Software updates have become increasingly commonplace and integral to the world of personal computing. In particular, the ability to routinely update software for consumer products allows for improvements to functionality by enhancing software features and, more importantly, to security by applying fixes or “patches” to any known vulnerabilities. Just as adopting a vulnerability disclosure policy is essential for discovering and triaging vulnerabilities as they are found, “keeping software updated” is the critical next step in ensuring that consumers receive necessary updates to better secure their devices.
Keeping software updated is as important in the world of devices which make up the consumer internet of things (IoT) as it is for the traditional personal computing world, and it needs to become similarly commonplace. However, there are unique qualities to consumer IoT products that can make this process more complicated – including the kind of interface a device has and how it connects to the internet. Ensuring software will remain up-to-date throughout a consumer product’s life requires that manufacturers and vendors think through clear processes for software updates, as well as how they are communicating with consumers about updates and, importantly, about when software will no longer be supported.
Process for keeping software updated
The process for keeping consumers informed and then performing updates on their IoT devices will vary based on the product interface available. Consumer IoT devices that connect to the internet and have interactive screens can perform updates in similar ways to personal computers, with users either being notified/prompted to accept an update or having updates automatically deploy unless users change settings to require update approvals before installation. On the other hand, particularly for smaller devices that don’t have such a screen interface, manufacturers will need to adopt alternative methods for alerting users and authorizing an update. Devices which are operated via a phone or other trusted device with a screen can alternatively leverage a device app or communication via that device to manage updates and notifications to consumers about updates.
Not all updates are the same, and manufacturers should consider what role risk should play in how and when different updates are deployed. While regularly scheduled software updates may be appropriate for small fixes and updates to improve functionality, if and when a major vulnerability is discovered, manufacturers need to have a clear process in place for expediting updates and requiring that they be performed quickly to ensure consumers are kept safe.
Many consumer devices are not intended to last forever, and so in addition to having a process for updating software, manufacturers should also clearly communicate to consumers how long software will be supported and patched to address any known vulnerabilities – at least setting a minimum timeline for support that can be extended. Ideally, this length of support would be communicated to consumers upon purchase of the device – on packaging and/or unmistakably during device set-up – and be subsequently communicated well in advance of any device becoming unsupported. When device software does become unsupported, in addition to communicating about this transition and any increased risk to users, manufacturers can also advocate for switching off digital/networked features for products that will continue to function safely otherwise. Manufacturers can also consider supporting updates via a subscription-based service.
Resources and guidance:
Cybersecurity for consumer products will always be a partnership between manufacturers and users, with the latter having an important role to play in the responsible use of connected devices. However, manufacturers should have clear planning around keeping software up-to-date for consumer devices, which can be clearly reflected in a “software development lifecycle.” Several resources to support this planning for manufacturers have been developed by government agencies and standards groups in recent years. In addition, many Cybersecurity Tech Accord signatories responsible for consumer IoT products, and software development more broadly, have developed relevant guidance that is provided below.
- Government/external resources on software development lifecycle and end-of-life
  - NIST SP 800-218 Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities – National Institute of Standards and Technology (NIST)
  - The BSA Framework for Secure Software – BSA
- Tech Accord signatory guidance on software development lifecycle and end-of-life
  - App Builder User Guide, Sec. 25.2 System Development Life Cycle Methodologies to Consider – Oracle
  - Cisco Secure Development Lifecycle – Cisco
  - Get Secure: End-to-End Cybersecurity Lifecycle Frameworks – Schneider Electric
  - How we build software at Cloudflare – Cloudflare
  - Security Development Lifecycle (SDL) – Microsoft
  - The Secure Software Development Lifecycle at SAP – SAP