Why don't people secure their IoT gadgets? 'It's not my problem'

Canonical, maker of Ubuntu Linux and its Internet of Things variant, has discovered the obvious – that people cannot be trusted to secure their connected devices.

Thibaut Rouffineau, evangelist for Ubuntu Core and the Internet of Things, admitted late last week that developers and IoT device makers know people seldom update the firmware of connected devices. But, he argues, they probably don't realize how bad the security situation has become.

The distro maker says it surveyed 2,000 folks about how they dealt with connected devices. It found that less than a third of respondents (31 per cent) installed updates as soon as they were available. Some 40 per cent never knowingly updated their devices.

"In other words, consumers are leaving their devices open to exploits and hacks, from DDoS attacks to invasions of personal privacy or theft of personal data," said Rouffineau.

Why such disinterest? According to Rouffineau, almost two thirds of respondents felt that keeping software updated – their security – was not their responsibility.

About 22 per cent of respondents felt software developers should be responsible while about 18 per cent indicated the responsibility should fall to device makers. Presumably the remainder of those who shirk device maintenance think service providers should step up.

The Register reached out to Canonical but hasn't heard back.

Rouffineau says that Canonical supports automated vulnerability patching for IoT devices and will explore the topic in a paper planned for January.

This is hardly going out on a limb. The US Department of Homeland Security recommends automated IoT patching in its November report, "Strategic Principles for Securing the Internet of Things" [PDF]. And earlier this month, Critical Infrastructure Technology, a Washington, DC, think tank, called for regulation to deal with the "negligence" in the design of IoT devices.

Basically, people expect their internet-connected gadgets to work out of the box just like their non-connected appliances and tools, because, well, has anyone taught them otherwise? You buy a traditional lock, you fit the lock, the lock works and keeps on working, maybe will a little oil, and it certainly doesn't need constant updates and upgrades like a web-connected so-called smart lock needs.

Because people buy an Internet-connected toothbrush to brush their teeth, not to become an unpaid toothbrush sysadmin. https://t.co/n5ooVBjqrX

— Ken Tindell (@kentindell) December 20, 2016

Meanwhile, attacks conducted by the Mirai botnet highlight the consequences of assuming that someone else will take responsibility for IoT security.

But when it comes to online security, stating and restating the obvious is the new normal. ®