Security and IoT


This year there have been so many reports about IoT devices being hacked, being misused, and being subverted. I think we are at a watershed when it comes to Internet of Things connected devices. There are two major issues which, if not resolved, will crater the industry and drive a large spike of distrust into it.

First, most device manufacturers are not in the business to support their devices for the long term. We've gotten to a point in society where we have been trained to replace our technology every few years. PCs are designed to last three years at most, phones are replaced every two years, and many software products are moving to subscription models, as consumers expect a never-ending supply of updates and features, which standard upgrade pricing does not support.

Building a product, and the team you need to support it long term, requires planning and long-term revenue streams. If we look at these trends, the desire to design hardware devices with long-term security in mind requires a fundamental shift in how those devices are conceived and charged for. The shift to subscription programs for some hardware is a great example of this change. Apple is doing this with their iPhones and Microsoft is doing this with their Surface laptops. Having cell carriers do this is great for carrier lock-in, but doesn't necessarily translate to the full value for the manufacturer.

Second, we need to have more consequential legislation for data privacy and security. If the only individual that is truly harmed by bad security is the end user or company, then the incentives for manufacturers to get it right are pretty much minimal at best. Many of the basic manufacturers continue to just pump out basic IoT devices, with no long-term goal to support them. They make their money on building and selling new devices. They do not have a long-term revenue plan for any specific device; their long-term plan is to make newer devices.

While this manufacturer-centric view of devices makes tons of sense as a manufacturer, the privacy and security concerns are only there in building reputation for manufacturing. While this will have long-term brand impacts, many manufacturers actually build for multiple other companies, and so they pass that brand impact on to the company that white labels their devices. This passing of the buck causes even worse security policies, such as default passwords and open ports. The other bad practice that comes about is for some manufacturers to actually take advantage of the bad security to capture data themselves and exploit this data for additional revenue.

Hopefully in 2019, the value of GDPR will be realized as companies start having to deal with legislation that takes security and privacy a bit more seriously. I don't think GDPR is perfect, but it is a step in the right direction.