Android Things: Google tries to fix IoT security, but fails

Google Things is out of beta. And la Goog is crowing about its fancy new security stance: It promises to keep updating the IoT platform for a very, very long time.

Three whole years, in fact. Oh, wait, that’s actually not very long, is it?

Look, if I’m installing devices in my home—especially if they’re going into the fabric of the building—I want them to last a heck of a lot longer than three years. How about you?

These sorts of limitations are encouraging unfettered consumerism and rampant e-waste. In this week’s Security Blogwatch, we wish IoT vendors would get real—or get lost.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Visualizing irrationality

Internet of fecal matter

Rock me, Ron Amadeo—Your Wi-Fi enabled toaster might soon be more up-to-date than your Android smartphone:

Android Things … lives alongside Android TV, Android Automotive, and (Android) Wear OS. Things is meant for IoT devices.

The root cause of security problems on most Android devices is the same problem that plagues IoT: Device makers don't want to update their devices. Google is going to solve this problem by just doing all the update work itself: every single Android Things-based product will get three years of OS updates, direct from Google, for free. … Automatic updates are enabled by default and will arrive as monthly security updates and the occasional major OS update.

Android Things only supports certain pieces of hardware. With the 1.0 launch, Google is certifying … the NXP i.MX8M, Qualcomm SDA212, Qualcomm SDA624, and MediaTek MT8516. … Additionally, the NXP i.MX7D and hacker favorite Raspberry Pi 3 Model B are supported as developer devices.

I’ve been living under a rock; is Google Things a new Google thing? Frederic Lardinois slides in with Android Things IoT platform comes out of beta:

Google’s IoT platform for developers who want to build connected devices, is now out of beta. … Quite a few companies started building products for the platform a while ago, including Google’s launch partners for its Android smart displays.

Google says it saw over 100,000 SDK downloads during the preview and that over 10,000 developers provided feedback. … If you bet on the NXP i.MX6UL [system-on-module], you’re out of luck … support for that platform is being phased out.

Here’s Google’s Dave Smith—Say Hello to Android Things 1.0:

Android Things … enables you to build and maintain Internet of Things devices at scale. We [do] the heavy lifting with certified hardware, rich developer APIs, and secure managed software updates.

For each long-term support version, Google will offer free stability fixes and security patches for three years, with additional options for extended support.

Wait, what? Here’s what grinds John Miller’s gears: [You’re fired—Ed.]

Only 3 years for long-term support seems short for IoT. My doorbell, thermostat, washing machine, security camera, etc. all last much, much longer than that.

And he’s not alone: James Puderer agrees:

One of the major value adds for Android Things was the updates from Google. 3 years is too short for IoT. Worse is if … "bad guys" … can target a large class of devices outside of the 3 year window with known exploits.

But Adam Brown chugs the kool-aid:

How long is long enough then, 5 years? 10 years?

Good question. cbf was doing IoT before IoT was a thing:

I used to work in the "building automation" space. Most substantial sized commercial buildings … have had networked digital controls for about 40 years.

When you put in a microprocessor-controlled air-handling unit, or variable air valve … it's more like 30 years before the building owner wants to touch it. You can still find the occasional commercial building with legacy pneumatic controls -- running just fine 50 years later.

I think Silicon Valley vendors trying to re-invent the IoT space only have vague ideas of what the actual applications are.

So zelendel is slightly sarcastic:

I am loving the idea of people's houses being connected to the internet. Much easier to break into.

My sons locked out an entire housing building because it was connected to the internet. They had to replace the whole system when they were done. Yeah being connected to the internet is always a good thing lol

And Madokami is as mad as heck, and isn’t going to take it any more:

What happens after three years when support stops? My garage door opener has been in use for over a decade.

The next wave of DDoS attacks is going to be a tsunami too. Can't wait for that to happen.

Are you depressed yet? Sajuuk is:

Peak digital era: buying new fridges every 3 years so someone can't install a cryptominer on them.

The moral of the story?

If you make things that connect to the internet, your things will need updates for way longer than three years.

And Finally…

Visualizing irrationality


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Nicolas Vigier
