Uh oh, Google just stopped updating my kids’ phones

So, Google has revoked Huawei’s Android license. Huawei’s new phones won’t get any of the nice Google features like Google’s store, Gmail, and more. But also, all existing Huawei phones will stop receiving updates from Google.

What? This includes my kids’ Honor-branded phones, and as far as I know, those of a significant portion of the kids in their middle school, as Honor has been offering great-value phones for a few years, and they are popular with that population, who usually don’t get the top-of-the-line models.

I could also have titled this blog more provocatively as “Google denies basic security to their customers,” “Donald Trump throws millions of kids in hackers’ hands,” or “Evil Americans exercise extra-territorial power over people around the world.” There are plenty of opportunities here to be angry, but the problem is elsewhere.

There is a trust and liability issue here. When I buy an Android phone, I expect some service from the vendor, but I also expect some services from Google. In my professional life, I am battling to improve IoT security, making updates mandatory and secure, among other things. Until now, this was a battle against slackers and profiteers, but today, politics is getting in the way. If hackers benefit from this, who can be held liable? Is this just Huawei? Doesn’t Google share some responsibility for stopping their support? My kids have done nothing, for sure.

Most comments seem to emphasize that Google dealt a big blow to Huawei, but Google has also dealt a big blow to themselves: Huawei didn’t cut my kids’ updates, Google did. This really has some consequences for the Android model: when you buy a phone with Android, you introduce a dependency between you and both the device vendor and Google, and you will be a collateral victim if their relationship turns sour. This almost sounds like Apple; when you get an iPhone, you belong to Apple, but at least, only to Apple.

It makes me seriously rethink my dependency on Google, so it’s time to make some strong decisions. I will switch my family streaming subscription from Google Play Music to Spotify, just to make sure that my kids still enjoy music on their unsupported phones. And if this madness continues, I will move them to Huawei’s app store as well…

Is the IoT apocalypse coming, or not?

There is wide agreement that IoT is much more vulnerable to attacks than the traditional internet, and even that IoT attacks could lead to considerable damage to all kinds of assets, logical and physical. But risk is not just about vulnerability level and potential consequences. There is also intent. […]

We’re back for 2019!

It’s 2019, and it took me 2 months (including a great deal of procrastination) to fix a PHP version issue after a site migration. My hatred of PHP just grew a bit more… In early 2019, the Road to Bandol can be quite dangerous, as exemplified by the video below: Yep, that’s the Bandol […]

Time bombs, from climate to IoT security

The comparison between IoT security and climate change is getting better every single day, and I am not sure that this is good news. A few minutes ago, a tweet on climate change got my attention: This is not the new normal, just a pit stop on the way to decades and decades of deteriorating […]

The Collective Risk of IoT

One of the favorite activities of certification experts is to define security levels based on risks. Such levels allow us to put the items to be certified in well-defined boxes. Then, we can certify them according to the rules on that box/level. Until recently, life was easy, and we could define levels easily. Since 3 […]

Should we Protect Cars from Terrorists?

Some days ago, Mark Cuban published a question on LinkedIn about weaponized cars: who has developed solutions to detect/prevent such events? I live close to Nice, so I would definitely extend the question to trucks, and basically to anything heavy that moves faster than humans. Terrorists are not easy to distinguish from normal drivers before […]

Is it Reasonable to Own a Connected Car?

I have been hearing for a while that “cybersecurity is a process” and that one of the issues with executives is that they don’t understand that: most of them think that cybersecurity is a problem that should be solved by engineering. When you think about an online service’s lifecycle, it all makes sense. […]

Des contraintes naît la beauté

This quote from Leonardo da Vinci, “Beauty is born from constraints,” was chosen by Alain Colmerauer as the motto for Prolog IV, the last iteration (for now) of the Prolog language, developed by Prologia in the early 1990s. Alain Colmerauer passed away this week. I have plenty of memories about him, starting from classes with […]

Think like an attacker with a bottom-up threat analysis

A risk analysis is a great tool when planning the security of a product. This is typically done with a top-down methodology: You first define assets, then identify threats or risks on these assets, followed by attack strategies and attack objectives, countermeasures, getting finer and finer. These methodologies present many advantages, and one of the […]

Can we try to get some IoT devices right?

Last week at RSA, various crypto stars, including Ron Rivest, Adi Shamir, and Whitfield Diffie, discussed security research trends in a panel, and the conclusion seems to be that quantum computing and AI are not the real priority with the Internet of Things. The priority is, or should be, to invest in better programming. […]