Posted on by Achim D. Brucker, licensed under CC BY-ND 4.0.

Did You Patch Your Light Bulb today?

More and more devices that we buy today are “smart”, i.e., they can be connected to the Internet. Actually, many experts expect that by 2020, over 50 billion (smart) things will be connected to the Internet. Technically, a smart device contains a small computer which runs software and, as we all know from our daily experiences, software often has bugs that can lead to security vulnerabilities. In 2016, a botnet called Mirai targeted smart home devices and used them for attacking a domain registration service provider. This resulted in the unavailability of well-known services such as Google for Github for a large number of users.

The Mirai attack showed the potential of exploiting security vulnerabilities in smart things. This risk is likely to increase, if more and more devices get connected to the Internet. To avoid (or at least minimize the risk of) such attacks, smart things need, as any computer, supplied with updates.

Let’s make a thought experiment and assume, we would be using smart devices since decades. Now let’s try to answer the question, which version of Microsoft’s Windows would run, if various devices are close to their average span:

  • Computer and mobile devices: Computer and mobile devices have an average life span of three to five years. Thus, your computer most likely was bought with Windows 8 (released on 26th of October 2012).
  • Wi-Fi routers: Small network devices such as switches or wi-fi routers have an average life span of seven years. Thus, your wi-fi router most likely would be running Windows 7 (released on 22nd of October 2009).
  • Cars: Cars have an average life span of 14 years. Thus, your car would most likely still run on Windows XP (released on 25th of October 2001).
  • Fridges: Large home appliances (e.g., your fridge) have an average life span of 17 years. If you had bought a smart fridge 17 years ago, it would have been shipped with a brand-new version of Windows Me (released on 14th of September 2000).
  • Light bulbs: Modern LED light bulbs have an expected average life span of 20 years. Thus, your light bulb might still run Windows 98 (released on June 25th 1998).

Of course, smart devices usually do not run consumer-oriented operation systems. Still, this thought experiments illustrates how long the software running on a smart devices needs to be supplied with security patches. This long maintenance of the software of smart devices will be a challenge for both manufactures and users

An even more interesting question is the liability of operating smart devices. If a vulnerability in a smart device is exploited by a third party and, as in the case of the Mirai botnet, the smart device is hijacked for criminal activities, who is liable? The manufacture that, maybe 15 years ago, produced an insecure smart device, or the user that is still operating an insecure device. And if security patches are available, who is responsible that patches are applied?

Thus, traditional manufactures will need to learn that, in the future, they are no longer producing physical devices, they are turning into software companies that sell software-defined products. Hence, manufactures need to be able to provide security patches for their smart devices for the whole life of the product, which is often much longer than the life span of most consumer software that we use today. And consumers need, either manually or automatically, able to apply the security patches.

With our research on security economics, security testing, and techniques for securing the software supply chain, we hope to contribute to making life easier and more secure for vendors, consumer, and everybody living in a software-defined world.