Saturday, January 16, 2016

The Internet of Things Isn't Just About Bad Security

The problem isn't just that the software has gaping security holes, it's that software driven everything appears to be a recipe for disaster.

EE Times reports this week that Consumers are feeling the peril of all the connectivity.  There's a "smart thermostat" for air conditioners called the Nest (which I mentioned here).  It offers convenience features such as the ability to set the temperature from elsewhere.  Your first thought is probably a widespread hacking, but in this case, that isn't the "uh oh".
Earlier this month, Nest’s smart thermostat reportedly stopped working, leaving many users frustrated and their homes freezing cold.

Users took their problem to social media, blaming a mysterious software bug that drained Nest’s battery, and complaining that the thermostat can’t connect to the Internet.
Later, company officials explained that during a December software update which was pushed onto the customers' thermostats, they introduced a bug that didn't show up until January.
Richard Doherty, research director of Envisioneering Group, called the Nest fiasco “the worst possible consumer experience imaginable.” All the more egregious is that most of the time “customers do NOT know of the update; or even the purpose of the ‘fix’ it was supposed to deliver,” he added.
You're not the only people getting concerned about this.  Apparently, that concern is getting pretty widespread.
Take a look at the 2016 Accenture Digital Consumer Survey in which 28,000 consumers in 28 countries were polled on their use of consumer technology.  One result that jumps out is that consumers’ “security and privacy” concerns over IoT devices are much more prominent, compared to 12 months ago, John Curran, managing director of Accenture, told us. 
An even bigger surprise is how many consumers said they are going out of their way “to quit or terminate an IoT device or services until they are assured of safety,” explained Curran. “It’s not a majority, but close to 20 percent of people told us that. It’s a big number.”
Curran said, “the most sobering view of where we are today is captured by a sharp drop of the purchase intent of smartphones among Chinese respondents.” Globally, the purchase intent for smartphones is declining. Only 48% of consumers plan to buy a smartphone in the next 12 months. The drop is sharpest in China, down from 82 percent last year to 61 percent this year.
I think this maturation of the IoT market is like the quote from the CEO of Big Ass Fans I used back on January 7th:
 "[The connected home] [or in this case IoT - SiG] is in the very early stages," Smith says, "and when people ask why hasn't this caught on, well, what the hell is there to catch on? There's nothing there. I mean, taking something off of the wall and putting it on your's a conceit to imagine that that's anything interesting or important. You aren't doing jack is what it comes down to." 
A running joke in the electronics hardware business is that software is going to cause the end of the world.  The way the software business is run is so fundamentally different from the way that hardware works that most of us are perpetually astounded.  Can you imagine buying a car where many features just don't work right, and the companies have you return to the dealer to install new hardware?  I suspect that would raise a pretty loud howl from their owners.  How is that different from a software patch to fix something that doesn't work properly?  Now imagine you don't take the car to the dealer, but someone comes to your car in the middle of the night, installs the new hardware, and the car won't work the next morning.  That's what Nest did. 

In the aviation business, commercial or military, software is deadly serious and the emphasis on the way software is created is unlike anything you'll find in a place like Nest.  In the commercial world I just came from, the industry specifications essentially require that every single line of code can be shown to come from a system level requirement; that every single line of code be inspected, tested and verified to work as intended.  The verification has to be done by someone independent from the software engineers.  That reduces, but doesn't eliminate, the chance the system won't work as intended.  The military and commercial aviation markets are so tough on software that the old cliche' of "fix it in software" has turned into "fix it in hardware".  The equivalent rigor for hardware is mostly aimed at complex digital components, such as FPGAs, ASICs, CPLDs and other hardware that's largely created by writing software.
Software issues have killed people already.  The Nest probably didn't kill anyone, but may have allowed some pipes to freeze and flooded some houses.
(found here, but the image is from Cisco, whose version is much more involved and interesting)


  1. You know I'm one of the few under 60 who have lived without electricity or running water. Where I grew up we farmed with mules and worked from sun up to sun down just to eat. I don't own a "smart phone" and couldn't care less if I never do. ALL of this modern "High Tech. world is about LUXURY and government control. We really don't need it, and some of us couldn't care less if it all disappeared today.---Ray

    1. ...he typed, on the internet.

    2. Yes Tam I did. But the type wrighter go's back to the 1870s And my 20 year old desk top isn't a smart phone. Oh! I'm sorry you were just being a smartass. You think its funny. ---Ray

    3. Ray, I've lived that way myself, by choice, for a while. While I like a lot of the luxuries now possible via the Internet (I live in the rural mountains of SW Montana, and buy most of what I need on the 'Net and have it shipped to my PO box, since nobody will deliver mail or anything else up my seven miles of dirt road), I know I can do all right if it all goes south.

      Most of what I have is backed by hand tools and equipment that will work just fine if the grid goes down - although I've got a decent solar PV system for things like my well pump and refrigeration. I've done without both of those before, but I like the convenience. Hauling water from the creek gets old pretty quickly, especially in winter. I agree about government interference and control.

  2. I'm actually shocked to see 20% of the public so worried about security that they won't get the products. I thought I was the only one.

  3. I've been an embedded automotive software developer since 1990, and I don't see why people aren't after us with pitchforks and burning brands. A year or so ago the re-configurable instrument cluster our company was building was experiencing resets in the field - leading to your IP blacking out for 12 sec or so while you were driving. I was sent to a dealership in CA that had a vehicle that had experienced the problem in order to try to debug it. It is a very, very sad thing to see the interior of a brand new $75K car splayed open like an Orc's head. And yes, it turned out to be several different software bugs.
    Unlike aviation, the goal in automotive is to constantly reduce the cost of the product, and if quality suffers it just doesn't matter. You're seeing a sh*t-ton of outsourcing in automotive embedded software (driving lower quality and cost), and a huge increase in complexity, but no desire to increase quality (other than by lip service). It is the worst I have seen since the early 90's, when we sucked but knew it. The problems we had in the 90's drove software quality and process improvements which have now been erased. And the current push to make self driving vehicles - that is just mind boggling. Knowing how the sausage is made, I can only shake my head.

    1. I was going to say something similar about self-driving vehicles. Besides having the system hacked (remember Woody Harrelson's dilemmas (plural) in "After the Sunset"?), bugs in the system could end up being fatal to not simply yourself, but others on the road. The software between most people's ears is bad enough. Compound that with people forgetting how to drive manually at all, and the emergency will be an order of magnitude greater than people who couldn't figure out how to take their Toyota out of gear, or shut the engine down (or take their foot off of the accelerator pedal).

      Although it might reduce the number of accidents from the ignorant/stupid fools who like to text and drive. On second thought, I'm not sure reducing the natural selection involved in ridding the road of "texters" would be a good idea, but it might save innocent lives.

  4. @Ray: Well said, even if I don't entirely agree with you. (I do in part, though. What kind of idiot connects their front door lock, or their thermostat to the fricking internet? Damn!) I'd add, you might notice it if only because of the burning cities. The infrastructure of most cities, and all of the banking systems, are on the "Internet of Things" because the net makes it a lot easier to move money around and connecting certain critical elements of urban infrastructure to the net allows for the money that would be spent on actual human inspectors/maintenance personnel to be spent making ordinary citizens lives a little harder. (Kidding...mostly) Anyway, the point is, if all that stuff disappeared tomorrow, you probably wouldn't notice it immediately, but you'd learn about it in fairly short order...if you know what I mean. *shudder* That said, I wish I could say that I grew up without tech, or that I could survive if it vanished, but I'm afraid neither of those things is true. Doesn't mean I like it...I may be a nerd, but my core streak of contrarian independence means being dependent on tech for my survival rankles. I'll stop yammering now, heh.