New digital contract legislation in the EU and Germany has manufacturers scrambling to address a prevalent weakness in the world of Android IoT devices—the lack of regular software updates to consumers.
A lack of regular OTA (“Over The Air”) updates can leave critical security holes open. And, as shown in this proof-of-concept “hack” of a Jeep Cherokee, unpatched IoT software flaws can literally put people’s lives at risk.
emteria has always included OTA updates as part of the embedded Android and managed Android OS it provides to manufacturers. But now the matter of not regularly updating Android software has become a legal one. Failing to provide software that works, or failing to regularly update software, will mean a breach of contract for manufacturers.
The recent enactment in Germany was in accordance with the May 20, 2019, EU Directive concerning the sale of digital content and services. This includes Android IoT devices.
According to that EU Directive, the regulations must be homogeneous across Member States, with neither more nor less strict regulations being implemented. According to the German Government’s announcement, several Member States have already enacted these changes.
The regulation will be in force as of January 1, 2022. Considering the enormous challenges involved in implementing a secure and effective OTA strategy, manufacturers that use embedded Android and managed Android systems will need to move fast if they don’t already have such a strategy in place.
Manufacturers will also need to fix any major bugs that prevent the software from working as originally described.
Under the German enactment of the law, consumers will receive warranty rights similar to those previously only available in work or rental contracts. For a minimum of two years after purchase, if a digital product has a defect and the company does not resolve it, the consumer has the right to terminate the contract. They also have the right to a reduction in price.
Depending on the circumstances, the consumer might also be able to claim damages and reimbursement expenses.
For manufacturers selling tens of thousands of IoT devices, the potential costs could be astronomical.
Manufacturers tend to outsource their embedded and managed Android solutions. In such cases, OTA and FOTA (Firmware Over-The-Air) updates must be made available from business to business—the Android OS developer to the manufacturer—before they can be sent downstream to the consumer.
The new German Digital Contract legislation applies specifically in a Business-to-Consumer context. This makes it tricky for manufacturers who are dependent on an outside developer for their Android operating systems.
No doubt, manufacturers will attempt to upgrade their contracts with Android OS providers where possible to ensure that they do provide regular updates. But it is ultimately the manufacturer’s neck on the line if those updates don’t come through.
If B2B providers of Android for IoT devices have not yet implemented an effective OTA strategy, they are unlikely to do so efficiently before 2022 because of the complexities involved in building one that is stable.
OTA updates are hard enough for companies that bake their own Android at home, with many devices lagging behind in their Android versions. And the problem is worsened when you have to count on an external company to do it.
The infrastructure needed to offer a robust OTA service and secure remote device management is enormous.
The new digital contracts legislation raises the bar for consumer electronic goods. In the past, some companies have been lax in updating known vulnerabilities. But failure to actively handle software bugs moving forward means that users have the legal right to demand compensation.
What that means is that data breaches will no longer be the measuring stick for “bad software.” Bad software is now simply software that does not meet users’ expectations. Even poor UX could result in software not “meeting users’ expectations.” And that would mean a lot more updates than before.
Quoting the Federal German Government’s website, users now have a right to “fault-free performance.” That’s a hefty standard because it is commonly accepted among tech fundies that there is no such thing as bug-free software. Seamless OTA updates are imperative for manufacturers to survive moving forward.
The new law sets an expectation that when you sell an Android-driven cash register, it comes with regular updates and fixes. Failing to provide them triggers the warranty and the provider is liable to pick up the tab.
Enterprise-grade Android OS and service for devices
When we started emteria back in 2017, we understood the pain points of manufacturers who needed Android IoT devices—smart home devices, vehicle infotainment, interactive kiosks and digital signage, etc. At the time, there was no single system for Android-driven devices and each company had to cook something in-house.
It recalls the phrase that too many cooks spoil the broth.
That’s why we developed the emteria.OS based on Android, which can be modified to work on any IoT device.
Right from the start, we also built the emteria infrastructure in such a way that it would continue to deliver seamless OTA updates to multiple devices, and put the power into fleet managers’ hands to determine how those updates are rolled out.
Using a centralized Fleet Manager, fleet operators are able to determine device health and spot any flaws that might need to be patched.
Long before the new law came into effect, we built the infrastructure with OTA and Remote Device Management in mind because:
- It is the best for the consumer.
- It follows industry best practices.
The new law enforces these two points, and it signals a clear advantage to those companies, such as emteria, who already have this device management infrastructure in place.
The problem is worse for companies that have already deployed devices with bugs in them and yet have a complicated update process. If this is the case, companies should switch over to a more reliable Industrial Android OS provider as soon as possible to reduce legal risk in Germany and in Europe.