2016 was the year that the Internet of Things (IoT) finally entered the mainstream consumer domain, with smart thermostats, smart fridges and even smart homes now entering the market for everyday consumers to buy. You can’t set foot in an electronics shop without being distracted by all the shiny IoT devices.
But while the IoT may seem like a new and innovative concept, in reality most of us have been living with connected devices for years. Most houses are full of old connected ‘things’ – be they printers on a network, connected disk storage for remote backups, a set top box, a broadband modem, even an old smart TV or Bluetooth speaker system.
All of these things are connected to Wi-Fi or Bluetooth or a fixed network, no different to any new IoT device.
All of them run some sort of Linux, or a microcontroller with its own firmware, and all of them execute code. How safe is this code? Most people don’t know. The real question is, does the manufacturer know?
Most embedded software has traditionally been written by hardware companies that only developed their code because they had to, in order to make their product useful in the first place.
For most device manufacturers, software development is a cost centre, not a revenue generator. As such, software development will often be pushed to the bottom of the pile in an effort to limit overall costs.
The end result is that most manufacturers are happy to sell their devices to wholesalers or retailers and then forget all about them – they rarely continue to provide long-term support.
At best, consumers may be lucky enough to find an appropriate firmware update in some obscure corner of the manufacturer’s website, which frankly only the most technical consumers will really know how to install.
Is it worth the risk?
So if manufacturers fail to provide updates for their products, or if consumers simply do not understand how those updates should be installed, what are the consequences for the ‘old internet of things’?
The first risk is ransomware coming in, stealing or locking down data and demanding a Bitcoin ransom for its safe return. Another is criminals watching what you do. If they can control your broadband modem or Wi-Fi router, then they can play the middleman, intercepting your private data along the way. You may think that you’re connected to Facebook, Google or your bank account, but in reality your traffic is being routed through a local copy of the site or a keylogging platform.
What if botnets come in and use your living room as their own micro data centre? All of a sudden, your house is part of the ‘dark web’. You could be part of a distributed denial of service attack that brings down a company, vital services or government website.
There is also the potential that your electronic door lock or smart light might be remotely controlled by a hacker. Thieves will no longer walk up to your house with a crowbar, but will instead carry a laptop and a scanner to open your door lock and steal your belongings. This is something that we have already seen with cars’ remote locking systems.
So important is this threat that governments around the world are beginning to look very seriously at this area, including the U.S. Department of Justice, which earlier this year joined other international agencies in evaluating IoT technology for national security risks.
Protecting the IoT
What can be done to protect the future of IoT devices from all of these risks? Hardware manufacturers will need to change their software attitude. They need to understand that they hold responsibility for their products, and could be held liable in instances where their poorly-secured software aids in a cyberattack.
Instead of leaving it to consumers, manufacturers will need to invest in supporting software years after they have sold a device. This software will need to be patched every time a critical security issue is discovered.
Unfortunately, profit margins on the average IoT device don’t pay for ongoing software maintenance contracts. As such, how are manufacturers expected to pay for such long-term support without putting themselves out of business?
The only way to solve this issue is to centralise the responsibility for updates. By separating the hardware, the low-level software (i.e. the kernel), the operating system and the overlaying software into independent components, both vital software and firmware updates can become increasingly automated. This reduces risk and makes the update as pain-free as possible for manufacturers and consumers.
By requiring digital authentication for all apps and related updates, centralised software helps to ensure that all apps are constrained and contained. If an app is hostile to other apps on the device, or is simply badly written, then the operating system will isolate the app to make sure it can’t harm anything until an appropriate security patch has been delivered. If the update fails, then you can simply roll back to the previous working state, allowing manufacturers to withdraw updates that do not work as planned.
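The two mechanisms just described, authenticated updates and rollback to the previous working state, fit in a few dozen lines. The following is an added example, not code from the article or from Canonical’s own update system; it assumes a hypothetical package format (image plus an Ed25519 vendor signature over a manifest of version and image digest), a constructed `healthy` boot check, and additionally rejects validly signed but older images so that a withdrawn update cannot be replayed onto a device.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)
// Update is a constructed, hypothetical package: image plus vendor signature
// over Manifest(version, image), so neither field can be altered in transit.
type Update struct {
	Version uint32
	Image   []byte
	Sig     []byte
}
// Manifest binds the version to the image digest; this is what the vendor signs.
func Manifest(version uint32, image []byte) []byte {
	return []byte(fmt.Sprintf("%d:%x", version, sha256.Sum256(image)))
}
// Device keeps the previous image so a failed update can be rolled back.
type Device struct {
	VendorKey ed25519.PublicKey
	Image     []byte
	Version   uint32
}
var ErrSignature = errors.New("rejected: bad signature")
var ErrDowngrade = errors.New("rejected: not newer than installed version")
var ErrUnhealthy = errors.New("rolled back: new image failed health check")
// Apply rejects unsigned or stale updates; a new image that fails the health check is rolled back.
func (d *Device) Apply(u Update, healthy func([]byte) bool) error {
	if !ed25519.Verify(d.VendorKey, Manifest(u.Version, u.Image), u.Sig) {
		return ErrSignature
	}
	if u.Version <= d.Version { // a validly signed old image must not be replayed
		return ErrDowngrade
	}
	prevImage, prevVersion := d.Image, d.Version
	d.Image, d.Version = u.Image, u.Version
	if !healthy(d.Image) {
		d.Image, d.Version = prevImage, prevVersion
		return ErrUnhealthy
	}
	return nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	d := &Device{VendorKey: pub, Image: []byte("v1"), Version: 1}
	u := Update{2, []byte("v2"), ed25519.Sign(priv, Manifest(2, []byte("v2")))}
	fmt.Println(d.Apply(u, func([]byte) bool { return true }), d.Version) // <nil> 2
}
```

On a real device the private key never leaves the vendor, only the public key is shipped in firmware, and `healthy` would be the post-boot self-test that decides whether the new image stays.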
This is what the future of IoT requires: centralised updates and support for both existing ‘old IoT’ devices and the new generation of smart technologies hitting our shelves.
Sourced from Maarten Ectors, VP of IoT, Canonical