
SoylentNews is people

posted by mrpg on Thursday December 22 2016, @09:20AM
from the Mirai-IoT-Botnet dept.

Canonical, maker of Ubuntu Linux and its Internet of Things variant, has discovered the obvious – that people cannot be trusted to secure their connected devices.

Thibaut Rouffineau, evangelist for Ubuntu Core and the Internet of Things, admitted late last week that developers and IoT device makers know people seldom update the firmware of connected devices. But, he argues, they probably don't realize how bad the security situation has become.

The distro maker says it surveyed 2,000 folks about how they dealt with connected devices. It found that less than a third of respondents (31 per cent) installed updates as soon as they were available. Some 40 per cent never knowingly updated their devices.

"In other words, consumers are leaving their devices open to exploits and hacks, from DDoS attacks to invasions of personal privacy or theft of personal data," said Rouffineau.

Why such disinterest? According to Rouffineau, almost two thirds of respondents felt that keeping software updated – their security – was not their responsibility.


  • (Score: 2, Insightful) by Vokbain on Thursday December 22 2016, @10:02AM

    by Vokbain (2372) on Thursday December 22 2016, @10:02AM (#444659)

    To be honest I'm more concerned about the security of the shitty PVR and TV receiver boxes I get from my provider than I am about my Philips Hue lights and other automation swag.

    Apparently they update themselves periodically, but they're still running some version of Windows CE.

    Fortunately the Hue app lets me know when it's time to update, but I have no idea what changes are made on the PVR updates, or even when it happens (unless I'm watching at the time and it jacks up my shows).

  • (Score: 4, Insightful) by MostCynical on Thursday December 22 2016, @10:37AM

    by MostCynical (2589) on Thursday December 22 2016, @10:37AM (#444670) Journal

    Worse is that you have no idea if an update is patching a vulnerability or opening up some new spy/tracking functions, or even just bricking your device ("oops, dodgy code, please return to supplier for replacement, sorry you lost your recordings"; who am I kidding, they are never sorry)

    --
    "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
    • (Score: 4, Interesting) by Zinho on Thursday December 22 2016, @01:14PM

      by Zinho (759) on Thursday December 22 2016, @01:14PM (#444700)

      Worse is that you have no idea if an update is patching a vulnerability or opening up some new spy/tracking functions, or even just bricking your device ("oops, dodgy code, please return to supplier for replacement, sorry you lost your recordings"; who am I kidding, they are never sorry)

      If only this were a hypothetical risk, as opposed to something that actually happened, recently, with Philips Hue systems specifically. [duckduckgo.com] Bonus: it was intentional, not a bug. No, they weren't sorry. [meethue.com]

      --
      "Space Exploration is not endless circles in low earth orbit." -Buzz Aldrin
      • (Score: 2) by butthurt on Thursday December 22 2016, @10:58PM

        by butthurt (6141) on Thursday December 22 2016, @10:58PM (#444866) Journal

        This is linked from the top of the page you linked (emphasis mine):

        We would like to let you know that we’ve rolled out worldwide software that replaces the previous 1.11 software update of Philips Hue. This means that lights from other brands will work as before with the Philips Hue system using interoperability provided by ZigBee Light Link.

        -- https://developers.meethue.com/documentation/3rd-parties-and-homekit [meethue.com]

        It goes on to say (if I understand correctly) that the compatibility with Apple HomeKit will remain disabled. At least, though, they did reverse part of what they'd done (assuming they're not lying).

        • (Score: 2) by Zinho on Friday December 23 2016, @03:02PM

          by Zinho (759) on Friday December 23 2016, @03:02PM (#445032)

          Yes, they did roll back the change that bricked 3rd party lights.

          No, Philips doesn't think that was the best solution. They are convinced that blocking 3rd party/non-"friends of Hue" products is the best solution and their corporate non-apology is very clear about that. They rolled it back after a wave of sharp, vocal criticism from first adopters with lots of social media influence called them out. Philips is on my "do not buy" list, right next to Sony, due to this shenanigan. Advertising yourself as being an implementation of an open standard (ZigBee, in this case) and then transforming into an incompatible walled garden with no warning via software update is a Wheaton's Law violation.

          That said, I don't really fault Philips for excluding the Apple products. Apple is also attempting to build a walled-garden lighting ecosystem, intentionally incompatible with off-the-shelf components. And they'll get away with it, because they're Apple. Philips has no responsibility, neither to their own customers nor to Apple's, to interoperate with a system that isn't even trying to implement the same standard.

          --
          "Space Exploration is not endless circles in low earth orbit." -Buzz Aldrin
    • (Score: 0) by Anonymous Coward on Thursday December 22 2016, @04:33PM

      by Anonymous Coward on Thursday December 22 2016, @04:33PM (#444758)

      Worse is that you have no idea if an update is patching a vulnerability or opening up some new spy/tracking functions...

      Welcome to the world of Android updates. Sure, there is a patch to fix the terrible vulnerability in the system or that app. But before you can get it, you now have to agree to let it snoop on your calls, location, and contact list.

      • (Score: 2) by tangomargarine on Thursday December 22 2016, @04:59PM

        by tangomargarine (667) on Thursday December 22 2016, @04:59PM (#444766)

        If you're lucky enough to get updates for your Android device that's more than a year old at all. Very lucky.

        --
        "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
        • (Score: 1) by Francis on Thursday December 22 2016, @06:01PM

          by Francis (5544) on Thursday December 22 2016, @06:01PM (#444782)

          That's why Google has been moving more and more Android functionality into the playstore.

          It's definitely not an appropriate solution, but it's far better than it used to be where 100% of the patching had to be done by the carrier who mostly wouldn't do any because they've got waivers for any responsibility on file.

          • (Score: 2) by butthurt on Thursday December 22 2016, @11:15PM

            by butthurt (6141) on Thursday December 22 2016, @11:15PM (#444868) Journal

            Hasn't Google been creating proprietary apps to supplant more and more Android functionality? Open-source apps are possible (witness F-Droid) but that's not what Google is doing:

            Google's update setup has the odd stipulation that easily updatable code must also be proprietary Google code. There's no reason Google can't use this "app-style distribution" to ship open source code just as easily [...]

            --
            http://arstechnica.com/gadgets/2016/11/android-extensions-could-be-googles-plan-to-make-android-updates-suck-less/ [arstechnica.com]

            Google's licencing arrangement for those apps provides that all of them must be included--one cannot pick and choose. It smells like anti-competitive bundling.