When personal computers were introduced, few manufacturers worried about security. Not until the early 1990s did the need for security become widely understood. Today, the Internet of Things (IoT) is following the same pattern — except that the need for security is becoming obvious far more quickly, and manufacturers should have known better, especially given the overwhelming influence of open source.
The figures speak for themselves. In 2014, a study by Hewlett-Packard found that seven out of ten IoT devices tested contained serious security vulnerabilities, an average of twenty-five per device. In particular, the vulnerabilities included a lack of encryption for local and Internet transfer of data, no enforcement of secure passwords, and a lack of security for downloaded updates. The devices tested included some of the most common IoT devices currently in use, including TVs, thermostats, fire alarms and door locks.
Given that Gartner predicts that 25 billion smart devices will be in use by 2020, no one needs to be a prophet to foresee a major security problem that will make even the security problems of the basic Internet seem insignificant.
This looming problem is not only alarming, but puzzling. Given that the IoT, like OpenStack before it, is built on open source — an area of technology whose developers are more aware of such issues than most — how have IoT manufacturers failed to be more security conscious?
A recent study suggests that two-thirds of those questioned are concerned about IoT security, yet nothing indicates that the number of security problems has decreased in the last few years, or that steps are being taken to prevent the coming crisis. So what is happening?
Cherrypicking IoT Purposes
That smart devices, like OpenStack before them, are being built on the shoulders of open source is too obvious for anyone to doubt. In early 2015, VisionMobile’s survey of 3,700 IoT developers indicated that 91% used open source in their work.
This figure suggests that, without open source, the development of the IoT would be much slower if it happened at all. If nothing else, the use of open source and open standards helps to reduce compatibility problems between manufacturers’ devices.
Open source is also well-known for helping manufacturers develop products more quickly, and for making profitable products that would be impractical if they were researched and developed from scratch. As in technology in general, most manufacturers of smart devices could hardly survive without open source.
Ask developers why they use open source, as the VisionMobile survey did, and they are likely to cite idealistic reasons, or the chance to learn new technologies.
However, the trouble is that, while manufacturers use free licenses for tactical reasons and developers pay lip-service to the advantages of community-based development, very few corporate open source projects are open in the sense that community projects are. Abstractly, corporate projects are open to anyone, but in practice, very few who are not employees ever hear about them. If they do hear about projects, non-employees are often discouraged from actively participating because of non-disclosure agreements.
This situation is illustrated by Canonical Software, the company behind the Ubuntu Linux distribution. For six or seven years now, Canonical has shown a preference for either starting its own projects or dominating existing ones rather than working with large or well-established community ones.
To judge from the frequent requests for other developers, few who do not work for Canonical seem eager to contribute to these projects. Developers are not so naive that they fail to see that such corporate projects amount to contributions of free labor — especially if, as with Canonical, contributing requires assigning copyright to the corporation.
In such an atmosphere, I suspect, the emphasis is on the short-term advantages of open source. Just as importantly, the participants in the project are too focused and too few for the old adage that, “with enough eyeballs, all bugs are shallow” to come into effect. Not only is there likely to be a shortage of eyeballs, but those who are available are more apt to be concerned with rushing to market as soon as possible than to spend time worrying over security.
Manufacturers could, of course, compensate by hiring developers to watch for vulnerabilities. That, of course, was how the lack of eyeballs in projects like OpenSSH was solved a few years ago, when the Linux Foundation donated money for more developers for core projects.
However, when a project is not community-centered, that solution is not an option. It takes a certain amount of foresight that can be difficult to apply when the focus is on short-term benefits. As a result, the potential security problem with smart devices continues unchecked, with many worrying about it but few doing anything to prevent it.
The Right Tools for the Wrong Reasons
The ability to detect bugs because of a thriving community is not part of any general definition of open source. You will not find it mentioned in Richard Stallman’s four software freedoms, or in the text of the GNU General Public License or any other free license. Instead, it is the serendipitous effect of a healthy community.
That serendipity, however, is unlikely to happen for a corporation that wants to take advantage of open source while ceding as little control as possible. Some advantages of open source are achievable only by creating an active and open community. Until the manufacturers of smart devices can learn to trust the processes of communities, the security problems are only likely to escalate.