Ubuntu Survey Discovers 'Consumers Are Terrible' About Updating Their IoT Devices

Core evangelist Thibaut Rouffineau writes about the results of Ubuntu's survey of 2000 consumers about their Internet of Things devices: This survey revealed that, worryingly, only 31% of consumers that own connected devices perform updates as soon as they become available. A further 40% of consumers have never consciously performed updates on their devices... Of those polled, nearly two thirds felt that it was not their responsibility to keep firmware updated. 22% believed it was the job of software developers, while 18% consider it to be the responsibility of device manufacturers.

Canonical has taken the view for some time now that better automatic mechanisms to fix vulnerabilities remotely are needed as an essential step on the way to a secure IoT. We need to remove the burden of performing software updates from the user and we need to actively ban the dreaded 'default password', as Canonical has done with Ubuntu Core 16... It's clear to us that too many of the solutions to IoT security proposed today involve either mitigating security issues after-the-fact, or living in a world where IoT security problems are the accepted norm. This should not and cannot be the case.
They'll be publishing their complete findings in a new paper in January.

Customers, you had one job! /s

[mimino]

Allright, a device that is like a home appliance will not be treated as something in need of updating, ever. I think those 31% will never re-update the devices after that first time.

Re:

[MouseR]

If you have to spend your time upgrading all your IoT devices, it becomes a chore that is a turn-off for people. Not just their lighting system.

Since before IoT was a thing, my house was rigged with 3 AirPort Express and TV. The TV updates itself (it's essentially just a dumbed-down iPhone) most of the times but the AirPort Express stations (service sound system and network extenders for legacy hardware without WiFi) are always a pain to deal with. One of them, currently flashing yellow, probably has a pend

Re:

[MayeulC]

It's only serving a photo screensaver on a Luxo Mac anyway.

That's precisely what's dangerous here, and the reason why we have those IoT botnets bringing the net to its knees. No one feels the need to update their photo screensavers, especially if they are just sitting in a corner.

Either those devices should remain off the Internet (LAN or completely disconnected), or have automatic updates/remote health monitoring by the company.

An other thing to note, however, is that most companies don't care (for long) about your product once they got you to buy it. Espec

Smart Devices

[sunderland56]

If these IoT devices are so smart, why can't they update themselves?

I'm not sure about most consumers - even geeky ones - but a normal list of fun-things-to-do-this-weekend doesn't usually include updating the software on my refrigerator and stove.

Re:

[CaptainDork]

Of those polled, nearly two thirds felt that it was not their responsibility to keep firmware updated. 22% believed it was the job of software developers, while 18% consider it to be the responsibility of device manufacturers.

I agree.

Consumers want to be out of the process.

If I was a manufacturer, I'd be jumping all over this with the tag line:

"Maintenance-free."

Re:

[grep -v '.*' *]

If I was a manufacturer, I'd be jumping all over this with the tag line: "Maintenance-free."

Sounds like they can add that check mark to their boxes right now without dong anything at all.

Re:

[CaptainDork]

Actually, it sounds like they can't.

Re:

[Opportunist]

That will sell.

As soon as customers buying a fridge or a stove even know about this being an issue.

Re:

[CaptainDork]

Yahoo! consumers know, right?

Main reasons.

[DrYak]

Main reason number 1 :

"automatic security updates" isn't such an attracting key point to put on a box to get more consumer.
But "this devices has 2x more pixels than the competition and you can control it from a smartphone app" is.

(And a corollary: A gizmo that gets updated regularily will get fixed and new feature for a longer time.
This require work from the company (paying devs)
This means fewer units sold to replace obsolete models)

Main reason number 2 :

Just wait until hackers find way to spoof update source, and use it as a way to install their shit on your IoT gadget
(e.g.: that's a vulnerability that's been found on Philips Smart LED light bulbs).

Making auto-updates work correctly is HARD.
- It require advanced knowledge in cryptography
- You're at risk of TIVO-ising the gizmo if you do it wrong
- This requires that the company that makes the broken gizmo that needs a firmware upgrade be still around tomorrow. That might be the case with Microsoft, but that's hardly the case with countless asian maker of cheap no-name stuff.

 

Re:

[AchilleTalon]

Well, if advertising auto-security updates is not a selling point. Being hacked worldwide once is surely a not buying point for a customer. You don't always need to advertise everything to sell a gizmo. Just make it secure and reliable without giving all the details the customer didn't ask for on how you keep it secure.

Re:

[wvmarle]

It's not a selling point because I for one expect proper security to be standard. My computers update themselves (my Win10 box is doing this fully automatic; my Mint box notifies me when there are updates and then it's just a few clicks to get it done). My current light bulbs, fridge and toaster are secure already and can not be turned into zombies, any newer such devices I simply expect the same even if those are connecting to the Internet.

When I hear about brands getting hacked and turned into zombies, ot

Re:

[Opportunist]

Yes. You. You also know that TCP isn't the Chinese equivalent of the NSA. For how many people out there do you think this is true, too?

Most people out there do not even know this is an issue. They don't expect security to be standard, they don't even imagine that this could be something to even consider. Yes, the new fridge connects to the internet, but they don't make the connection "fridge + internet = security problem". And if you bring up the topic, all they do is shrug and say "But why should I care th

Re:

[wvmarle]

Well, a possible solution would be to not allow software updates at all. Have the OS of the fridge/TV/whatever baked into the chip somehow (physically baked, or write-once EPROM or whatever). With no possibility of having the thing run new software there is no way for any attacker to take over the device.

I'm probably missing something here, though.

Re:

[Lt.Hawkins]

That just means they don't need to persist across "reboots" (and how often do you unplug your fridge?)

The devices would still have a CPU and RAM, which is all a hacker needs to take control. And if the machine never gets patched, its easy to reinfect if the power ever does get cycled.

Production costs

[DrYak]

Have the OS of the fridge/TV/whatever baked into the chip somehow (physically baked, or write-once EPROM or whatever).

Just as a side-note, for information:
EPROM : erase-able programmable read-only memory. (and EEPROM are electrically-erasable - as opposed to other methods like UV light).
(so you would need to drop the first E).

I'm probably missing something here, though.

There are 2 different problem:

TL;DR: exploitable bugs permanently burning into ROM ; lower cost of production allowing last-minute firmware changes.

I.
- yes, if the firmware is in a non-re-programmable ROM, an attacker could not permanently install a backdoor on your smart-LED-lightbulb.
- but if the sm

Re:Main reasons.

[Gavagai80]

"automatic security updates" isn't such an attracting key point to put on a box to get more consumer.
But "this devices has 2x more pixels than the competition and you can control it from a smartphone app" is.

Perhaps the bigger problem is that a device that gets hacked and stops operating correctly in a few years is good for encouraging frequent purchases of newer models.

Re:

[WalrusSlayer]

Just wait until hackers find way to spoof update source, and use it as a way to install their shit on your IoT gadget (e.g.: that's a vulnerability that's been found on Philips Smart LED light bulbs).

This.

While auto-updates circumvent one problem, it introduces another attack vector. And a failure mode. (yay! none of the lights turn on because auto-update bricked them) Not to mention the "appliance" suddenly becoming unresponsive at exactly the wrong time while it decides to update itself on its schedule, not yours.

This just all get back to the fact that internet connectivity is being taken too far, and by people who's skillset (embedded devs) usually has no overlap with a security skillset. Been the

Re:

[thsths]

> Making auto-updates work correctly is HARD.
> - It require advanced knowledge in cryptography

I think making a proper IoT device is hard, and it also requires knowledge in cryptography.

Re:

[Opportunist]

> Making auto-updates work correctly is HARD.
> - It require advanced knowledge in cryptography

I think making a proper IoT device is hard, and it also requires knowledge in cryptography.

Logically your statements demand that making auto-updates work correctly equals making a proper IoT device.

Re:

[smallfries]

What is the advanced crypto for?

1. Check a known IP for updates.
2. If a new one is found download it.
3. Verify the signature against the public key stored in the device.

This only requires public-key crypto (from a standard library) and a basic signature scheme from a standard. Why is anything advanced required?

So many things

[DrYak]

Yup. It's a simple 3 point plan.

You just have no idea how many things could go wrong in a such seemingly simple plan.

If even Microsoft and Sony can't manage to get crypto right to protect their game consoles,
you can bet that small noname fly-by-night chinese constructors are going to completely b0rk their work.

Just of the top of my head :
- fixed IP and/or address : can be spoofed, or control of the domain name could be lost.
- "if a new is found download it" : nearly every single word of this sentence has a

Re:

[AmiMoJo]

There needs to be a standard for IoT security, and testing. Like UL or radio emissions testing that is mandatory on some products. Even if it was only voluntary, a prominent logo on the box would be a good selling point.

Consumers want security. They don't want to get hacked. They just have no idea what security is or how to get it.

Re:

[FrankHaynes]

Required reading for IoT foibles, trials, and tribulations:

https://twitter.com/internetof... [twitter.com]

Re:

[AchilleTalon]

I guess some people here will advocate contrary just like it is evil for Microsoft to force customers to update Windows to keep it secure and current. Just like this bunch of people who refuses to upgrade from Windows 7, 8, 8.1 for no other reason they don't want to be spied on by Microsoft.

Re:

[wvmarle]

I was also surprised by seeing 31% claiming to update their devices "as soon as updates are available". That's an incredibly high number.

First of all: the user has to actively keep track of the availability of updates, somehow. The only possibly updateable device in my home, my router, I never updated the firmware of. It's about a year old. I don't know if there are updates, last time (a week or two) ago I logged in to the device it didn't notify me of there being any updates. To find updates (and know if a

Re:

[thegarbz]

Forcing and setting automatic defaults are two different things.

The update processes and realitie are the problem.

[aussersterne]

They are time-consuming, failure-prone, complex, and require multiple steps. Once you have 15-20 devices, it could easily take you a month of infuriating weekends doing nothing else, assuming an hour fiddling with each device. What joy!

1. Update processes should be fixed so that they rarely fail and require only triggering, not heavy intervention
2. They should be easy to trigger, and the current update status should be easy to check

Re: #2, there should be a small LED-illuminated button somewhere on each dev

Re:

[gordguide]

Stop thinking like a Geek. Your LED scheme is only useful to someone who would update his devices in the first place.

You need to think like a grandmother in rural BumFuck with a 6th grade education.

Light is on, any color: Something is wrong. Push button. Go back to Soap Opera.

Light is off. Nothing is wrong. Go back to Soap Opera.

History says that won't work.

[aussersterne]

[After 20 minutes on hold and/or waiting on live chat]

Q: Hi support, my device doesn't appear on my phone|won't talk properly on my network because happened suddenly|got new phone|got new router|etc.
A: You need to run the latest update, that should fix the problem.
Q: But I can't without my phone.
A: I'll walk you through it. Step 1 in convoluted process X...

If nothing else, put the notification on the phone, but the button on the actual device. At least that way, if something isn't working, support can say:

Re:Smart Devices

[epyT-R]

I have a better idea: how about having no 'smart' functionality that requires updating? No security issues whatsoever.

Re:

[Anne Thwacks]

Mod parent up!

Re:

[serviscope_minor]

I'm not sure about most consumers - even geeky ones - but a normal list of fun-things-to-do-this-weekend doesn't usually include updating the software on my refrigerator and stove.

Yep, and as well as being dreary and almost certainly involving the use of appallingly bad software and websites, there's also the fun surprise over which features are broken afterwards.

Re:

[MMC Monster]

The last time I let my Denon receiver update itself, the update stalled and I spent over an hour between manually downloading patches on a desktop and patching it over USB and several calls to their (admittedly fairly good) customer service phone center.

And, of course I had tried the original update just before the kids wanted to use the TV for a movie night.

Fool me once...

Make updating easier

[MoarSauce123]

How many motherboards, routers, webcams, and other devices did I go through that stopped working after applying a firmware update following the instructions given by the manufacturer? I stopped counting. Worse even, once updated all configurations are reset to factory default and I had to either restore the settings if there was a means to back them up or redo everything from scratch. Who the f*ck has time for this? If manufacturers would make updating easy and failsafe the number of folks applying the upgrades would be much higher.

Re:Make updating easier

[BigBuckHunter]

How many motherboards, routers, webcams, and other devices did I go through that stopped working after applying a firmware update following the instructions given by the manufacturer?

Even worse, after bricking a device and requesting support, you're asked the insulting question, "What issue were you trying to resolve by updating the firmware?", as if you've been doing something wrong and tampering with the device causing it to fail.

Any not-horrible tech vendors out there that you would recommend?

Re:

[SeaFox]

Even worse, after bricking a device and requesting support, you're asked the insulting question, "What issue were you trying to resolve by updating the firmware?", as if you've been doing something wrong and tampering with the device causing it to fail.

Or they might just be following the old saying "If it aint broke, don't fix it".

End users don't generally consider security issues things that need to be fixed. They only know their thingamajig worked fine before you started playing with it, and now it doesn't. Arguably, they're right. The "issue you were trying to fix" was a failure on your company's part to write the device firmware more secure to start with. Remember most of these exploits are things like back doors with hard-coded passwords, hidden teln

Re:

[AchilleTalon]

This is not restricted to IoT devices and firmware updates. I have seen enterprise software with security holes and outdated components the manufacturer just refuses to make current and is asking us to pay for him to update these OSS components its software is relying upon. Even in cases where the OSS components in question are not longer supported by the community for a few years. There is a lot of lazy people out there with this mentality, if it ain't broken don't fix it. When in fact it is broken, it's j

Re:

[techno-vampire]

...you're asked the insulting question, "What issue were you trying to resolve by updating the firmware?"

I spent over seven years doing tech support for an ISP. We didn't have to worry about firmware upgrades, because that was something to be discussed with the OEM, not us. However, if I did, that question would have been routine, because our first step would have to be to restore the status quo ante, and if you were having trouble before, I might have to take it into account in rolling things back. B

Re:

[AmiMoJo]

Q: What issue were you trying to resolve by updating the firmware?
A: Your incompetence.

In the EU your warranty is generally with the shop, not the manufacturer. So when stuff like firmware updates go wrong, you can take it back to the shop. Unfortunately they get around 28 days to fix it in most countries, but at least it saves you calling the manufacturer and answering stupid questions like this.

Re:

[epyT-R]

or, what if manufacturers:

1. bothered to write secure code
or
2. just stopped adding pointless overengineered functionality that reduces reliability, security, and privacy. There's no need for my fridge and toaster to have ip addresses.

Then updates wouldn't be so critical.

Re:

[Holi]

In 20+ years of working on computers, I don't think I have ever once bricked a device while updating firmware. And you've lost count? Maybe you shouldn't be touching stuff like that so much.

Self-updating must become the future

[Dutch Gun]

Future IoT devices (especially consumer devices) should really be self-updating. It's possible with proper encryption to do this safely and securely. Anything that connects to the internet is bound to have exploitable flaws discovered sooner or later, and anything that can't self-patch will never be patched, statistically speaking. I didn't need a study to confirm this (although it's good to have it confirmed). It's blindingly obvious from historical anecdotes and experience. I recall Steve Gibson refe

No it shouldn't!

[johannesg]

Your PC is an IoT device, yet when Microsoft makes auto-updates mandatory you are all screaming bloody murder. I cathegorically DO NOT WANT manufacturers to be able to see what I'm doing, or change functionality after I bought the device (because I have no guarantees whatsoever they will not remove half of the features I wanted and needed, as Sony did with the PS3 'other OS' option), or even outright disable the device (like what happened with that Samsung phone).

I can only hope that devices that are not, i

Customer Survey Discovers iOT Device Are Useless

[elcor]

And Shouldn't Exist In The First Place.

Re: Customer Survey Discovers iOT Device Are Usele

[fferreres]

If it weren't so true. I avoid IoT unless I trully needed. It's not that I don't believe in automation and control. It's just that Internet per se is 't the right choice and I don't want an orchestra of things that anderstand little or nothing of what I want or need.

Is it so hard to bake in a chron job?

[wierd_w]

Seriously, what the fuck!?

Blaming ignorant users for not being technowizards? Yes, *WE* know how to update an embedded linux device, but your average person does not even know it runs embedded linux, let alone how to manage such a device manually.

WHAT THE FUCK. No-- just embed a reasonable package management suite into the firmware that does digitial signature checking, and a chron job to look for updates every week.

This whole problem is a non-problem when handled properly.

The real issue is that some corporate retard wanted to be a miser on the flash chips because he could get teensy weensie ones really cheap, and so essential functionality gets scrapped with a "blame the end user" scapegoat attached.

Re:

[wierd_w]

Or, like most people, I set it and forget it.

I too can infer things about yourself, AC, such as-- you are an insufferable asshole that nobody likes, that likes to make inferences about people and threat them like facts. But that would be hypocritical of me. ;P

Re:

[wierd_w]

cron, malapropism of chronos, god of time.

I remember the association with chronos and time (eg, it is "chronometer" not "cronometer") and thus keep spelling it chron, which, IMO, is how it SHOULD be spelled.

But, because the author decided it needed to be spelled wrong, I do indeed get that error message, I get angry, I make a simple invocation redirect in /usr/bin, and I go on with my life.

Re:

[Anne Thwacks]

In the 70's, when cron was written, the name needed TWO words of memory to hold it. Chron would have needed three! If your machine had only 32k words, and the OS needed 8k, this was an expensive waste.

Some people forget that machines used to be word addressed, not byte, and when memory cost $1 per BIT, saving memory was a big deal. Others forget that if you call your latest piece of software "cat", any attempt to obtain support is impossible because you will be overwhelmed by cat videos. Well, in 1978, c

Re:

[fisted]

I make a simple invocation redirect in /usr/bin

"chron", "invocation redirect", .... doing it in /usr/bin.

Maybe stop pretending to be familiar with unixlike OS.

Re:

[wierd_w]

sudo ln -s /usr/bin/chron /usr/sbin/cron

Oh noes! I know how to use a symbolic link! The horror! Now when I type 'chron', it invokes 'cron', and I dont get mad!

But it makes other nerds angry that I would do it! I feel so ashamed! It's in the user bin folder, instead of the user shared bin folder! How horrible! Nevermind that BOTH are in the fucking path statement, and it wouldnt matter which one I put it in.

In other words, go fuck yourself idiot.

Eye-Oh-Tee is the new

[turkeydance]

icebox. constant updating (reloading) by only one vendor with the foreboding obsolescence due to the neighbor's refrigerator.

How about having a hub?

[Kjella]

I can't really imagine my house becoming very "smart" with every light bulb doing its own thing. I'd rather pair it with a hub so I could manage all my devices from there. That way the devices themselves would be more shielded and it would be the central point to update everything from. Kinda like active directory/domain administrator but for my IoT network instead of Windows PCs.

Re:

[silas_moeckel]

They have just that it's called hub. Properly implemented home automation uses them, Zwave, zigbee, Bluetooth even wifi.

A standard that does not let you do whatever the manufacture wants means they can not spy on you. Thus why they avoid using them.

Windows 10

[duke_cheetah2003]

And this is why Microsoft went the route of forced updates. There simple is no other way to get muggles to update their crap unless you force the matter.

Re:

[rubycodez]

because Microsoft would never force an update that removes functionality or cripples my system

(that's sarcasm, they've done both to me and various employers of mine repeatedly)

Re:

[thegarbz]

Forcing and setting defaults are two different things.

Re:

[duke_cheetah2003]

In the Linux world there is the option to automatically download and install security updates. No user intervention required.

Your statement is flawed. An option requires user intervention to enable.

Microsoft used to allow this with Windows, but eventually began abusing it by including Telemetry related updates so the masses started turning off Automatic Updates.

I can guarantee you are completely wrong here. Not about the abuse part, Microsoft clearly collects information from Windows machines. But you even say the word telemetry to the average muggle, they're going to give you a blank stare. People turned off automatic updates because an update interrupted them at some point and they went 'this is stupid and annoying. i'm turning it off.'

I bet a lot of other automatic update disablings co

Re:

[Anne Thwacks]

Another big open sore in my opinion is pirated Widnows copies which Microsoft has decided don't qualify for updates,

And Microsoft are completely hopeless at knowing which are the legit copies (or were when Win7 was released - I have not used Windows since).

Its not just MS. My Samsung phone keeps saying "update security policy". There is no obvious means of knowing whether this message came from Samsung, my carrier, or hackers.ru. Nor is there any way to tell whether the "update" is for the purpose of de

In other news

[FrankHaynes]

"IoT manufacturers are terrible" about building security, usability, and reliability into their products as a fundamental design goal.

But sure, let's blame the customers. Assholes.

Because IoT has no value to consumers

[Attila Dimedici]

This is because almost no one buys a device BECAUSE it connects to the Internet. The IoT provides little to no value to the consumer, why would they pay attention to when the device needs updating. For that matter, in the normal course of using these devices, how would the end user even know that it needed updating?

Re:

[account_deleted]

Comment removed based on user account deletion

I wonder

[CanadianMacFan]

How many of the people that are suggesting that the devices automatically download updates were the ones complaining that Microsoft forced updates to be automatically installed onto their systems?

Warranty

[Spamalope]

In my experience, if the manufacturer releases a firmware update that bricks some hardware revisions often they will not warranty repair it. Years ago one of the early Lexmark scanner+laser to make a copier devices shipped with a network stack bug that was a show stopper for us. ($3k+, T63x series printer as a base) Lexmark support wanted me to firmware update before returning it. I read the 'I agree' text with the update, which said bricking the device wasn't covered. I asked support if bricking the device was a risk, and kept a copy of the chat log - which was great because the update bricked the printer. When I called support back, they refused warranty replacement until I showed chat log copies. -sigh-

A friend had a similar experience with an Eyefi (wireless SD card). That's before you get to vendors that do feature or performance takeaway with the update.

And vendors are terrible about SQA-ing updates.

[dpbsmith]

The other side of the coin is that I am very dilatory about installing any kind of update to anything because a) experience shows that the chance of an update breaking something in a serious way is something like 10-20%, b) the problem may not be obvious in the first five minutes or the first week of operation.

My wife's PC has now been rendered unbootable TWICE by Microsoft pushing through bad updates. I personally will not install a Mac OS update until I've taken the time to do a local backup to a hard dri

Re:

[Ol Olsoc]

My wife's PC has now been rendered unbootable TWICE by Microsoft pushing through bad updates. I personally will not install a Mac OS update until I've taken the time to do a local backup to a hard drive, a remote backup to a cloud backup service, and waited two weeks to see if Apple retracts and re-releases the update, and read Macintouch for user reports to see what kinds of problems people are having.

How many times has Apple screwed you up with an update? I always wait a while, but seems like for the level of trouble you go to every update has broken something.

The software industry has got to figure out a way to make sure that updates are one or two orders of magnitude safer and more reliable to install than they are today.

I'm not so certain they want to make them safe. If I were to design an attack vector for the internet, the present Internet of Things is the perfect model. Create things that the least knowledgable among us, the people who re obsessed with and never look up form their smartphones can be more easily enticed for this kind of future http://www.worrel [worrell.com]

In other news

[Ol Olsoc]

Poop stinks.

The sky is blue.

Grandma loves you.

The internet of things is a terrible idea.

Seriousfreakingly?

People avoid updating their computers, so they're surely going to update their refrigerator or the bottle that tells them when to drink water? "Honey did you remember to update the toilet?" said no one ever.

Re:

[mmell]

I update my toilet, immediately after flushing the cache. It prevents buffer-overflow attacks!

Recycle

[Princeofcups]

As a 30 year IT veteran, I have never updated a consumer device, by definition. If we are talking about enterprise devices, then we probably have a maintenance contract with a vendor that performs updates for us. But a consumer device? Should just work, and when it gets old, throw it out and get a new one.

Re:

[mmell]

Does that include routers? I've got a none-too-old DLink router which hasn't received an update in two years, although I do check periodically.

It's not all my fault.

Not always the consumer's fault

[Solandri]

I built and installed a network-based security camera system at my office. Security cameras are one of the IoT devices which frequently seem to be in the news as having security flaws, so I figured I should check for firmware updates. One rolled out and I installed it on one camera.

It reduced the camera's operating resolution from 2048x1536 to 1920x1080. The whole reason I had bought that particular camera was for the 4:3 aspect ratio - that combined with the lens' focal length provided the exact cove

The problem is developers and new features

[BlueCoder]

People are tired of "their" devices changing and needing to relearn how to use them over and over again.

Software needs to be engineered such as the UI experience never changes but you can update the underlying security.

Separate the UI from the underlying tech!

No more new features unless someone wants/needs them.

Stop the marketing eye candy.

Keep it simple stupid.

Re:

[BlueCoder]

P.S. Similarly people are discouraged when software stops having features that we originally purchased. Stop disabling what I already paid for. I don't care about stupid laws and lawsuits. Once the product is released you can't take it back. If you screwed up then YOU screwed up and will have to suffer YOUR OWN consequences.

Maintenance for security isn't a NEW release of software; it's maintenance.

And this whole Samsung thing where they are disabling the devices remotely is a point of cause. If customers d

Re:

[account_deleted]

Comment removed based on user account deletion

31%

[irrational_design]

That is an astonishingly high number in my opinion. Unbelievable I'd even say.

Consumers are right

[Sarusa]

Updating the fucking lightbulb because the thing Phillips sold you is a piece of shit is not the job of the customer. They bought an appliance that's just supposed to work.

I don't buy any of them because I know Internet of Shit companies have completely blown it there and in every other way and it's going to get a lot worse before it gets better.

Pardon the strong language, not trolling, this is just such an obvious, predictable, very predicted cluster that I have Strong Feelings.

That is because they are consumer

[aepervius]

Consumer are not system administrator. Consumer expect some device categories to work out of the box, without having to update them, and most IOT devices belong to those categories. Why should a consumer "update" his fridge ? Such device , if on internet, should do it itself automatically , and fail gracefully if the update fail (go back to previous version). It will take about 20 to 40 years for the perceptions to changes, as the older generations dies out, and the younger is used to update everything. Me

I already knew that.

[RumGunner]

I also know that you are out of milk.

99% of IoT devices think they are important

[holophrastic]

I'm not updating my fridge. I'm not updating my router. I'm not updating my toothbrush. I'm not updating my toilet. Aside from real security items -- and by that I mean the security of my blood coarsing through my arteries (and some specific veins) I'm not creating more work for myself. It's that simple.

My car gets semi-annual maintenance service because it can kill me in a heartbeat if it breaks. Elevators, furnaces, hot-water tanks, swimming pools, attics; these are the kinds of things that can caus

Re:Duh

[Luthair]

Unfortunately manufacturers have previously abused the power of automatic updates to remove features or to shove 'features' down users throats. And of course many other manufacturers don't even bother to issue updates anyway. Unfortunately I don't think well see any change to these problems without legislation.

Re:Duh

[Dutch Gun]

Yeah, I also suspect we're going to need legislation that demands automatic security updates for a reasonable lifetime of these devices. It's not viable to only provide updates for, say, the warranted period, because these are devices that may last for a decade or two, and if they have a security flaw, they can be used to actively harm others. The market won't self-correct for this issue, because it's a safety issue that's not readily apparent to the user, nor does it actively harm that user, instead collectively harming others.

I have a feeling manufactures would be a lot more careful with security and less eager to jump on the IoT bandwagon if they knew they were signing up for a *very* long support tail. Instead, they're treating these tiny internet-connected computers like any other disposable hardware, and that model is proving to be insufficient when the internet and security issues are thrown into the mix.

Smartphone manufactures took a few years and a couple of really nasty security flaws (and subsequent bad press) to get dragged to that conclusion as well. Well, some are starting to get it, while others still think they can "sell and forget".

Re:

[skids]

This probably isn't why most users do not update.

But you are right, bundling security updates with other behavioral changes risks turning off users to updates.

Re:Duh

[Alain Williams]

In fact the device maker should be by law forced to supply updates for it for 3-5 years for any device they make that connect to the internet for security reasons.

3-5 years is far too short. How often do you replace your: fridge, room light fittings, central heating system, ... ? For many this will be when they break, which for most of those things is 10-30 years. That is how long they should provide security updates for; with a source code escrow system that puts it all into the public domain if the manufacturer goes bust. Unfortunately many IoT manufacturers are only interested in a quick sale; once the next model is out the previous one receives no attention at all. The same is with 'phone manufacturers.

In addition: if the IoT device relies on some manufacturer provided cloud service they should be forced to keep that running for 10-30 years as well.

Re:

[Anonymous Coward]

30 years? Bahahahahaha

Just like phones and tablets ushered in a new era in computing where extensive surveillance and limits on user freedom were commonplace and accepted (and from some corners even encouraged), IoT crap will be the start of a new paradigm where it's normal to replace your refrigerator every 3 years because it no longer has enough RAM to remember how much milk you have.

Re:

[Opportunist]

Convincing people to throw out a fridge every other year like they do now with their phone is sure going to be a hard sell. Those things tend to be heavy...

Re:

[Gavagai80]

Unfortunately the code going to the public domain isn't going to get more than 0.01% of users updated, and the life expediencies of most of these companies are far below 30 years.

Re:

[thegarbz]

When your old stuff finally breaks you'll realise that 5 years is not such a short time in the modern world.

Fridges, TVs, appliances, thermostats, I'm budgeting to replace those every 5 years in the brave new world of super cheap (reads: unreliable garbage) appliances.

Re:

[Opportunist]

They are not only interested in that quick sale, they are also very interested in your IoT toy becoming obsolete as soon as possible, preferably right after warranty is over.

You're supposed to buy a new one, not cling to that one 'til ever bit falls off!

Re:

[Opportunist]

Why? The customer does very obviously not give half a shit about it, so what's the problem? I dare to bet that at least half of the people buying that crap don't even know that there COULD be a security problem.

Re:

[wierd_w]

The hardware isn't the problem, the problem is the insistence on monolithic update packages, instead of implementing a writable flash filesystem and adding a package manager.

OpenWRT fixes that on supported routers. Gives you JFFS for nonvolatile storage, and opkg for package management. Includes chron. Automated self-updating from the repo is as easy as a chron job away.

The real problem is that the IoT makers want to sell throw-away devices, and people like you are willing to throw the devices away. Give

Re:

[ZenShadow]

Package-based granular updates won't solve this problem; it'll make it worse, just in different ways.

#1: Building baked images is no more difficult for a software developer than using a package manager. In many ways, it's easier: they can guarantee that all of the components are exactly the version that they're supposed to be, instead of hoping that someone didn't randomly update the package repository with an incompatible version of some library. Not to mention having to deal with the vagaries of softw

Re:

[wierd_w]

I am neither Mr Hype, nor his secretary Ms Hyperbole, but I can answer your question Mr Coward.

First and foremost, the attack surface starts at your front door. Namely, your internet router.

Most consumer level devices of this nature have back doors baked into them. Just google it. It will astound you. Such back doors give would-be hackers access to the routing tables, and thus the isolation between your private and public network areas. That allows them to directly portscan you right from your own router, a

Re:

[n3r0.m4dski11z]

"Please Mr Hype and Ms Hyperbole - explain it like I am five - what is the quantifiable risk that somebody will bust through my firewall and attack my IOT device that generally does not communicate out side of my network."

Ah i bet your the sort to not run a virus scanner either because "i dont get viruses".

Scenario #1: Shit happens. Someone on your network gets rooted somehow (trivial in the windows world) and now scripts on that PC run 100 exploits, one of which is to search the local network for bathroom

Re:

[Anne Thwacks]

unless the industry is nuked from high orbit. (Its the only way to be sure).

FTFY

Re:

[rubycodez]

Indeed, most of the problems are due to high IQ morons reinventing the wheel instead of using provably correct code (only doable in certain languages). Provably correct code is a problem solved decades ago. The remainder of the problem has to do with encryption strength.

Re:

[toonces33]

My attitude is that lot of these appliances didn't need to be on the internet on the first place. So while there might be a need for firmware updates for one reason or another, you shouldn't need to be constantly checking for updates just because of malware.

Re:

[rubycodez]

You are an idiot if you blindly load all of Microsoft's updates. Put your name here so smarter IT departments won't hire a moron like you that would render systems useless for work

Re:

[mmell]

Uh, most enterprises I've dealt with use some form of WSUS to provide exactly the kind of control you're referring to - because they are running servers which will leave a lot of employees sitting around getting paid to do nothing if a server goes down. They also have people trained to keep an eye on the whole update process to ensure that nothing bad happens, as well as to ensure that employee desktops are updated.

Microsoft shoves updates down the throats of end-user (consumer) desktops because Joe Sixpa

Re:

[johannesg]

You are an idiot if you blindly load all of Microsoft's updates. Put your name here so smarter IT departments won't hire a moron like you that would render systems useless for work

I'm always wondering if people like you actually talk like that in real life too, and if you do, how often you get smacked in the face. Really, is it so difficult to at least be polite?