More and more of the devices we buy today are “smart”, i.e., they can be connected to the Internet. In fact, many experts expect that by 2020, over 50 billion (smart) things will be connected to the Internet. Technically, a smart device contains a small computer that runs software, and, as we all know from daily experience, software often has bugs that can lead to security vulnerabilities. In 2016, a botnet called Mirai targeted smart home devices and used them to attack a domain registration service provider. This resulted in the unavailability of well-known services such as Google or GitHub for many users.
The Mirai attack showed the potential of exploiting security vulnerabilities in smart things. This risk is likely to increase as more and more devices get connected to the Internet. To avoid (or at least minimize the risk of) such attacks, smart things need, like any computer, to be supplied with updates.
Let’s do a thought experiment and assume we had been using smart devices for decades. Now let’s try to answer the question of which version of Microsoft’s Windows would be running on various devices that are close to the end of their average life span:
Of course, smart devices usually do not run consumer-oriented operating systems. Still, this thought experiment illustrates how long the software running on smart devices needs to be supplied with security patches. This long-term maintenance of the software of smart devices will be a challenge for both manufacturers and users.
An even more interesting question is the liability of operating smart devices. If a vulnerability in a smart device is exploited by a third party and, as in the case of the Mirai botnet, the smart device is hijacked for criminal activities, who is liable? The manufacturer that, maybe 15 years ago, produced an insecure smart device, or the user that is still operating an insecure device? And if security patches are available, who is responsible for ensuring that the patches are applied?
Thus, traditional manufacturers will need to learn that, in the future, they are no longer producing physical devices; they are turning into software companies that sell software-defined products. Hence, manufacturers need to be able to provide security patches for their smart devices for the whole life of the product, which is often much longer than the life span of most consumer software we use today. And consumers need to be able to apply the security patches, either manually or automatically.
With our research on security economics, security testing, and techniques for securing the software supply chain, we hope to contribute to making life easier and more secure for vendors, consumers, and everybody living in a software-defined world.