back to article Why don't people secure their IoT gadgets? 'It's not my problem'

Canonical, maker of Ubuntu Linux and its Internet of Things variant, has discovered the obvious – that people cannot be trusted to secure their connected devices. Thibaut Rouffineau, evangelist for Ubuntu Core and the Internet of Things, admitted late last week that developers and IoT device makers know people seldom update …

  1. Youngone Silver badge
    Black Helicopters

    Probably true

    There are also the people who don't realise they might need to update their internet connected stuff.

    Most people look at me like I've been drinking when I point out to them that their smart phone is a computer.

    That their internet connected toothbrush is one too never occurs to them.

  2. Badger Murphy

    Worse than diminishing returns

    These devices offer the promise of a technology-aided utopia, in which life is made simpler by devices that predict what we want and do it, and where many trifling chores are simply done on our behalf.

    The part that nobody in that industry wants to talk about is that these devices do something tiny and barely worth automating, and in exchange, demand constant updates, fiddling, troubleshooting, and often failure to even complete the task at all.

    It is a problem in need of a solution masquerading as a solution in need of a problem.

  3. Yes Me Silver badge

    Toothbrush defects

    If I sell an electric toothbrush with defective insulation, I am presumably liable under pretty much any country's consumer protection laws. We don't expect the owner of an electric toothbrush to fix the insulation - we expect the maker or seller to recall it and replace it.

    Why should it be different if I sell an Internet toothbrush with defective security? It's actually easier, since no physical recall is needed.

    DVRs update themselves - why not toothbrushes?

    1. Brian Miller

      Re: Toothbrush defects

      The problem is people don't understand that what they bought is the server-grade hardware of yesteryear, stuffed into a toothbrush, a toy bear, or a toy doll. Sure, it would be good if while getting the CE or UL rating the same agency passed it for basic security checks, too.

      For my IoT web camera, I have to sequentially upgrade it for each patch to the current version. I can't skip a patch on it, or it won't recognize the next set of firmware. No, it doesn't check in at the manufacturer's site and just do the right thing. It has more than enough memory and storage, but they just didn't bother with that.

      No, Ma and Pa Kent aren't going to go all BOFH on any of their devices. It came in a package, it has blinky lights, and it mysteriously connects to the phone and/or the computer. Electricity is mysterious and magical, let alone an ARM chip the size of my little fingernail that puts a Cray-1 to shame.

      On the other hand, that IoT thing is being used by my boss, and it doesn't have good security...

  4. tfewster
    Facepalm

    True, but if they buy a car, they have to fuel, tax and maintain it. Even an electric toothbrush needs charging and the heads changing. How can you NOT realise that complicated stuff needs more maintenance?

    1. oldtaku Silver badge

      They're not selling it as 'more complicated stuff', they're selling it as 'this thing will make your life so much easier!'

      Giving the toothbrush a charge and occasional new head, which are very simple and straightforward processes, is not the same as spending 12 hours trying to get your f#@$ing 'smart' camera's firmware updated through its arcane process which inevitably will not work behind a firewall so you have to put it directly on the net where it will be instantly pwned before you can even get the upgrade finished... And the person who's supposed to do this thinks their ISP is 'the internet' and can barely manage email.

    2. Anonymous Coward
      Anonymous Coward

      People bring car to scheduled maintenance when they are told to do so, to be performed by professionals. Very few are now able to perform it (if it is even possible today with all the electronics). Fuel is like putting the toothpaste on the brush.

      And anyway, you need a driving license to get a car, which also should still imply a little explanation of how a car works, and what to check for maintenance. And cars are designed to be used by people who are not engineers.

      For security issues car makers have been forced to recalls to fix issue, not just to publish an update on an obscure section of a web site you usually reach after many clicks and questions ("Is your model 0190901920121 or 0190902920121? What is the hardware version? Please find the S/N on the sticker on the back, now that you affixed it to the wall, and thrown away the box"), while avoiding all the marketing stuff that attempts to sell something more.

      I can't also touch my heater - the rules here is I have to designate an approved professional for its maintenance - I can change only "user" parameters like the temperature of warm water, or the time it turns on or off.

      1. John Brown (no body) Silver badge

        "And anyway, you need a driving license to get a car, which also should still imply a little explanation of how a car works"

        IIRC, and it's a long time since I did my driving test, but the theory and practical parts of the test both include things like changing a wheel and knowing how to check and top up the various fluids nowadays too. I'm sure some of our less mature readers can correct me if I'm wrong :-)

        Back when I did my test, those things were not included because it was more or less expected and assumed that you'd know or learn about stuff like that anyway.

    3. iansmithedi

      Most people don't maintain their cars; they give it to a garage to do it for them when the garage or car tells them it's due. A gas boiler in a house may get an annual service visit. Internet-connected appliances need to sort theselves out, one way or another. Even Windows 10 does its updates itself at night now.

      1. John Brown (no body) Silver badge

        "Even Windows 10 does its updates itself at night now"

        And even with many, many years of experience, MS have not been able to handle that very well either. Two fairly major cock-ups on their part in the last two months alone!

  5. oldtaku Silver badge
    Unhappy

    And consumers shouldn't be expected to

    I'm with the consumers here. They're buying an appliance, and appliances are supposed to 'just work' with some minimal cleaning. If Phillips sells you a complete sack of s@#$ of a lightbulb it's not your job to fix it, it's theirs.

    Of course I know Phillips doesn't give a damn either, and I don't need Google knowing who's in what room at what times and what they're saying, so I don't have any of this stuff in the house.

    1. Anonymous Coward
      Anonymous Coward

      @oldtaku - Re: And consumers shouldn't be expected to

      The devil hides behind what you call "minimal".

      Anyway, nobody is in the business of providing software upgrades, paid or free of charge. They will either sell you a piece of hardware or a service or both. Software upgrades are simply not profitable.

      1. oldtaku Silver badge

        Re: @oldtaku - And consumers shouldn't be expected to

        Well, think of your own appliances. 'minimal' means you clean it as needed, drop it on the charger if needed and very very occasionally you pop out the standard replaceable part and replace it with another standard replaceable part. It's as streamlined as possible.

        But whatever minimal is, a several hour ordeal that requires repeated google searches is not it.

      2. Vector

        Re: @oldtaku - And consumers shouldn't be expected to

        "... nobody is in the business of providing software upgrades..."

        Make them responsible for the damage their lack of concern for securing the devices they put out causes and you might find that bottom line changing drastically.

        1. Charles 9

          Re: @oldtaku - And consumers shouldn't be expected to

          Or they'll just move where such onerous regulations don't exist.

          Or they'll just play fly-by-night and vanish and reappear whack-a-mole style if the regulators loom.

    2. Anonymous Coward
      Anonymous Coward

      "appliances are supposed to 'just work' with some minimal cleaning."

      IoT is a problem masquerading as a solution instead of just being a solution....

  6. Anonymous Coward
    Anonymous Coward

    Consumers HAVE learned!!!

    That updates break things, companies can't be trusted to update stuff.

    Phone updates slow down the phone or requite 3gb of space (iOS)... the idea in our industry that users have not learned is nonsense, they know full well that if they start fiddling with that stuff they will be confused the the toy wont work any more.

    The IT industry as a whole (but particularly MS and Apple + Android phone manufacturers), is to blame for the attitude of users to security.

    1. Richard Parkin

      Re: Consumers HAVE learned!!!

      Sometimes firmware updates deliberately break things. Updates to cameras have stopped the use of third party batteries, updates to printers prevent the use of third party ink cartridges. If it's working for you don't update it.

      1. John Brown (no body) Silver badge

        Re: Consumers HAVE learned!!!

        "If it's working for you don't update it."

        The problem with that method of updating is that you don't always know what the update fixes. You might think your device is working but maybe the fix is for a glaring security hole. Any idea what the last lot of MS updates "fixed"? The average user is NOT going to spend half and hour or more digging around the MS website in the hope that there might be a some hints or vague clues.

  7. martinusher Silver badge

    The problem's in the architecture

    IoT things seem to be autonomous little thingies that have a full stack so they can partake in the kinds of web based protocols that script programmers love to use. This is not only gross technological overkill but it opens up all sorts of computability issues, security being just one of them. One headache that's bothered me over the years is that programmers assuming infinite resources, don't listen (or think!) and then bitch and moan about inadequate hardware when they run out of resources. (This explains why we have to use a decent sized supercomputer to read email or post stuff to ElReg.) This disconnect with the real world is also responsible for ongoing security SNAFUS but as with the 'its running like warm pitch' problem its never the designer's problem, its always the fault of the user or the hardware (or both).

    If you're going to put a device out on the Internet then it needs to be hardened. Since its a pain to continually test and upgrade such devices they should act as firewalls to local devices as well as aggregating data and policing communications. Expecting users to love you for pushing updates on them all the time is a way to alienate customers (and expecting users to update their devices on a schedule is just plain stupid -- they're not called 'users' for nothing -- they're not 'enthusiasts'!).

    1. Christian Berger

      Re: The problem's in the architecture

      Yes, I still believe that this might have something to do with immature programmers. They try to design giant and complex "castles in the sky", but then are unable to implement them properly.

      However making product that are supposed to "just work" is responsible for many of those security problems. That is for example the why webcams try to instruct your router to open port forwarding for them.

    2. Anonymous Coward
      Anonymous Coward

      Re: The problem's in the architecture

      It's also one of the bad side-effects of open source availability. NB: I'm not saying open source is bad, this side effect only is. Many good things may have bad side effects (just think about beer!)

      Companies believe it's cheaper and quicker to get something free, without customizing it properly removing what is not needed and adding what is but not yet available (it's expensive and complex), and hire cheap developers who know little and have grown up with the simplest programming models and techniques. So they build house of cards piling up pre-made stuff that looks to deliver what they need with the minimal effort, without being able to understand all the implications. Cheap (and unskilled) developers have also enough problems to make something work, they have no time nor skills to make it work *properly*.

      1. Charles 9

        Re: The problem's in the architecture

        They don't care because they'll have you money by then and can vanish.

  8. Anonymous South African Coward Bronze badge

    Skynet Rising?

    1. allthecoolshortnamesweretaken

      Skynet was highly intelligent, so I'd say nope. IdIoTnet, more like... doesn't mean IdIoTnet won't kill us, though. No such thing as foolproof, nothing more dangerous than a resourceful idiot.

  9. Destroy All Monsters Silver badge
    Holmes

    It's a fscking Gremlin!

    You better feed it every day new patches before 00:00, or you will bear the consequences.

    There are already enough problems to solve in a low-tech house and a normal life.

    Why not buy a golden retriever instead?

    1. allthecoolshortnamesweretaken

      Re: It's a fscking Gremlin!

      Good luck with keeping your IoT toothbrush, kettle, coffe machine etc. dry.

      Nope, we're doomed.

  10. Mage Silver badge
    Flame

    IoT

    Ability to have it automatically updated is actually another vulnerability vector.

    Irrelevant to the article, but the SMPSU dramatically reduces the life & reliability of gadgets that once had no electronics or only a linear PSU, or decent capacitors. Traditional electricity meters last for ever, the Irish Electricity people (ESB) are having to replace 17,000 Electronics based meters. They over charge before failing. The maker knew there was a failing capacitor, but said nothing till asked.

    Your 50,000 hrs IoT LED lamps may die at 1,000 to 5,000 hours due to PSU failure, delivering people from its IoT DDos or whatever.

    Tube based fluorescent lamps used to occasionally need tube or starter replaced. Now they use a Radio Interference producing SMPSU as electronic ballast instead of a last forever iron cored choke that gave no RFI.

    We are going backwards. Function and Reliability sacrificed to "pretty" and "cost reduction".

    Most gadgets and new software now will not make life easier, but frustrate you.

    1. oldtaku Silver badge

      Re: IoT

      'Ability to have it automatically updated is actually another vulnerability vector.'

      Completely agree, and it always will be a theoretical attack vector, but right *now* it's mostly because IoS manufacturers haven't given a single sh@# about security and/or how upgrades should work.

  11. clocKwize

    Non-tech people don't understand the implications. They want a "smart" X because the marketing hype makes it sound awesome and that it'll make their life easier.

    The marketing doesn't tell them it will require them to keep on top of updates if they like keeping their personal information personal. That'd be bad marketing, people will think "damn, I don't really want more things to worry about, and I don't want to spend more time administering my smart cat flap, because if I spend *any* time doing that, it basically negates its usefulness".

    If your smart cat flap stops a neighbouring kitty getting in your house, thats awesome. Its one less thing to worry about, and will save you potentially an hour in the next 5 years. But if you have to spend half an hour updating it once every 3 months because someone worked out how to use it as a backdoor in to your network, whats the point?

  12. SImon Hobson Bronze badge

    Is this what we can look forward to ?

    http://www.geekculture.com/joyoftech/joyarchives/2340.html

  13. Cuddles

    Could be worse

    The problem with complaining that people treat Internet of Tat crap as regular products that don't need updates instead of the same way they treat computers, is that the way they treat computers is even worse. Not installing updates might leave you with security holes, but deliberately installing a bunch of taskbars and ransomware guarantees them. The average consumer simply doesn't have the training or understanding to keep their IT kit secure, so it's hardly reasonable to blame them for not doing so. It's no different from something like cars; in theory it's the owner's responsibility to keep it safe, but in practice that actually means they have to take it to someone competent from time to time. The difference with IoT stuff is that it's connected to that (supposedly) competent person 24/7 anyway, so there should be no need for the nominal owner to ever need to do anything themselves.

  14. AndrewDu

    Why, in the name of all that's holy, would anyone in their right mind ever, EVER need an internet-connected toothbrush?

    1. SilverCommentard
      Facepalm

      Because the vendor will give you a web site that allows you to review your brushing history and effectiveness, make recommendations for your brushing techniques, and, coincidentally, bombard you with ads for dental hygiene products based on the highly personal data that you have foolish agreed to share with them. Oh, and there's also an app which will use ridiculous permissions to rape your phone of any useful data to further monetise you (and everyone in your Contacts). Sorry, am I too cynical?

      1. Doctor Syntax Silver badge

        "Sorry, am I too cynical?"

        Too cynical? There's no such thing.

    2. Mage Silver badge

      Why,need an internet-connected toothbrush?

      So that when phone / skype / door bell rings, the bot can announce "based on past performance, the person you seek will be available in $time_left minutes", allegedly true story.

  15. Anonymous Coward
    Anonymous Coward

    Vendors are to be blamed too

    "Why such disinterest? According to Rouffineau, almost two thirds of respondents felt that keeping software updated – their security – was not their responsibility."

    Well, duh. This is not something exclusive to consumers by the way. Have you ever tried to track down spam or break in attempts on your servers? I have. And I have warned many ISP's and data centers alike that something was "totally not right". With all the required logs to show them exactly what was going on.

    The result? Well, nothing of course. At that time (I was still young) I couldn't understand and also eventually gave up my tracking efforts. At later times I finally started to realize the obvious: although it might have been an affected machine, it was still a paying customer. Dun, dun duuun.

    But vendors...

    How many times have we read already that some things stopped working after a Windows update? Now, Windows is something people can usually fix themselves, but what do you do when your cool "Internet gizmo" stops responding?

    Or what to think about games which get updates which change the entire nature of the game?

    I think that those reasons should be taken into consideration as well.

  16. Anonymous Coward
    Anonymous Coward

    because consumers are gullible idiots

    Lets face it the general consumer is, on the whole, a gullible idiot. They are persuaded by the fast talking salesman and the flashy marketing that want/need a gizmo and then expect it to "just work".

    They don't expect to know anything about their television other than which button switches it on and which on changes channel.

    Why would they expect their smart-whatsit to be anything other than plug and play - because that is what they are sold. Why would they expect their smart-TV to be sending their viewing records to the manufacturer or it be possible to spy on them using their games console camera/mic etc etc.

    Also, anyone who things that the general public are computer savvy just because they can switch on a PC and use Word or use a farcebook (sic) app on their smart phone must also believe in life on Mars and the Moon is made from cheese.

    1. Charles 9
      Alert

      Re: because consumers are gullible idiots

      "Also, anyone who things that the general public are computer savvy just because they can switch on a PC and use Word or use a farcebook (sic) app on their smart phone must also believe in life on Mars and the Moon is made from cheese."

      Isn't Mars where...you know...the MARTIANS come from?

      And BTW, there IS a product out there called literally "Moon Cheese" (INMTU).

      IOW, don't encourage them.

  17. WinHatter
    WTF?

    Who needs a bluetooth connected toothbrush ...

    ... anyway ???

    The worst part with those ID-IoTs ; they, at times, force you to go through the manufacturer's website for administration tasks.

    I made the mistake of buying a WiFi enabled thermostat (Honeywell) but to use it I need to register this sheeet with Honeywell and go through their hosted website to have access to me sodding thermostat. And I paid extra !!! Stupid me.

    WTF !!!

    So pending the cracking of the set of commands that will allow me to use the thermostat in a local manner I am not using that IoT.

    The device can be hacked ... but the manufacturer can be hacked too divulging a wealth of information on when to visit your house.

  18. Paul Uszak

    So In summary...

    ... it it better? Considering all the problems of connected devices, and all the advantages, are we better off? Consider this in the wider context. It provides jobs and entertainment. Some smart stuff is actually life saving / life enhancing for the disabled. And it helps the terrorists. Some smart stuff also kills terrorists. So...

    [Personally, I don't think that we are holistically better off with the IoT but I'm getting old and grumpy.]

  19. Nimby
    Devil

    Users = Idiots

    I hate to be the bearer of more obvious news, but users are idiots and idiots should not be in charge of securing ANYTHING. (Not all users, of course. But more than enough to give the world significant problems.) I have known several people who had their car run out of gas as if there weren't a gauge AND warning light. (Good thing we don't have flying cars yet!) I even knew one woman who I heard her car coming from blocks away one day, and got her to stop. She complained the car kept wanting to stall, so she had to keep riding hard on the gas pedal. I popped the hood, checked the oil, NONE. Just whiffs of smoke. Didn't she have a temperature gauge? "Who looks at those things." Didn't a warning light go on? "Well yeah, but the car still drives just fine." (Obviously not.) When was the last time she had it in for an oil change? "That costs money, and the car runs great without it." (Really great, clearly. And the cost of a new car compared to the cost of an oil change?) I pulled a couple quarts of oil out of my trunk (because I always keep more than just a spare tire in there), got her car running without risk of engine seizure, and told her in no uncertain terms to get her oil changed at least, but better, see a mechanic. No idea if she ever did. THESE ARE USERS! Not every user is an enthusiast. Some can't even tie their shoes or count to 10. Would we even WANT these users to be responsible for the security of an army of botnettable devices? Defaults MUST be automatic. Only enthusiasts smart enough to uncheck a checkbox that they can find on their own after logging in on their own should be ALLOWED to take security into their own hands. It's a simple intelligence test that if you cannot pass, then you should NOT be allowed to interfere with the AUTOMATIC security. Because users = idiots.

    1. Charles 9

      Re: Users = Idiots

      Users = Idiots is the reason Microsoft and the like are taking over so much of people's computers, because they OBVIOUSLY can't do it themselves and can't trust anyone else to do that.

      Do you really want that kind of world? Or is it a matter that we don't have a choice anymore?

      What does the market do when the customers demand unicorns and jump at the first horse with a horn glued on they spot?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like