David Mytton is the CEO at UK IT systems management company Server Density.
What do you own that is connected to the internet? Your phone and your laptop, of course. But what about your TV? Your lightbulbs? Your door lock? Your kettle? Your baby monitor? Your fan?
More and more devices are being sold as “smart” and “connected” – able to be switched on whilst you’re out of the house; options for sharing control with your family, fancy stats and graphs to see how its operating. It is no longer unusual to have to give a new gadget your WiFi details.
Whilst it is very convenient to be able to use apps to manage all your devices, with more things connecting to the “internet of things” (IoT), the security risk also increases.
In 2016, one of the largest-ever attacks was launched by a UK citizen who had built a network of insecure devices (a botnet). These were then used to send huge volumes of traffic to Deutsch Telekom, ultimately knocking 900,000 customers offline. Another example from last year was a security issue in a baby monitor which allowed strangers to view live video and even speak to children, all because of a bug in the software.
No software is a hundred per cent secure and there will always be bugs. The problem is that they are not being fixed because there is no incentive to issue updates. With the exception of the largest manufacturers such as Apple and Microsoft, once you buy a product, it’s probably never going to be updated again. You’re buying it “as-is”, despite the fact that software develops at a rapid pace, bugs are fixed and security flaws are found. Any fixes will be slow to arrive, or probably won’t ever be released.
And why should they? You pay once, and the manufacturer has made their profit. Spending time improving and updating the software is only an additional cost. Unless there is a subscription model or the vendor is large enough to be able to justify the overhead of maintaining older versions for reputation reasons, there is a simple market failure to keep products securely updated post-purchase.
As the recent Wannacry attack on the NHS has shown, outdated software is already a problem. The market hasn’t been able to solve it, so now is the time for government regulation to step in and force the issue.
Just as with electrical and product safety certifications, there needs to be a standard which is enforced for the software elements of all internet connected consumer products before they can be sold.
This is not a simple problem, and there are many questions to consider. How fast should updates be released? Does it apply to regular software bugs or just to security? How is a security issue defined? How long should updates be provided before a product is “end of life”? Should updates be made automatic and forced, or does the consumer get some control? How strict should the requirements be and what is the risk of discouraging innovation as a result? Who does the testing and what needs to be demonstrated during certification? How is it enforced?
On August 1, a draft bill was introduced into the US Senate to mandate exactly these kind of requirements. It is specifically scoped only to products supplied to the US Government, but a similar bill in the UK should go further and cover all consumer products.
The failure of companies to address this problem has gone on too long. Government must now set (and enforce) minimum software safety requirements.