Apr 23, 2017You can't walk into an electronics shop without seeing all of those nice and shiny Internet of Things devices. Control your lights, vacuum your floor, open the door, set your room temperature and many more goodies are just crying for you to take them home. In your home, they will be plugged into your Wi-Fi, Bluetooth or fixed network just like… wait a minute! What about the Internet of Old Things that you already have in your home? Your printer is connected to your network. Perhaps you have some disk storage for photo and video backup. Your set-top box. Broadband modem (of course). Wi-Fi repeater. Smart TV. Bluetooth speakers. And many more, potentially.
When Was the Last Time You Updated the Firmware of Your Old Things?
These devices all run some sort of Linux or microcontroller that can execute code. How safe is this code? You probably don't know. The real question is, does the manufacturer know? Most embedded software has been traditionally written by hardware companies that had to do it for their product to be useful. It was a cost center, not a revenue generator for them. So, any cost savings were greatly appreciated. These manufacturers sell their devices to a wholesaler or retailer and forget all about them. At most, you might find a firmware update on some obscure part of their website, which only the most techie of us would know how to install correctly.
What Are Your Risks?
The first risk is ransomware coming in. Your whole family history of photos and movies could become encrypted. Either you would have to pay some criminal in Bitcoins, or you could kiss them goodbye.
Another risk is criminals looking at what you do. If they could control your broadband modem or Wi-Fi router, then they could play a middle man. You'd think you were connecting to Facebook, Google, PayPal and your bank, but you would really be connecting to a copy of these websites and all your credentials would be stolen. They could even steal money from your account.
What if botnets were to come in and use your living room as their own micro data center? All of a sudden, your house would be part of the "dark web." You could be part of a distributed denial of service (DDoS) attack that would bring down a company, vital services or government website.
That electronic door lock or smart light might be remote-controlled by hackers. They could switch the light on or off tens of thousands of times per second, and thus provoke a fire and burn your house down.
Thieves will no longer walk with a crowbar to your house, but instead carry a laptop and a scanner to open your door lock and steal all your belongings. This is something that we have already seen with cars' remote locks.
This threat is so important that governments around the world are beginning to look very seriously at this area, including the U.S. Department of Justice, which has recently joined other agencies in evaluating IoT technology for national security risks.
Protecting the Internet of Things
What can be done to protect the future of IoT devices from all of these risks? Hardware manufacturers will need to change their software attitude. They will need to understand that they have a liability in case their software insecurity provokes your house to burn down. They will need to invest in supporting software years after they have sold you a device. And this software will need to be patched every time a critical security issue is discovered.
Unfortunately, profit margins on your IoT devices don't pay for ongoing software maintenance contracts. So how can you do this? We believe you need to separate hardware, hardware low-level software (a.k.a. the kernel), the operating system and software into independent components to allow the process to be automated and as pain-free as possible.
In our own initiative, known as Ubuntu Core, we update the operating system automatically—and for free—because it is important to make the process easy for businesses. The manufacturer updates the kernel or outsources this work to others. The biggest change is software. Software for devices has become apps that you can download or buy via app stores, similar to your mobile phone. The difference is that any company would be able to run their own app store if they wanted to. This means manufacturers will have an ongoing revenue share from app developers and, as such, will make sure your kernel is always up to date.
You need to use the best security technologies to make sure apps are constrained and contained. So, if an app were hostile to other apps and the device, or just badly written, then the operating system would make sure the app couldn't harm anything. Apps are guilty until proven innocent. Additionally, software updates have received a major upgrade. You can update a kernel, the operating system and any app—but if the update fails, then you can simply roll back to the previous working state. This allows manufacturers to try new things and, if they fail, roll them back.
Current devices often have a push-and-pray strategy. The manufacturer pushes an update and prays your device will boot again afterwards. If they make a mistake, then your device could break, sometimes beyond repair. This is the reason why you want to make sure that your next-generation devices are app-enabled and have transactional rollback capability. You will be able to decide which software will run on it, and failed updates will be able to be rolled back.
The App-enabled World of the Internet of New Things
The future of the IoT is a world of devices in which manufacturers will make app-enabled devices just like your smartphone. You will define which apps you run on them. Each family will pick a different combination. Making different smart devices talk to one another will be all about installing the right app on each device.
So, in the future, your Bluetooth speakers will tell you that a very rare Pokémon Go has been spotted just around the corner of your street, years after you bought the speaker, and you will be easily able to find out when your device has last been upgraded. If you are technically skilled, you might start thinking about creating your own smart device app.
Maarten Ectors is the VP of IoT at Canonical, the company behind the award-winning, open-source, app-enabled Ubuntu Core. Maarten invented the concept of the "run your own device" app store.
