IoT Devices and the Danger of Update Complacency


Internet of Things (IoT) devices are now present in almost every area of our lives, in industry, and in critical infrastructures. These permanently connected smart devices process very sensitive data, so it is crucial that they are kept up to date in order to remain protected.

A study performed by Fraunhofer ISI analyzed the data of 52 billion devices and concluded that it is only a matter of time before we start seeing very serious cyberattacks if we don’t improve the security of these devices.

People have smart devices in so many areas of their lives, from wearable smart devices tracking their health and fitness to smart speakers with powerful microphones in their living rooms. In industry, industrial IoT devices are connected to monitor machines and are quickly forgotten once installed.

Furthermore, since many manufacturers prioritize a fast time-to-market mentality, vulnerabilities in outdated firmware are more often than not ignored and never receive even the smallest patch, a mentality that creates serious privacy and security threats for users.

Policymakers around the world have become aware of these threats in the past years and have begun pursuing strong regulations, such as the European GDPR (General Data Protection Regulation) and the “right for updates” that has been in force since 2022. Additionally, the EU Commission recently signed the Cyber Resilience Act, which introduces a legal obligation for manufacturers to provide consumers with timely security updates for several years after purchase.

Unfortunately, these steps towards better protection don’t seem to be working very well so far. A study analyzed data from 175 million devices, covering 7,116 distinct models from 384 manufacturers categorized into 17 different device types. The overall conclusion from the data is that IoT and smart connected devices are not being regularly updated or replaced, and that the situation has even worsened since the GDPR came into force. But how is that possible?

Dr. Frank Ebbers, the author of two research papers on this topic, said “The low up-to-dateness-rate should alarm both manufacturers and users but also policymakers and sharpen the focus on this issue”. He expressed his belief that the manufacturers, the regulatory authorities, and the users themselves have a responsibility. “Only through the joint efforts of these three partners is it possible to create a more secure IT infrastructure.”

Therefore, regulatory authorities should issue recommendations to manufacturers that force them to incorporate good update mechanisms into the devices, which can then be easily understood by end users.

This information was provided by Techxplore.