Consumers shouldn't be responsible for IoT device security

As long as the Internet of Things has been a trendy buzzword, security experts have been warning that it poses a danger. Apocalyptic predictions about billions of insecure devices – whether they be cameras, washing machines, thermostats, even cars – being compromised and causing chaos have been circulating for a while now.

Late last year, however, we saw the first example. The Mirai botnet – an estimated 100,000 IoT devices compromised due to factory default or hard-coded passwords – targeted DNS service provider Dyn in a massive DDoS attack and took out large swathes of the internet for a time.

But despite Mirai showing exactly how consequential IoT insecurities can be, little seems to have changed. Security experts are still making dire prophecies, and the issue of how to approach security was still brought up several times during the IoT Tech Expo in London in January.


Fail fast, fail insecurely

“At the back end of last year there was a lot of discussion around IoT Security,” says Thibaut Rouffineau, Head of Devices at Ubuntu. “But there is a total disconnect in the industry between what we're reading in the press and when we talk to various device vendors out there.”

“The attitude from manufacturers hasn't really changed. In general, making money and building a device fast is probably much higher on their priorities than security. I’m not going to say it's absolutely everyone, but right now the main question a lot of these people have is: ‘Hey, we need to build an IoT device, we need to be first.’ And then they just rush, try to get a product out, and if it doesn't work they just leave the market afterwards, leaving the devices behind.”

Even if we’re not talking about the Dirty Cows, Pork Explosions, and other well-named vulnerabilities, no one ships perfect code. There are plenty of unnamed bugs and problems that never see the light of day but could well be being exploited; we never hear about them, and companies never patch them.

“You have this world out there of people and devices that are in a sense, waiting for catastrophe to happen.”

Some manufacturers might argue the cost of security is too great, but Rouffineau argues this is merely “fake savings”; they might roll out a product quickly, but if there’s no way to update the device’s software and patch security issues, the cost of a recall or sending people in to retrofit or manually update the device often costs far more than implementing proper security practice from the beginning of development.



According to a new study from Canonical, the public at large cannot be relied upon to keep their IoT devices updated, and therefore secure. It found 40% of consumers have never consciously performed updates on their devices, while 8% weren’t aware that they could or needed to update. The study of 2,000 people found nearly half didn’t realise the IoT devices in their homes could be used to conduct cyber-attacks.

“The onus cannot be on the user,” says Rouffineau. “There's a whole misconception that we can change people's minds. It won't be possible.”

“The reality is that the manufacturers will have to own, to have the responsibility of updating things remotely.”

While at the minute there’s lots of talk and no shortage of recommendations, repercussions could become more serious for manufacturers if they don’t step up.

“If the industry doesn't really embrace security and start thinking “we're responsible for not only the users, but really the health of the internet”, we’re entering a path where at some point you'll see not just recommendations and white papers, but the kinds of thing the FCC started doing where they started a lawsuit against D-Link for their poor practices around security for their home routers.”


“A DevOps revolution in IoT”

In the device-makers’ defence, he argues that current tools for remote updates are “extremely crude” and prone to failure. He likens the current state of IoT development to that of Linux 20 years ago, when development tools and environments were being used for production because there was nothing else around.

“About 90% of the devices that you see out there will be running a version of Linux that's been home cooked, and really is more of a development environment with everything that can be wrong about a development environment.”

“There needs to be a DevOps revolution in IoT to get people to manage their boxes not as something that is fragile and might break if I touch it and therefore I’m not going to touch it anymore to being fully integrated into an IT system and an operations mechanism.”

Ubuntu’s answer to this is Ubuntu Core, a specialised IoT version of the Linux distribution that lets the entire software stack be updated in a way that rolls back to the previously working version if the update fails.

“If every time manufacturers do an update they have a 1% fail and they have to send people onsite they will never do it, which is why many of them never do remote updates today. If they have a mechanism to make sure whatever happens the box will continue to work, then there's a lot more of an incentive for manufacturers to act and to take care of software more than they do today.”
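The rollback-on-failure property described above, and the reason it changes the manufacturer's risk calculation, as a constructed model added here (not Ubuntu Core's own code): a device keeps two image slots, stages an update into the inactive slot, and commits to it only after a post-boot health check passes, so a failed update leaves the previously working image active. The slot names, `Device` class and `health_check` callback are assumptions for the illustration.

```python
"""Model of an A/B (dual-slot) update with automatic rollback.

Constructed illustration, not Ubuntu Core's implementation: the device keeps
two image slots, installs an update into the inactive one, trial-boots it,
and only commits to it after a health check passes. Otherwise the old slot
stays active and the device keeps working without a site visit.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Device:
    slots: Dict[str, bytes] = field(default_factory=dict)  # slot -> image
    active: str = "A"            # slot that boots by default
    trial: Optional[str] = None  # slot staged for a one-time trial boot


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def stage_update(dev: Device, image: bytes, expected_sha256: str) -> bool:
    """Write the new image into the inactive slot.

    The image is refused if its digest does not match the manifest value,
    so a corrupt or tampered download never becomes a boot candidate.
    """
    if sha256(image) != expected_sha256:
        return False
    inactive = "B" if dev.active == "A" else "A"
    dev.slots[inactive] = image
    dev.trial = inactive
    return True


def boot_and_verify(dev: Device, health_check: Callable[[bytes], bool]) -> str:
    """Trial-boot the staged slot once and return the slot now active.

    If health_check passes, the trial slot is committed; if it fails, the
    trial flag is cleared and the previously working slot remains active,
    so the next boot is the old, known-good image (automatic rollback).
    """
    if dev.trial is None:
        return dev.active
    candidate, dev.trial = dev.trial, None
    if health_check(dev.slots[candidate]):
        dev.active = candidate
    return dev.active
```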


Dan Swinhoe

Dan is a journalist at CSO Online. Previously he was Senior Staff Writer at IDG Connect.
