple.

    My car gets semi-annual maintenance service because it can kill me in a heartbeat if it breaks. Elevators, furnaces, hot-water tanks, swimming pools, attics; these are the kinds of things that can caus

news: gotcha

Working...