The absence of regulation is what has resulted in the innovation of software we see today. But as hardware and software merge, as the shelf life of software becomes the shelf life of hardware, we are going to need a number of guarantees to ensure that the benefits keep outweighing the risks.
People buy a new oven or refrigerator every 10 years, a new car every 20 years maybe. And these are all run by software, old software, with bugs. And that is “fine” (mind the quotes), to the extent that someone takes responsibility for the system or solution as a whole, the collection of all these parts with a single brand name on the box that is legally responsible. Now think IoT. Thousands of individual vendors who sit mostly abroad, offshore code development with for the most part a lack of teams, unity or any other form of structure or legal jurisdiction for that matter. Low to no profit margins for technology sold by the lowest bidder where neither the buyer nor the seller have any interest in security.
The chip-maker of the device says they just sell chips, the manufacturer says they just implemented the chips and put them on the board, the software makers build the software for maybe hundreds of chips, ignoring some of the extra features and weaknesses that come with certain components. The product ships and problems are found at a later stage either through design errors or implementation errors while implementing a piece of software that has vulnerabilities. And this is where we are today.
Not a single snowflake feels responsible for the avalanche.
So, five things we would like to see as part of a basic set of guarantees when purchasing some of these products in the future, have been suggested by researchers from F-Secure:
Guaranteed life expectancy
When IoT vendors say they offer “life time support,” it is not your life, or the product’s life. It is the life of the company. We saw this with Revolv last year. Guaranteeing a certain number of years of product focus, updates, community support e.g. forums, as well as guaranteeing that the device will work is paramount. This means tracking the life cycle of the technology inside the devices, ensuring whatever cloud services are being used will still be there and cannot be interrupted or hijacked afterwards
Privacy and data handling transparency
Inform the consumer where the data is being saved to i.e. physical country, how long the data will be there as well as what data is being saved and to what level of detail. Give the consumer the option to remove all data produced by the device if you can prove ownership of the device. I have no problems waiving some of my rights when telling the IoT vendor and potentially the world I like to make something that needs the pizza setting of my IoT oven Sunday morning, but inform me first. Will my data go to a European cloud or a US cloud and what laws can be enforced upon my data and the correlation based on my data
To the extent possible, inform the consumer about what technology is being used with regards to e.g. open source software and licensed software. Food manufacturers have to ensure the correct labeling of their product as far as ingredients go. Why not technology for the individual parts or software components, at least to some extent so that consumers can make informed choices about what it is they can and want to use
Security feature transparency
Is the product allowing management through a cloud service with two-factor authentication? Or only Bluetooth, Wifi? Will it detect your neighbor trying to log on to your device? Can someone break into my device remotely? What kind of features the device has will hopefully in the future start influencing the buying behavior of the consumer. If you want all devices to only use the cloud for remote control then that should be a choice that can be made by looking at the box
A more difficult one but an important one. For IoT that is more sensitive or even vital, a shut down process should be explored to be able to shut down the device when it has exceeded its life or has been declared end of life. When reliance becomes dependence then planning is required in order to ensure that the benefits and added value of the product can be sustained. This is easier with pace makers and other devices that receive a lot of care and tracking. But for other devices that are basically enable-and-forget, this implies being able to signal its remaining lifetime to the owner and thus implies knowing who the owner is.
This last part might be a more difficult issue as it has been tried with for example tying domain names to people for the purpose of reporting abuse cases. Not only that, this would mean another potential privacy problem if the information is leaked. This is a sensitive topic but more discussion is needed to see how devices can be categorized and what the possibilities are. This can also lead to abuse from the vendor side. Printer and printer ink cartridge vendors were very quick in jumping on the planned obsolescence track being very quick in flagging printer ink cartridges as empty, forcing the customer to buy more. More discourse on this subject is needed from all sides: designers, vendors, suppliers and consumers.