We’ve talked about the Internet of things (IoT) at length on this blog, usually from the perspective of consumer-oriented cybersecurity. From malware to shopping advice, we’ve covered all the ways IoT devices can be harmful to consumers. But while we’ve discussed this issue, we haven’t really gone over how and why the IoT industry is the way it is. In this post, we’re going to give you a detailed understanding of the decisions and forces that drive the lifecycle of many consumer IoT products and how these impact you.
Growing pains of an industry
Although we tend to speak critically of IoT devices due to the security threats they can pose to consumers, it’s important to point out that the Internet of Things, as a concept, is not inherently flawed. There are myriad reasons to want to put devices online. Being able to monitor and alter the state of devices remotely or automatically can be extremely beneficial. Imagine you forgot to lock the door, turn off the lights or left the stove on, or perhaps you want to be able to monitor your home’s energy use to save money. On an industrial scale, entire “smart cities” promise greater efficiencies and better quality of life for citizens. What if your car could receive real-time notifications from other vehicles or from the road itself to avoid cluttered intersections? Everything from energy usage and transportation to healthcare can be improved with the data and control IoT technologies provide.
Of course, there are two sides to every coin, and when it comes to consumer devices, in many regards we’re experiencing dystopian consequences of the hyper-connectivity required to maintain IoT systems. Why? There are likely many reasons, but one that stands out is that the IoT market is young and many companies haven’t developed a long-term business model tailored to the industry. The issue is that IoT devices are neither hardware nor software – they are a complex combination of both. Unfortunately, failing to appreciate the unique status of these devices can cause problems. Some of the flaws we’ve covered in major IoT cybersecurity stories, like those about the Mirai and BrickerBot botnets, are the result of developers treating these devices as mostly hardware. Many developers have neglected to build the tools and infrastructure typically needed to manage the operating systems of these devices well. As a result, these devices ship with terrible security settings and might not always receive updates – something that is considered critical for “traditional” Internet-enabled devices, like computers and smartphones. This can happen because Internet connectivity is treated as an afterthought, and in some cases the device manufacturer isn’t even the one developing the software, so there’s a lack of cohesion between a product’s hardware and software development.
Product abandonment is rampant
Another common problem with consumer IoT devices is that companies can and will abandon products wholesale, sometimes with little fanfare, and leave consumers completely in the dark about the security or functionality of their smart products. This issue is related to the one mentioned above, but it stems from treating IoT devices as if they were just software. Abandoned and unsupported software is not uncommon, and it even has a name – abandonware. But the abandonment of software, at least compared to the abandonment of IoT devices, is more of an inconvenience than a major issue. Most consumers understand that at some point Windows 10 or their current version of iOS (iPhone) will be obsolete, and they can thus prepare for it. The same can’t be said for toys, appliances and other smart devices. Physical objects like door locks and toys have a longevity that makes it unfair to treat them in the same manner as software and computers.
Another point worth noting is that for most commercial tech companies, their software has an established lifecycle. For example, Microsoft guarantees that each of its operating systems is supported for several years, and it even supports older versions (e.g., Windows 7) alongside current ones. With the IoT industry being so young, though, companies are coming in and out of existence quickly, leaving little assurance that any devices bought today will be kept up to date or even remain functioning tomorrow. This kind of environment can encourage some companies to think short term, putting the financial burdens of cybersecurity on the back burner while leaving consumers with no guarantees about their device’s long-term stability.
The risks of set-and-forget IoT design
All of these different pressures can combine to create unique scenarios for consumers. For instance, there could be ambiguity regarding the conditions under which your device receives security updates. In other cases, companies might reserve the right to go back on customer guarantees should their business model or company’s financial status change.
While there are many examples of these playing out, the company CloudPets illustrates an important, albeit extreme, scenario. When the company was solvent and functioning, its smart toys were plagued with severe vulnerabilities; however, sometime in 2017, the company quietly went out of business. As of this year, not only do CloudPets toys retain their Bluetooth-enabled features, but the toys still communicate with the CloudPets domain, which, as of last month, was publicly available for purchase. That means the domain could easily be hijacked to collect whatever data the toys are designed to transmit.
Additionally, up until recently, some retailers still carried CloudPets toys. With no one around to fix these toys’ existing flaws or prevent hackers from exploiting new ones, families remain at risk if they’ve purchased any products from this company. What’s worse, there seems to have been absolutely no communication about this to CloudPets’ customers, some of whom will probably keep these toys until wear and tear affects them, oblivious to the potential dangers the unsupported toy presents.
What the future of IoT holds
It’s easy to be disappointed that the Internet of things tends to fall short of its promises, but it’s an issue that people within the industry are working on. Although there are many proposed solutions to the problem, some are more popular than others. One common solution is to make developers pay for the harm caused by poorly secured devices. The idea is similar to fining companies caught polluting: hit the business where it hurts the most to (hopefully) teach it a lesson about neglecting cybersecurity. Another related idea is to have companies pay into a fund that is disbursed to tech nonprofits like Mozilla, which would then maintain some level of service and security for products that are abandoned.
Some others see consumer education or even consumer penalties as a means of enforcing IoT security. The argument is that, just as producers have a responsibility to make secure products, consumers have a responsibility to buy products that are secure and to maintain some minimum level of security for their devices. However, it’s worth pointing out that consumers are not always going to be able to tell which products are secure from the outset, as evidenced by the CloudPets story we detailed above, so the onus is still very much on the industry to regulate.
Finally, many technology experts point out that having open-source or at least industry-set practices and standards – like the ones used to maintain Wi-Fi technology – could go a long way in making sure IoT devices are designed with established security protections and standardized features.
It’s not clear which of these proposals will win out in the long run, or if something better will crop up, but it’s obvious that something has to be done to address the issues of the maturing IoT industry. Hopefully, with more time, consumer groups, regulatory agencies and companies will come to an understanding that turns IoT from a cybersecurity nightmare to a standardized, trustworthy industry.
For more information about the Internet of things and managing your own cybersecurity, keep reading our technology blog.