Smart things are so dumb because they take after their makers. Let's fix that
IoT still needs its lightbulb moment
Opinion Tech is a great leveller. You can drop £50k on a shiny Tesla and £1k+ on the latest iPhone 13 Max Grunt to unlock it. But if some netops drone located half the globe away misconfigured a server, you're walking home just like a peon with a scratched-up Android and a battered Peugeot who dropped their keys down a drain.
Now, we don't know what caused the outage that outraged owners out with their Musk oxen last week – Tesla doesn't care to communicate details with the press about this or anything else, really. But we do know that the best you could get if you were caught out using mankind's most advanced phone to access mankind's most advanced electric vehicle in the closing stages of 2021 was "Server Error 500."
Numeric error messages were just about OK with the Sinclair ZX81, which had the excuse of an 8 kilobyte ROM with no room for text that could be looked up in the ring-bound manual ... That was 40 years ago.
Could we have a better system today, when the cars (kind of) drive themselves and the phones can converse in conversational Catalan if we ask them? Could we use just a smidge of all that AI to tell the punters that the phone is fine, the app is fine, the problem is being experienced by some 3,000 people right now and the automated roll-back will have you back online in five minutes? Of course we could. But we don't. There's no market force, no regulator that encourages or compels.
Thus basic network error management lags other aspects of system design by decades. That's bad enough when you're puzzling things out with a full-fat browser on a system with decent diagnostics like, god help us, ping and traceroute. It is beyond terrible with embedded systems like cars, edge automation, and anything IoT. If your living room smart light starts turning itself off at random, it might as well be demonic possession as anything technical: you're not going to be able to find out.
This matters. Total absence of diagnostics isn't just a complete repudiation of the right to repair, it removes any motivation or ability to manage security. It doesn't matter how good you are, whether you spend your days in the data centre shaping traffic or infoseccing like the love child of GCHQ and the NSA. You won't get far. Take that lightbulb – any idea what protocols it's running at the top of the stack?
Chances are, if it's one of the random-brand cheapies that flood Amazon, eBay, and Banggood, it comes from Zengge, a Chinese company so obscure it has no Wikipedia entry despite flooding the globe with products by the million. The phrase "Zengge Wi-Fi protocol" yields that rarest of rare birds, a Googlewhack single result (just ruined it, sorry). The other, higher-profile internet-connected smart bulbs on the Tuya or TP-Link platforms are somewhat better known, but they're all full of home-made security running on mostly undocumented infrastructures with no discernible diagnostics.
Sure, you can approach the problem from the other end, setting up a dedicated IoT network and routing all traffic through packet capture and analysis. This is non-trivial, and making sense of what you find is even harder. And then what? It's not as if you can contact anyone who can change anything. The only responsible security approach to consumer-level IoT, from smart plugs to smart TVs, is don't touch anything that touches the internet. Not advice the world will heed.
Consumer IoT IT, in short, is the worst IT in the world, much of it resembling a productised mass of hobbyist Arduino projects. Even at the top end, a company that can make (kind of) self-driving cars and is sibling to reusable rocket ships can't keep its servers from emulating home computers with buggy BASIC. There is no way to protect consumers from its problems, no advice to give and no clear path forwards. It's the Wild West, carefully disguised as fun gadgets from the future.
- UK.gov emits draft IoT and smartphone security law for Parliamentary scrutiny
- Russia's orbital insanity is almost beyond redemption – but there's space for improvement
- Tech bro CEOs claim their crowns because they fix problems. Why shirk the biggest one?
- Please, no Moore: 'Law' that defined how chips have been made for decades has run itself into a cul-de-sac
There will be one of two outcomes: tombstone regulation, where the negative effects of such carelessness forces the imposition of restrictions and standards, or an industry that learns to look after itself. The early days of the microcomputer – where the worst that could happen was that you could never make something work or, if you neglected backing up, you lost months of data – sorted itself out through finding standards and building its own tests. The magazines were full of benchmarks, compatibility reports, commendations, and warnings. IoT – where the stakes are so much higher because we're installing unknown, untestable and unreliable devices at the heart of our personal information infrastructure – needs to emulate that.
Does a device or service use inspectable, known protocols? How much does it rely on cloud services that are opaque, how much on a published architecture? What diagnostics are available, and let's see the beginning of the evolution of some standards to work towards. For when you can tell your gran to buy smart lightbulbs that have a certain score or above for technical goodness, and when the supporting infrastructure of a Tesla can be compared to that of a Nissan, then the evolution of market-driven security and reliability can begin.
The return of Tesla owners' insufferable sense of superiority will be a small price to pay. ®