Here’s why I think we’ll pay for security for all our connected consumer devices as a service…
You may, by now, have heard of the latest software “bug” named GHOST that has been found lurking in our internet servers for years.
This type of software bug is a cyber security nightmare and can potentially allow somebody to remotely take over any computer running the affected software. This time, the problem is in a core software component present in the majority of systems running the Linux operating system. It joins other recently discovered security vulnerability celebrities like HEARTBLEED or POODLE. It certainly won’t be the last.
Internet servers have been frantically exorcised of GHOST over the last week and this will continue for months to come. But what about other devices running this software – particularly the ones that are generally hidden but form part of our lives? Would we want somebody outside to be able to remotely control or destroy these?
You may not have an internet-connected washing machine yet, but connected electronic devices are rapidly dominating our lives, usually for the better. Your TV, set-top box, audio system, internet router, automotive entertainment system, mobile devices, smart electricity meter and many more devices are likely to be running Linux or similar software. And this trend is only going to continue.
Servers, PCs and laptops have been subject to attack for many years and so get updated on almost a daily basis due to these types of problems. They also run sophisticated anti-malware and anti-virus software. How often do your other, not so visible, devices get an update? Once every 6 months, 12 months, never…?
We know the attention of the attackers is now moving to these types of devices and the similar ones that control our industry, power, water, transport and telecommunications. Our domestic equipment can carry private information of value to criminals or can be used to carry out attacks on other systems. For example, the Lizard Squad advertises a service to bring down websites and services and is using hacked domestic internet routers (and our bandwidth) that we pay for to do it.
In our rush to a connected world, it seems that manufacturers either do not understand the implications of an attack for us as consumers and for their own business, or else ignore the threat and hope it doesn’t happen to them. Given the low profit margins and rapid development cycles of the consumer electronics market, it’s easy to see how tempting it is to ignore something that many consumers don’t understand or consider at the point of purchase. Security costs both money and time.
Even when the more enlightened brands produce products that are secure (and fortunately this is an increasing trend), it’s often only secure at the point when first released to the market or for a limited time period afterwards. Software is progressively attacked, so our devices need to be progressively updated. And that’s just not how we’re used to paying for our devices.
We also have different expectations for how our devices operate. We don’t want our washing machines or network routers to crash, whereas we often expect our PC software to. This results in the need for lengthy periods of product testing, which makes releasing very regular software updates difficult. Some devices (e.g. medical) also require certification, which is time consuming and expensive. And from a business point of view, who is going to pay for this work once a product is sold? Would we, as consumers, really pay double the price or more to ensure this happens?
My predictions for the future
If we care about our domestic security and privacy, we’ll have to start paying recurring subscriptions to keep our devices secure. Security as a service - similar to our PC anti-virus software subscription. For devices connected to a utility (e.g. internet router or smart meter) this can be included in our regular utility bill. For other devices we’ll either need to purchase a subscription or maybe even lease the product.
This could open up new business opportunities as companies compete to win a place as guardians of your device security, for a regular fee.
Electronics manufacturers and certification bodies will also have to do their part. More investment will have to be made into rapid automated testing and the risk and impact of each software update will have to be understood much better. Industrial, automotive and medical certification of products will also have to change to allow more rapid incremental updates. Products will have to be developed with security designed in and include constant, active monitoring to defend against attacks.
Maybe then we’ll be able to exorcise the memory of this Wild West period of insecurity and move to a fully connected life.
MathEmbedded works with electronics manufacturers to design and produce more secure new products and analyse and fix security and performance issues in existing products.