Sophos Cloud Optix
Contrast and compare these two scenarios:
You buy a thing. Say, it’s a kettle. You make hot water with it, maybe it whistles when it hits the boiling point. That’s about as fancy as it gets. You use the kettle for years, if not decades, until you lose it in a move, damage it, or decide to get a new one.
Now imagine you bought an internet-enabled kettle. It allows you to set the kettle to a boil when you’re away from the kitchen, and monitor the water’s temperature from your phone. Perhaps you can even program it to boil water at certain times of the day.
After just two years of use, the kettle is going strong, but one day you get an email from its manufacturer: the kettle you bought is no longer being serviced or updated, and in a year they will cease to support it. At that time, your kettle will suddenly no longer work, and there’s nothing you can do about it.
While the second case with our kettle is just hypothetical, the idea of an internet-connected device becoming suddenly obsolete is a reality.
Just this year we’ve seen two high-profile situations involving IoT devices hitting sudden obsolescence. The first came when Google acquired the company Revolv, and subsequently shut down all support for the Revolv devices, leaving Revolv owners with $200 bricks.
And much more recently, with Fitbit acquiring the smartwatch Pebble, the Pebble’s warranty has been voided immediately and there are now warnings that “Pebble functionality or service quality may be reduced in the future,” according to Pebble’s CEO.
To be clear, it’s by no means a sure thing that Pebble will follow the IoT Brick Road, but current indications are at least cause for concern.
Can manufacturers be held accountable, and if so, how?
Should we just expect this kind of thing to happen and that the cord will be cut suddenly on the event of an acquisition, upgrade, or plain-ol’ “I don’t feel like updating this any more”-itis?
If a manufacturer decides that fixing its product’s buggy software is too much work, could they (or should they) just suddenly shut down the service entirely?
For early adopters of IoT devices, perhaps this is an acceptable risk: a nuisance, yes, but still part of being at the cutting edge of technology.
But IoT devices are now leaving the realm of the geeky set and are going mainstream: IoT thermostats are everywhere and an increasing number of children’s toys now have some kind of WiFi capability.
What’s going to happen when these devices are no longer just for the more technically literate? While it’s unlikely that lives are being seriously disrupted by a smartwatch shutting down, the stakes are only going to get higher.
As consumers, should we expect that when we buy a perfectly functioning, expensive device – perhaps one that controls our home’s security or temperature, or just one that we don’t expect to need to replace for many years, like a teakettle – could become completely useless with zero warning or recourse?
If we don’t want to accept this as our future, realistically what can we do? In the case of Pebble, the consumer warranty was immediately voided, and the only chance of a refund was if you happened to purchase your watch from a retailer whose return policy was still valid.
But if you simply just want your perfectly usable device to keep on working, there’s not much you can do but hold on to hope that the manufacturer or the new owner – in this case, Fitbit – will continue to support your device.
Even if you are more tech-savvy and could finagle loading custom or open-source software onto your device, there’s the tricky issue of DRM: you may not have the right to make any changes to the software, depending on what your device’s End User License Agreement (EULA) states. (We all read those, right?)
Thankfully, the growing ubiquity is highlighting the deficiencies in IoT devices as they become obsolete or pulled off the market. In the United States alone, the EFF is targeting laws, including the oft-maligned DMCA, that restrict what consumers can and can’t do with IoT devices they own, in hopes that consumers can gain greater flexibility in how devices they purchase can be used, repaired, customized, and updated.
If we can successfully reform these laws, the greater the chances that consumers will no longer get a nasty surprise when a maker hits the kill switch on their device.
The even-bigger problem: no set of standards for IoT security
There is, of course, a much bigger discussion about manufacturer responsibility for the security of what they make, not just for small IoT devices, but also self-driving cars, smartphones and yes, software.
There are no common standards for software or smart devices – although there are of course laws on data protection. That’s not to say people aren’t working on it: UL’s Cybersecurity Assurance Program specifically addresses security practices in consumer devices.
However, there’s no consideration in most of these standards for keeping the consumer protected with regular security updates, or supporting security updates for the entire reasonable lifecycle of a product. A manufacturer certainly shouldn’t be expected to keep a device updated in perpetuity, and sunsetting software versions and devices is a reasonable course of action, but what’s a reasonable timeline?
And perhaps more importantly, what risk can or should the consumer bear? Should we be able to keep using our IoT kettle even if its software is no longer being updated, or would that out-of-date software pose too great a risk to the greater IoT infrastructure? Should IoT device manufacturers better plan for obsolescence by providing a way for these devices to work in some limited, offline capacity once they are no longer updated or supported?
The various industries pumping out new IoT devices are still trying to figure all this out, and there are no clear answers yet.
The burden does fall on the consumer for now, but that means we also have the power to ask the important questions and pressure manufacturers into realizing these issues must be considered.
As the industry catches up with consumer demands, we need to be smart about the devices we support with our money. Otherwise, we run the risk of letting the lowest bidder set priorities for the manufacture and longevity of devices we purchase – and when it comes to our security, we can’t afford to make too many mistakes.
In this internet / IoT era, people don’t expect longevity of products they bought. Just think about our smartphone. How many of us will keep it for more than 3 years? Either the battery is dead or there is a new phone attracted our eye-balls. Okay, how about our car then? People trended to lease than own; so every 3 or 5 years they’ll have a new car.
Talking about manufacturers, looking at our Android smartphones, almost all manufacturers support their devices up to 2 years! I’ve my HTC One (M7) and now I’m looking at the possibility of flashing it with custom ROM.
It’s sad as this generation just satisfy with short term happiness and at-that-moment gratification.
There’s the environmental cost to consider as well – particularly as electronics routinely have toxic and/or rare materials in their construction. To say nothing of the slave labour turning out all these materials – or the virtual slave-labour turning them into this year’s hottest gadget – because we won’t pay much more for a kettle even if it does have an embedded Linux OS with Wi-Fi.
Nice job bringing up a peeve of mine!
IoT would be there in the underground among hackers (the electronics tinkering sort) anyway but the commercialization of cheap (not well thought out or made) and inexpensive devices that may not even need to be connected to a switch are exploding on the scene. Air as a medium means anything in your proximity is also a potential security threat. The lines delineating your “proximity” vary with antenna and transceiver power.
Do you trust all devices connected to all of the computers in your company? Windows does not a firewall make…
Had one of the first of such devices …. the Chumby! They went bust, and now an enthusiastic former employee is supporting the server which makes it work in a reduced mode. It was an open source platform which probably helped.
IOT without OpenSource is a sure way to throw away money.
Any device that ‘relies’ on a distant server to function is crap. It should work just fine without it. The only reason for that reliance is data gathering. It’s worth bearing that in mind when purchasing these things – they are simply trying to create new data gathering channels.
That said, routers are now my favourite IOT devices – you can flash new firmwares and make them do almost anything slowly.
“…the Pebble’s warranty has been voided immediately …”
In many jurisdictions, this is illegal. Many of them will have at least some period of warranty enshrined in law and Fitbit / Pebble are going to be forced to honour those.
In Australia for example, some consumer protections enshrined in law (e.g. fit for purpose, free from manufacturing defects) — i.e. what most would consider covered by warranty — never expire. It doesn’t matter how much time passes. 5 years, 10, 20… if your item breaks due to a manufacturing defect, you’re still entitled to a replacement or refund.
Now, do we consider a manufacturer abandoning an item (leaving it useless) to be a defect? Well, this is going to become a legal grey area. If I wake up one day and my kettle can no longer boil water, I can argue that it’s no longer fit for the purpose for which it was sold. On the grounds of that, I may be able to get a replacement or refund under law.
The whole idea of IoT devices is going to go one of two ways: buy ‘dumb’ products that don’t need an Internet connection. Or governments will be forced to codify some level or protection in law. (E.g. that manufacturers must support their devices for at least 5 years.) Will we see a market-led solution or a government-led solution? We’ll have to wait and see.
“In many jurisdictions, this is illegal. Many of them will have at least some period of warranty enshrined in law…”
That only works if the company behind the waranty is still solvent. I dare say that Fitbit structured the takeover so that they could avoid Pebble’s liablities.
For example, Pebble’s owners could have declared the company bankrupt (Chapter 7), appointed a tame bankruptcy trustee, and immediately sold the key assets to Fitbit, in exchange for just enough cash to cover Pebble’s debts. Fitbit would then hire just the Pebble employees they wanted.
If they had taken that approach then all the Pebble liabilities that fitbit did not want (warranties, employee severance pay & benefits & money owed to kickstarter backers would be left behind in the shell of the bankrupt company. From the point of view of both Fitbit and the senior staff at Pebble it is a perfect solution, as all the liabilities are disposed of, and everyone important keeps their jobs.
Of course, that approach would be bad from the point of view of the staff left behind who get stiffed for the severance pay and benefits owed, and for the community who abruptly loose warranty protection and support.
Great piece on a topic that has consequences reaching far beyond what most folks realize.
Nice work, Maria.
Reminds me of when Tagged bought WeGame and then destroyed it by killing the servers that handled the WeGame client connection.
I suspect jailbreaking an IoT device is perfectly legal, due to a tiny loophole:
Once you replace the software on the device, the company can no longer prove that you ever accepted the license agreement. They can’t use their records, because such records can easily be fabricated; no court would allow them.
This would be true for almost all IoT devices. The exceptions would be where the manufacturer built into the hardware a way to track that the license was agreed to. But, companies that go out of business aren’t likely to have been so far-sighted. Heck, I doubt even Apple has thought that one through.
Besides, if you have the wherewithal to replace the OS and firmware, it’s very likely you could undo it even if the company had been forward-thinking enough.