Is IoT ever really yours?

Ken Munro 08 Mar 2021

When we buy a product, we generally assume that it’s ours and that we own it, right?

The question of ownership gets quite interesting when we look at music – you might remember the alleged 2012 spat between Bruce Willis and Apple over ownership of iTunes purchases.

It gets even more interesting when we look at smart products; the Internet of Things.

No updates

Most of our interest in IoT is in its security. Key to maintaining security is providing updates to fix security issues. Far too many early IoT vendors didn’t plan for this and built smart product that simply wasn’t capable of being updated securely by the user. As a result, when security issues were reported, there was little choice but to end-of-life the product.

Outages

However, the media is full of stories of IoT outages caused by cloud hosting provider failures. Every few weeks we see a large datacentre go down and people lose control of their heating or whatever.

But it’s not just the hosting providers going down that causes problems: it’s not uncommon for cloud platforms to go down. You might recall pets going hungry when Petnet’s platform provider stopped working properly. There were issues for nearly a week – had you relied on the feeder whilst away for a few nights, you may have come back to a rather emaciated pet!

It would be a brave pet owner who continued to rely on a smart feeder after that outage.

Bad updates

Other outage issues relate to product updates. Only recently we had Roomba smart vacuum cleaners go rogue as a result of an update. But at least they continued to work, if inefficiently. It’s a whole lot worse when an update bricks a product. If you’re lucky, there will be a workaround to fix it; otherwise you could be waiting for a replacement.

Hacks & botnets

There are numerous examples of cheap and/or poorly secured smart products being exploited to join botnets. Possibly the first was Mirai, which exploited multiple brands of white-labelled CCTV DVRs from a Chinese vendor. IoT devices make for great botnets – there are lots of them, often available on the internet via their cloud platforms, often vulnerable by default with back door accounts.

Whilst the intention of the botnet herders is to launch DDoS attacks against others, those who follow will use the same vulnerabilities to pivot remotely on to your home network, maybe stealing your data or your CCTV footage along the way. BrickerBot took this one step further – actively destroying the code on the DVR, so that it would no longer operate.

Vulnerabilities in some smart devices can be so bad that the product is pretty much junk on arrival. Often we will find smart products that barely function. Even worse, some also open the consumer to exploitation. These devices would be better off in the trash.

Vendor implodes

IoT attracts innovators. Getting product to market first will put pressure on funding. Delays in development will increase that. It’s not uncommon for cashflow pressures to result in the vendor going bankrupt. A shame for the vendor, but even more so for the many early-adopting consumers that will have connected product that no longer connects.

The road to market is littered with prototypes of smart products that just about made it, then failed.

Vendor EOL

I have some sympathy for vendors who collapse financially, but less for vendors who arbitrarily End-Of-Life a smart product. One of the key requirements of coming IoT regulation is that vendors state how long a product will be supported for. Very often, the connected platform is a free service, so generates no revenue for the vendor past the initial product sale.

Less responsible vendors have terminated the platform, or arbitrarily started charging consumers for it. Google faced action from the FTC over ending support for the Revolv smart device in favour of Google Nest.

Sonos had some bad press when they announced the ending of support for some of their oldest smart speakers. After an outcry from users and media, the end-of-life process became much slower, with security updates and bugfixes continuing.

The more cynical side of me wonders if there’s a perverse incentive for some vendors to actively end-of-life product, forcing the user to buy brand new tech…

Unconnected connected product

In some cases, smart product doesn’t actually need to be connected in order to provide at least some value. My wi-fi tea kettle continues to work, even though I can no longer make it boil remotely. No great loss there…

However, many smart products have little to no functionality when their connectivity isn’t present. It becomes expensive smart plastic trash.

Maybe you can still use a connected cup as a cup if it no longer functions; it’s going to be a very expensive unconnected cup though!

RF Connectivity

Many RF protocols are well established and unlikely to disappear in the short term. Wi-Fi, Bluetooth, Zigbee and Z-Wave have been around for a long time and are likely to be with us well into the future. There are others that are less well established and may or may not have a future. I’m thinking of some of the long range, low power offerings that appear to solve some of the battery life issues with some types of smart products.

Data

All too often, users assume that the data their device generates is theirs. All too often, users find out later that it’s not. Take Ring, for example, giving law enforcement access to video from users’ doorbells. Yes, the intention was to reduce crime, but users should be asked for explicit consent.

Excessive data collection is also a major problem: your data should be yours, surely? Particularly so if you are paying for the product and service. We’ve seen numerous products collecting telemetry data which the vendors have no need to gather. I can see a case for gathering use data for product improvement, but why does a smart coffee cup send your exact GPS position back to the manufacturer?

Neither the product nor your data is truly yours.

Conclusion

You never truly own IoT. You might own the physical product, but you are usually at the mercy of the vendor who provides the connectivity to make it smart. If any of the components in the chain of connectivity fail, your device can be useless and valueless.