MOUNTAIN VIEW, Calif. — Connected “internet of things” gadgets, like connected thermostats, cameras and speakers, suffer from security updates that arrive late or never. So Google (GOOG, GOOGL) has a solution in mind, and it involves the mobile operating system that has long suffered from security updates arriving late or never.
Android Things, the “IoT” platform Google unveiled at its I/O conference here, aims to transcend the problems Android has experienced on phones by taking device makers out of the update loop. Gadgets built on this foundation, Google says, will ship with software hardened against hacking attempts and at least three years of guaranteed, automatic security patches.
So, in theory, we should get smart devices that aren’t stupid about security and don’t get taken over remotely. That would be a welcome addition to a market currently swamped by security vulnerabilities that have allowed hard-to-detect privacy violations and fueled massive denial-of-service campaigns against web infrastructure.
How are you supposed to shop for a smart device?
Here in the reality of 2018, IoT security remains a big bag of unknowns. Manufacturers will introduce connected appliances without clear statements of how long they’ll get bug fixes — even though these things, if used like the non-connected sort, will stay in service for decades.
Even answering basic questions about security features in an allegedly-smart device seems too difficult for some companies, while government regulation has been patchy and sometimes slow to respond to clear failings by firms. One reason: It’s hard to know that a device without a screen or a user interface of any sort has been hacked.
That can lead to a certain willful ignorance or learned helplessness. “I don’t think that consumers are quite thinking about security yet,” observed Carolina Milanesi, an analyst with Creative Strategies.
All this contributed to a horde of connected cameras and other devices being hijacked and enlisted into the Mirai botnet in October of 2016, then employed to launch denial-of-service attacks that left much of the internet unreachable across the U.S. In other cases, hackers have been able to tune into the video feeds of connected cameras by exploiting vulnerabilities in them.
Various third parties are trying to get a sense of the problem. For instance, Underwriters Laboratories is developing its own cybersecurity labeling program, Consumer Reports (disclosure: I occasionally write there as well) has begun testing connected devices for privacy and security, and a group of researchers at Princeton University is building a database of IoT security.
Things to know about Android Things
With Android Things, Google hopes to give developers and customers more than just vague assurances. This platform is built on Google-certified chipsets from such manufacturers as Qualcomm (QCOM) around which those companies can build smart devices. Then it adds a secured and stripped-down version of Android, on which developers can write apps using standard Android tools.
Google promises a minimum of three years of security fixes for each major release. That itself is well short of the lifespan of a thermostat or an LED bulb; Google hasn’t said what the maximum period of update support would be for Android Things, but it’s definitely not just three years. The developer blog post announcing this platform’s 1.0 release notes “additional options for extended support.”
Devices running this platform have been emerging since January — see, for example, the “Smart Display” that Lenovo introduced then at CES, or the LG smart speaker shipped last month. But Android Things’ role went unadvertised until Google formally announced this effort on Monday.
During a keynote Wednesday morning, Android Things project-management lead Vince Wu said Android Things would soon show up in additional Google Assistant-based smart speakers and Smart Displays—and would work for everything from connected doorbells to point-of-sale terminals. Note, however, that Google’s own Nest thermostats don’t yet run on this platform.
Other attempts to address this problem
Milanesi, the Creative Strategies analyst, offered a tentative endorsement of Google’s move but noted the company’s competition. At CES Samsung announced that it would incorporate its Knox security platform into its smart-home devices, and Apple (AAPL) has been pushing its own HomeKit platform, under which Apple reviews and approves the security of third-party devices.
Last month, Microsoft (MSFT) introduced its own IoT platform, Azure Sphere. Based on the open-source Linux operating system—itself a major departure for the firm—this includes a full 10 years of guaranteed updates, a duration much closer to the service life of household gadgets.
The best possible next development would be to see the likes of Google and Microsoft prominently advertise their guaranteed-update timelines, if not get into some one-upmanship on that front.
Being able to compare the support pledges on different connected gadgets would mean you wouldn’t have to feel so dumb when trying to buy a smart device. Until then, consider yourself more than welcome to hold off on flinging yourself into the connected-home lifestyle.