February 3, 2016
The “Internet of Things” is a real thing these days, with everything from toothbrushes to refrigerators now connected to wifi networks and spewing forth data to so many locations it’s hard to track. But a few disturbing trends in the IoT world definitely should give us all pause for thought.
First, many of these IoT devices are severely locked down. They can’t be upgraded, updated, or patched easily, and sometimes not at all by the end user. Granted, end users are famous for not keeping digital things updated to begin with, but not even having the option is a disturbing turn of events. When devices cannot be updated or reconfigured by the end user, problems arise both during the product’s support lifetime and after it ends.
During the active support lifetime of the device, the end user cannot verify that updates work properly, roll back updates that failed or created new issues, or control what information the device keeps and sends. Manufacturers have many reasons for doing this, such as assuring a steady stream of information that they can market to others. None of these reasons should be taken as valid for endangering the security of a home network, however. Malicious code that infects your connected refrigerator and cannot be removed until the manufacturer sends out an update is just not an acceptable situation.
After the lifetime of the product, even more problems arise. Manufacturers abandon products all the time, leaving them without any further updates, while the number of people who would like to see if they can break in and wreak havoc does not shrink. Thankfully many products continue to live on well past that point, taken over by community efforts and open-source projects that extend the lifetime of the codebase well beyond the lifetime of first-party support. Locking down these devices so they can only ever be changed by the first-party developers can make continued community support impossible, blocking this ongoing benefit.
Secondly, locking down these devices also means that end-users become unable to see what communication is going on between those devices and the world at large. Data leakage will occur, and not being able to limit the data available to leak is a dangerous thing.
I’m not saying that all IoT devices need to be totally open and open-sourced. What I do believe, however, is that the consumer should have the right and the ability to say what data will go where, and when. This can be done with end-user accessible settings and controls, the ability to apply patches and roll them back on demand, and the ability to keep unknown software off the device to begin with. Even Apple, famous for its closed ecosystem, gives users the ability to shut off things they’d prefer not to use. Yes, it will mean changing how we typically interact with these kinds of devices, but making them IoT has already done that, so it won’t exactly be a whole new paradigm. Support vendors who give the end user enough control to keep themselves safe, and reject vendors that insist on locking everyone out without good reason.
Keep that in mind when next you consider an internet-connected fridge.