In-brief: A prominent Googler says the company is committed to keeping the Android operating system open source, but wouldn’t mind the security benefits that come with Apple’s closed iOS ecosystem, either!
Google’s Android operating system has provided a useful, if at times painful, lesson that the company is using to refine its approach to the Internet of Things, which will add tens of billions of devices to the Internet before the end of the decade.
Speaking on a panel at the annual RSA Conference in San Francisco, Max Senges, a Program Manager for Google Research and Education, said that the company’s open source Android mobile OS has helped underscore for the firm some of the problems that will challenge any IoT ecosystem player in the years ahead.
“We’re bringing the lessons we learned from Android to the Internet of Things,” he told the audience at the event on Monday, which was hosted by The Trusted Computing Group. Among the challenges Google has had to confront are creating an ecosystem that allows it to “verify its partners,” Senges noted.
Google has struggled to keep rogue and malicious applications off its devices and its Google Play marketplace. Most recently, researchers at the security firm ESET documented 340 instances of so-called “click-jacking” mobile malware that had infiltrated Google Play, the company’s official app store, in the last seven months.
Other challenges that Google has encountered with Android: defining roles and responsibilities among different mobile ecosystem players. “Who is responsible for testing and updating devices?” Senges offered as an example on Monday.
History has shown that Android handset makers (or OEMs) are slow to roll out Android updates once they are made available by Google. The result: the bulk of Android users are often running a version of the mobile OS that is one, two, or three versions behind the latest operating system update.
Google’s decision to offer Android as an open source operating system has contributed greatly to its adoption. Today, Android accounts for 59% of the mobile and tablet OS market, way ahead of Apple’s iOS, which accounts for around 33%. It is also used to run a wide variety of devices: from mobile phones and tablets to kitchen appliances and in-car entertainment systems.
But ubiquity has come at a cost. Namely: Google’s downstream partners, including handset makers and carriers, exert tremendous control over the configuration and management of Android devices. In 2015, for example, researchers at Aalto University in Finland found that recent security improvements to Google’s “Lollipop” release of its Android mobile operating system were not being adopted by Android users. The culprit: Android original equipment manufacturers (OEMs), which relaxed Google’s strict policies around application processes running within confined SEAndroid access control domains.
Speaking on Monday, Senges said that Google wished “we had control that Apple has” over iOS. Still, he said Google was committed to keeping Android open source and felt that the advantages of an open source operating system outweighed the disadvantages of a large and unruly ecosystem. “You have to accept the downside, which is that it makes security more difficult.”
Appearing on a panel with Lee Wilson of the firm Security Innovation, moderated by Daren Andersen of the firm Cybertrust, Senges said that industrial applications and use cases were a better indicator of where the Internet of Things is heading than the fast-moving mobile device space.
“In the consumer space, we’re used to quick cycles. But I look at the durability of devices in the industrial space, where they live much longer,” he said. Companies should take their cue from those kinds of long-lived deployments in designing Internet of Things products and technologies, rather than assuming short-lived and disposable devices like mobile phones, he said.
“There’s so much diversity in the mobile space,” noted Wilson of Security Innovation. “Whereas in the industrial space, there are far fewer firms and their technology is more closely held.”
But connecting industrial devices and other critical systems to the Internet could present dire challenges to companies, he warned.
“The danger of IoT is that you have threats that can ‘brick you’ – that aren’t fixable and that you can’t scale to support these devices in the field,” he said.
That dynamic played out in the recent attacks on electric substations in Ukraine, which required engineers to travel to the affected substations and manually bring them back online.
In time, there will be more pressure on governments and industries to help set ground rules by which devices connected to the Internet of Things operate.
Low-value, low-risk endpoints may get a pass on security. But connected health devices like pacemakers or critical infrastructure will need to be governed by rules formulated by subject-matter and industry experts.
“The reality is you can’t control this,” said Senges. “There won’t be one IoT security institution.”