Jason Lackey
Solutions Marketing

Internet of Things – Where Responsibility Meets Morality

January 30, 2017 by Jason Lackey

As we bundle more and more intelligence into products and devices that, at least in the past, were not particularly intelligent, it is increasingly common to run into considerations that were not a factor before.

For example, in the automotive world morality is taking on more meaning than just things like whether or not it is worth redesigning a gas tank if only a few people burn to death in crashes. With autonomous driving systems there are questions of how to handle the inevitable situation where you have to choose between hitting a concrete barrier, killing everyone in the car, or an old lady crossing the road, killing the old lady. TechCrunch did a good writeup that included mention of MIT’s Moral Machine.

There is another aspect of the Internet of Things where technology and morality intersect – security. As we have recently seen (good article from Ars Technica here), one of the challenges of building IoT devices is that while not particularly powerful, a typical IoT device is powerful enough to participate in a botnet if compromised. Even worse, there are forces that conspire to make IoT devices relatively easy to compromise. Developers face demanding deadlines and in many cases are not familiar with key security concepts – they are under enough pressure to just make it work, and are not necessarily looking at how to make it secure, both now and in the future.

For example, many IoT devices are built on some sort of embedded Linux. This is a good thing, but for a variety of reasons many shops end up building on older versions of Linux, and this creates challenges. One of the challenges is that vulnerabilities in older versions of Linux are well documented. The fixes are well documented as well. The same goes for well-known IoT libraries and software – most are open source, with the vulnerabilities and fixes being known and well documented.

This is where the need to update comes in. Even if an organization both wants to build a highly secure device today and has the resources to do so, vulnerabilities in the OS and other software will be found, if not tomorrow then the day after. When those vulnerabilities are found, there are few options beyond either discarding the device or updating it to patch those vulnerabilities.

This is where the morality comes in. Due to the rise of IoT botnets, security on an IoT device has changed from being a concern for the device owner to being more of a concern for the community at large – kind of like open mail relays or people who refuse vaccinations. IoT makers are now under the gun not only to deliver that initial security and functionality, but also to update and patch to maintain security. To make things even more challenging, ham-fisted approaches that intrude on the user or break functionality (any Win10 users have an update kick in before or during a presentation?) are not going to work either – these updates will have to be relatively seamless and must not brick the device, require interaction from the user, cause disruption, or be akin to a denial-of-service attack from the maker.