
Beating Outdated Software, the Cancer of Smart Devices

Foreword: This article was originally written for the Interdisciplinary Journal of the Environment Tvergastein, and was published in its 9th edition. Thanks to the journal’s committee for allowing me to re-post it on my blog (great for search engines), but definitely bad for the styling… Finally, I would like to thank Outi Pitkänen for motivating me to write this article, reviewing it countless times and pushing me to make it as accessible as possible!

Our society relies more and more on smart devices to ease communication and to be more efficient. Smart devices are transforming both industries and personal lives. Smart and self-organising wide-area sensor networks are now used to increase the efficiency of farms, cities, supply chains or power grids. Because they are always connected to the Internet, they can constantly and accurately monitor assets and help deliver what is required precisely when and where it is needed. The general public has also seen the transition to smart devices, with cell phones being replaced by smartphones, TVs by smart TVs and cars by semi-autonomous cars.

Smart watches are growing in popularity

This “Internet of Things” (IoT) revolution is happening at a frantic pace as companies digitalize the physical world. Gartner estimated that there were 4.9 billion smart devices deployed in 2015, with this number expected to grow to 25 billion by 2020.1 With such high numbers, IoT devices have the potential to create significant amounts of waste, which may exceed their potential to reduce resource consumption thanks to their ability to keep the state of every asset of interest up to date.

In this article, I discuss how smart devices’ software is an artificial cause that limits their lifetime. I then explain the need for an alternative model that decouples the software and the hardware, to allow the software to be changed according to its owner’s need. Finally, I explain how the Open Source movement has already solved the software’s planned obsolescence for personal computers and servers, and how this model also naturally applies to IoT devices.

How software reduces our devices’ lifetime

While a relatively old smartphone may still function perfectly as a phone, for many it is not good enough if it does not support the newest applications. For instance, in 2016, the very popular messaging application WhatsApp dropped support for iOS up to 6.1, which is the latest operating system that can be used on the iPhone 3, which was taken out of production in 2012. This has left iPhone 3 users with three choices: they must either find alternative ways to communicate with their contacts, replace it with a second-hand phone, or buy a new one. Replacing an iPhone 3 with a new iPhone 6 would lead to 80.75 kg of CO2-equivalent in emissions.2 Given that the world’s average carbon footprint per year per capita is 4.6 tons of CO2-equivalent,3 buying an iPhone 6 would represent 1.75% of the annual budget of the average world citizen.

For some, buying a new device every four years may be acceptable because the devices genuinely improve a lot. Cars, however, do not change as drastically. A lot of people only buy a new car when it is more expensive to fix their current car than to buy a new one. New cars, however, can come with internet access and a wide range of driving assistance features, such as lane or brake assist, that can take control of the car at any time, in order to keep everyone inside and outside the car safe. This ability for the software to control the car also technically means that any security issues in the car’s software can allow hackers to remotely crash the car, for example by driving it into a wall at full speed while disabling airbags, or ask for money to unlock the car (i.e. ransomware). While neither of the scenarios may have happened yet, hackers have already managed to remotely control a willing journalist’s car through the internet.4 Afterwards, they released some of their tools to help others replicate their work.5 This opens the way for the same kind of viruses found in the computer world, which can lead to hackers asking for ransoms to retrieve your files.6 For owners of hackable cars, either the manufacturer fixes the issue or the owner should consider buying another car to reduce the risks, provided that governments do not prevent such cars from being on the road, due to the safety risk. If a car is replaced by a new one, this incurs a significant environmental cost (1.5 to 7.6 times the global average carbon footprint per year per capita).7

On top of being an environmental cost, a financial risk and a safety issue, smart devices with outdated and insecure software are also a danger for our increasingly digital infrastructure. As these devices are meant to be connected at all times and usually never get automatic security updates, they make a valuable target for hackers to take control of the device and add it to virtual networks (botnets). These botnets can be used to perform illegal tasks such as disrupting the internet access of an entire country, as demonstrated in the fall 2016 incident involving the botnet Mirai.8 This botnet, constituted of smart toasters, web-enabled vibrators, and other types of smart devices, managed to bring down dozens of websites, including The New York Times, Twitter and Paypal. Manufacturers have very little incentive to make secure devices, as they view this as a cost that does not lead to more sales. Even when faced with public shaming, some of these manufacturers fail to fix the issue.9

Owners of internet-connected smart devices also have very few incentives and little interest to actually take steps in order to properly secure their devices. From a user perspective, are not the devices supposed to be smart, as the name says? Since the device is connected to the internet at all times, why doesn’t it use this connection to update itself? This automatic over-the-air update approach is the one taken by the automotive company Tesla Motors.10 Thus they do not require their customers to make expensive trips to the dealer who sold the car in order to get security fixes and new features.

Even with automated over-the-air updates of smart devices, can we realistically expect manufacturers to provide security updates throughout the lifetime of the hardware? The average age of cars on US roads in 2016 was 11.6 years, as opposed to software standards, where a decade is considered an eternity.11 For instance, Microsoft, the company behind the most widely-used operating system, announced in 2017 the end of the extended support for Windows Vista, released in 2007.12 The general support had already stopped in 2012. If even one of the most stable software companies, which produces an operating system used by hundreds of millions of people, is not willing or capable of supporting the operating system sold along with most computers bought between 2007 and 2009, should we expect a hardware company to be able to do any better?

The planned obsolescence of smart devices is indeed planned, as the software’s maintenance period is often explicitly mentioned by big companies. For instance, Google will stop updating the software of their Nexus phones two years after their introduction. Security fixes are however guaranteed for another year.13 This behaviour results in a lot of perfectly-functioning hardware waste, and the unnecessary production and transport of new smartphones, which have a non-negligible environmental impact. Using a hackable device is, however, not only a financial risk to its user, but also a threat to our communication infrastructure.

The IoT explosion is analogous to the revolution of personal computing of the 80’s when most computer hardware, operating systems, and applications were incompatible. This meant that programs had to be written for each computer and operating system. Over the years, both the hardware and software interfaces of personal computers got standardized, allowing applications to be written once and used on multiple machines and operating systems. Nowadays, old applications usually also run on newer versions of operating systems.

While applications may be executed on a wide variety of operating systems, the operating system sold with a computer may not necessarily be easily upgradable or even fully maintained during the entire length of the warranty. For instance, the user editions of Microsoft Windows 7, the de-facto standard operating system of personal computing, were sold until October 31, 2014, while its main support ended on January 13, 2015, a mere 2.5 months later. Security fixes are, however, provided for another five years.12

When the computer’s operating system becomes completely unmaintained, users are left with the following choices: buy a new computer; keep on using the current version; update to the next version; or install an alternative operating system. The first choice is the least sustainable one, as the hardware could be used for a longer time, until its processing power becomes unsatisfactory. The second choice is not a responsible one, unless the computer is not connected to the Internet, as it may be taken over by hackers. These hackers may use the computer as part of an illegal virtual network of infected computers (botnet), which can be rented to take down parts of the Internet.8 They may also encrypt the users’ files and request a ransom to decrypt them, like with the WannaCry virus from spring 2017, which infected more than 200,000 computers that had disabled or delayed Windows 7’s security updates.14

Ransomware WannaCry’s window, asking users to pay to recover their files

With the third and fourth options, updating or changing the operating system, there are no guarantees that the computer will still be able to use all the features that it was originally sold for, or that it will be able to perform as fast as it used to. The ability to update to a newer version of Windows is not guaranteed and depends on the availability of all the drivers for the newer version and the knowledge to find out which ones are needed. Most alternative operating systems already come with all the necessary drivers and will most likely work without checking what components are installed or installing any driver. That makes them a good candidate for replacing an unmaintained operating system. They also provide new versions continuously, while remaining compatible with older computers. The most popular alternative operating systems are free of charge and based on the Linux kernel, which will be introduced in the next section. One of the most popular Linux-based operating systems is Canonical’s Ubuntu, which can be downloaded for free and installed on most personal computers by following a simple tutorial,15 usually without the need to install any additional driver.

The Open Source movement shifted the paradigm

Tux, the mascot of Linux

Linux is much more than free and open source software. It revolutionized the way software is developed. Instead of following a pyramidal approach where people at the top would design the entire project and give directions to people under them, Linux’s development model is akin to a bazaar, where everyone can propose changes.16 Before talking more about this model, let’s introduce what the Linux kernel actually is, and how central it is in increasing the lifetime of our smart devices.

The kernel is a piece of software at the heart of the operating system. It exposes the ever-changing hardware to applications, through a set of standard and stable interfaces. This is what allows an application to work on multiple machines and operating systems. The Linux kernel is open source and, although originally limited to personal computers, it is now found on most computers. It powers most of the Internet’s infrastructure (websites, networking equipment, etc.), and is used in more than 80% of smartphones,17 65% of tablets,18 the majority of smart TVs,19 most cars and in-flight infotainment systems,20 and 498 out of the 500 fastest supercomputers.21

Linus Torvalds, the creator of Linux, attributes the success of Linux to its software license, the GPLv2. This licence guarantees users the following freedoms:22

  • The freedom to run the program as you wish, for any purpose (freedom 0).
  • The freedom to study how the program works, and change it so it does your computing as you wish (freedom 1). Access to the source code is a precondition for this.
  • The freedom to redistribute copies so you can help your neighbor (freedom 2).
  • The freedom to distribute copies of your modified versions to others (freedom 3). By doing this you can give the whole community a chance to benefit from your changes. Access to the source code is a precondition for this.

This licence enforced an open development model,23 which mandates anyone making changes to Linux to redistribute their changes back to the project. It created an incentive for people to collaborate, whether they come from academia, the industry or are private individuals. Nowadays, a new Linux kernel is released roughly every 3 months by Linus Torvalds. Linux 4.10, released mid-February 2017, saw the contributions of more than 1500 developers, out of whom 27% were private individuals and the rest were employed by 218 companies.24

Companies and individuals collaborate on the same Linux version for widely different reasons, making the Linux kernel very generic. The changes made by individuals or companies are accepted after people working on the project agree that the change will not cause compatibility problems with applications and/or hardware. This enables companies to optimize their products while allowing them to always update to the latest version and benefit from the other improvements made by the Linux community without having to re-do the same changes for every version.

Contributors to the Linux kernel use it themselves, and make changes according to their own or someone else’s needs. Companies like Intel, AMD, ARM or TI contribute to Linux to make it as easy as possible to use their hardware platforms, which drives their sales up. If a company does not have the knowledge to make changes, they can contract service companies such as Red Hat or Collabora to do so. Individuals or companies may also collaborate to create a “bounty” that is high enough to fund the development of a feature, using a platform such as bountysource.com.25 Individuals can directly tweak Linux to suit their needs or for fun. In some cases user communities have written software to support decades-old hardware after companies stopped supporting it, beating this planned obsolescence (e.g. writing drivers for NVIDIA’s deprecated graphics processors from 1998-2010).26

The development model of Linux is the opposite of Microsoft Windows’. No company owns or dictates the direction of the project, and instead of selling different versions every couple of years, Linux follows a gradual improvement model which is never allowed to break anyone’s computer. This is sufficient to guarantee that users never have to throw away their hardware because of software reasons, as there will always be a new update to improve the operating system’s performance, power efficiency, and security. This allows Linux-based operating systems to run on 29-year-old processors (Intel’s 80486) when the more traditional product-based approach fails to deliver security updates a decade after its introduction. This helps to reduce the computer-related waste by keeping alive computers that are fast enough for their task, while not having to compromise on security or features.

This alternative development model is not just a nice idea, it is also a very profitable business. Last year, Red Hat became the first Open Source company to generate revenue of more than two billion dollars a year, doubling their revenue in just four years.27 This model is being adopted by a lot of companies, Microsoft included,28 which can be seen in the domination of Linux in most domains.

Multiple service companies now sell their services to other companies to modify Linux in the way they need, guaranteeing that anyone with a bit of money could make sure their IoT deployment is maintained. This is different from the current model where the hardware and software is controlled by a unique company, and users have a very limited control of the level of support they will receive.

The open source development model has, however, unique challenges. In order for the development to be sustainable, contributors need to stay engaged so as to: review other people’s changes; verify that they do not have unintended side effects; and file bug reports if the bugs still managed to make it into a released version. Engagement leads to a virtuous circle, since the more used and developed a project is, the more likely it is that improvements will be made, which attracts more users and developers. Finally, the open nature of the development also brings certification issues as everyone is free to change the code. This may make this model not applicable to all software, as laws may prevent user changes.29

Beating the planned obsolescence of IoT devices

In order to increase the life expectancy of smart devices, the lack of software and security updates should never be a reason to scrap perfectly-working hardware. However, unlike personal computers, smart devices are too new to have enough hardware standardisation to expect Linux to automatically run on them. This increases the cost of maintenance of smart devices that use a modified version of Linux, or a closed-source operating system of their own.

Regardless of the technical choice, some manufacturers have shown a lot of hostility against the idea of users tinkering with and fixing their devices. Indeed, some manufacturers state that their customers merely buy a license to operate the device they bought. For example, John Deere actively prevents fixes for their tractors, forcing some US farmers to go back to their dealer for even trivial repairs.30 John Deere has been using the Digital Millennium Copyright Act (DMCA) to prevent changes to its software and will continue to do so in the future, putting farmers at the mercy of John Deere’s dealers to fix their tractors in a timely fashion. This approach of fiercely protecting intellectual property rights opposes the collaboration-based open source model and promotes the planned obsolescence of products. This sort of problem arises when hardware manufacturers also write the software for their platform.

Fortunately, some companies do release products with open source software and allow users to tinker with it. For example, Google’s laptops (Chromebooks), which are quite popular in the USA,31 use a modified version of the Linux kernel along with their web-oriented user interface (ChromeOS). Automatic feature and security updates are provided for five years.31 After this point, security-conscious users are free to switch to using any version of Linux,32 at the potential cost of losing features. This is due to laptop manufacturers not only having no interest but also being negatively incentivised to make sure their hardware works for longer than the stated time. One or multiple users could, however, rework or pay a company to add the missing features and get them accepted in Linux, thus beating the planned obsolescence of the product.

Small environment-friendly IoT companies may not have the resources to provide security updates for their products for decades. By basing their products on popular open source platforms and by making sure they are upgradable over-the-air, these companies can give the best chances for their product to be maintainable as long as people are interested in them. Indeed, such open source platforms are beginning to appear (Raspberry Pi zero W, C.H.I.P. pro, etc.), and they already have an impressive community backing them, which maximizes the chances of security bugs being fixed.

Software should not spell the end of your old smart device

The Internet of Things has the potential to make our society more efficient, offsetting the environmental and economic cost of deploying this network of smart devices. However, they are currently associated with security issues (ransomware or botnets) and, when they do get updated by their manufacturers, they still have an expiration date after which users should stop using them, if they do not want to expose themselves and others to increased risk.

Fortunately, another development model has been used for decades by the open source community. Paid and hobbyist developers collaborate on software development in order to improve it for everyone. The Open Source model, by providing system improvements, lowers product costs and increases device longevity and security. This benefits even people who do not have the skills or the experience to tweak computers.

This collaborative model creates a more environmentally sustainable and decentralized business model, while the rest of the industry is striving for greater centralization and control of the few over the many. This alternative model enables any software company to be contracted by anyone to maintain the software, or improve the software to fit the ever-changing purpose of the users of smart devices and wireless sensors. Thus the environmental and climate cost gets reduced by the increased longevity of such devices.


  1. Gartner, 2014. “Gartner Says 4.9 Billion Connected “Things” Will Be in Use in 2015”. Accessed May 31, 2017. http://www.gartner.com/newsroom/id/2905717

  2. Suckling, James, and Jacquetta Lee, 2015. “Redefining scope: the true environmental impact of smartphones?.” The International Journal of Life Cycle Assessment 20, no. 8 (2015): 1181-1196. Accessed May 31, 2017. https://link.springer.com/article/10.1007/s11367-015-0909-4

  3. The Guardian, 2012. “World carbon emissions: the league table of every country”. Accessed May 31, 2017. https://www.theguardian.com/environment/datablog/2012/jun/21/world-carbon-emissions-league-table-country

  4. Andy Greenberg, 2015. “Hackers Remotely Kill a Jeep on the Highway—With Me in It”. Accessed May 31, 2017. Wired. https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

  5. Charlie Miller and Chris Valasek, 2017. “Car Hacking: The definitive source”. Accessed May 31, 2017. http://illmatics.com/carhacking.html

  6. Keith Collins, 2017. “Inside the WannaCry ransomware cyberattack that terrorized the world—and only made $100k”. Accessed May 31, 2017. https://qz.com/985093/inside-the-digital-heist-that-terrorized-the-world-and-made-less-than-100k/

  7. Mike Berners-Lee and Duncan Clark, 2010. “What’s the carbon footprint of … a new car?”. Accessed May 31, 2017. Theguardian. https://www.theguardian.com/environment/green-living-blog/2010/sep/23/carbon-footprint-new-car

  8. Violet Blue, 2015. “That time your smart toaster broke the internet”. Engadget. Accessed May 31, 2017. https://www.engadget.com/2016/10/28/that-time-your-smart-toaster-broke-the-internet/

  9. Reuters, 2016. “China’s Xiongmai to recall up to 10,000 webcams after hack”. Reuters. Accessed May 31, 2017. http://www.reuters.com/article/us-cyber-attacks-china-idUSKCN12P1TT

  10. Alex Brisbourne, 2015. “Tesla’s Over-the-Air Fix: Best Example Yet of the Internet of Things?”. Wired. Accessed May 31, 2017. https://www.wired.com/insights/2014/02/teslas-air-fix-best-example-yet-internet-things/

  11. Reuters, 2017. “Age of vehicles on U.S. roads rises to 11.6 years: IHS Markit”. Reuters. Accessed May 31, 2017. http://www.reuters.com/article/us-usa-autos-age-idUSKBN13H1M7

  12. “Windows lifecycle fact sheet”. Accessed May 31, 2017. https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet

  13. Shaun Nichols, 2017. “What is this bullsh*t, Google? Nexus phones starved of security fixes after just three years”. The Register. Accessed May 31, 2017. https://www.theregister.co.uk/2017/05/01/google_eol_for_nexus_phones

  14. Dan Goodin, 2017. “Windows 7, not XP, was the reason last week’s WCry worm spread so widely”. Ars Technica. Accessed May 31, 2017. https://arstechnica.com/security/2017/05/windows-7-not-xp-was-the-reason-last-weeks-wcry-worm-spread-so-widely/

  15. “wikiHow to Install Ubuntu Linux”. Accessed May 31, 2017. http://www.wikihow.com/Install-Ubuntu-Linux

  16. Raymond, E. S. 1999. “The cathedral and the bazaar”. Accessed May 31, 2017. http://www.catb.org/esr/writings/cathedral-bazaar/cathedral-bazaar/

  17. James Vincent, 2017. “99.6 percent of new smartphones run Android or iOS”. Forbes. Accessed May 31, 2017. https://www.theverge.com/2017/2/16/14634656/android-ios-market-share-blackberry-2016

  18. Ewan Spence, 2016. “Apple’s Continued Domination Of A Shrinking Tablet Market”. Forbes. Accessed May 31, 2017. https://www.forbes.com/sites/ewanspence/2016/08/02/apple-ipad-pro-market-share/#161999665d1f

  19. Steven J. Vaughan-Nichols, 2015. “CES 2015: The Linux penguin in your TV”. ZDNet. Accessed May 31, 2017. http://www.zdnet.com/article/the-linux-in-your-car-movement-gains-momentum/

  20. Steven J. Vaughan-Nichols, 2016. “Linux will be the major operating system of 21st century cars”. ZDNet. Accessed May 31, 2017. http://www.zdnet.com/article/the-linux-in-your-car-movement-gains-momentum/

  21. “List Statistics | TOP500 Supercomputer Sites”. Accessed May 31, 2017. https://www.top500.org/statistics/list/

  22. “GNU – What is free software?”. Accessed May 31, 2017. https://www.gnu.org/philosophy/free-sw.en.html

  23. Chris DiBona and Sam Ockman, 1999. “Open Sources: Voices from the Open Source Revolution”. O’Reilly. Accessed May 31, 2017. http://www.oreilly.com/openbook/opensources/book/linus.html

  24. Jonathan Corbet, 2017. “Free-software concerns with Europe’s radio directive”. Linux Weekly News. Accessed May 31, 2017. https://lwn.net/Articles/713803/

  25. “Bountysource – Support for Open-Source Software”. Accessed May 31, 2017. https://www.bountysource.com/

  26. “Nouveau – CodeNames”. Accessed May 31, 2017. https://nouveau.freedesktop.org/wiki/CodeNames/#NV04

  27. Steven J. Vaughan-Nichols, 2016. “Red Hat becomes first $2b open-source company”. ZDNet. Accessed May 31, 2017. http://www.zdnet.com/article/red-hat-becomes-first-2b-open-source-company/

  28. Klint Finley, 2015. “Whoa. Microsoft Is Using Linux to Run Its Cloud”. Wired. Accessed May 31, 2017. https://www.wired.com/2015/09/microsoft-using-linux-run-cloud/

  29. Jake Edge, 2017. “Free-software concerns with Europe’s radio directive”. Linux Weekly News. Accessed May 31, 2017. https://lwn.net/Articles/722197/

  30. Kyle Wiens, 2015. “We Can’t Let John Deere Destroy the Very Idea of Ownership”. Wired. Accessed May 31, 2017. https://www.wired.com/2015/04/dmca-ownership-john-deere/

  31. “Auto Update policy”. Accessed May 31, 2017. https://support.google.com/chrome/a/answer/6220366?hl=en

  32. The Chromium Projects, 2017. “Using an Upstream Kernel on Chrome OS”. Accessed May 31, 2017. https://www.chromium.org/chromium-os/how-tos-and-troubleshooting/using-an-upstream-kernel-on-snow
