emteria Blog | Android OS experts

EU law forces provision of security updates for Android IoT devices

Written by Ilja Aizenberg | Aug 15, 2021

New digital contract legislation in the EU and Germany has manufacturers scrambling to address a prevalent weakness in the world of Android IoT devices—the lack of regular software updates to consumers.

Skip the full article to read the January 2022 update on German law.

A lack of regular OTA (“Over The Air”) updates can leave critical security vulnerabilities open. And, as shown in this proof-of-concept “hack” of a Jeep Cherokee, unpatched IoT software flaws can literally put people’s lives at risk.

Emteria has always included OTA updates as part of its embedded Android and managed Android OS to manufacturers. But now the matter of not regularly updating Android software has become a legal one. Failing to provide software that works, or failing to regularly update software, will mean a breach of contract for manufacturers.

EU-wide legislation to force regular updates

The recent enactment in Germany was in accordance with May 20, 2019, EU Directive concerning the sale of digital content and services. This includes Android IoT devices.

According to that EU Directive, the regulations must be homogenous across Member States, with neither more nor less strict regulations being implemented. According to the German Government’s announcement, several Member States have already enacted these changes.

The regulation will be in force as of January 1, 2022. Considering the enormous challenges required in implementing a secure and effective OTA strategy, manufacturers that use embedded Android and managed Android systems will need to move fast if they don’t already have such a strategy in place.

Manufacturers will also need to fix any major bugs that prevent the software from working as originally described.

Costs involved in violating the new digital contract law

Under the German enactment of the law, consumers will receive warranty rights similar to those previously only available in work or rental contracts. For a minimum of two years after purchase, if a digital product has a defect and the company does not resolve it, the consumer has the right to terminate the contract. They also have the right to a reduction in price.

Depending on the circumstances, the consumer might also be able to claim damages and reimbursement expenses.

For manufacturers selling tens of thousands of IoT devices, the potential costs could be astronomical.

B2B Android updates are crucial

Manufacturers tend to outsource their embedded and managed Android solutions. In such cases, OTA and FOTA (Firmware Over-The-Air) updates must be made available from business to business—the Android OS developer to the manufacturer—before they can be sent downstream to the consumer.

The new Germany Digital Contract legislation applies specifically in a Business-to-Consumer context. This makes it tricky for manufacturers who are dependent on an outside developer for their Android operating systems.

No doubt, manufacturers will attempt to upgrade their contracts with Android OS providers where possible to ensure that they do provide regular updates. But it is ultimately the manufacturer’s neck on the line if those updates don’t come through.

If B2B providers of Android for IoT devices have not yet implemented an effective OTA strategy, they are unlikely to do so before 2022 due to the complexity of developing a robust strategy.

OTA updates are hard enough for companies that bake their own Android at home, with many devices lagging behind in their Android versions. The problem is worsened when you have to count on an external company to do it.

The infrastructure needed to offer a robust OTA service and secure remote device management is enormous.

Image: Manufacturers of Point of Sale terminals are obligated to guarantee regular security updates. | Source: emteria

The bar has been raised for consumers

The new digital contracts legislation raises the bar for consumer electronic goods. In the past, some companies have been lax in updating known vulnerabilities. But failure to actively handle software bugs moving forward means that users have the legal right to demand compensation.

What that means is that data breaches will no longer be the measuring stick for “bad software.” Bad Software is now simply software that does not meet users’ expectations. Even poor UX could result in software not “meeting users’ expectations.” And that would mean a lot more updates than before.

Quoting the Federal German Government’s website, users now have a right to “fault-free performance.” That’s a hefty standard because it is commonly accepted among tech fundies that there is no such thing as bug-free software. Seamless OTA updates are imperative for manufacturers to survive moving forward.

The new law sets an expectation that when you sell an Android-driven cash register, it comes included with regular updates and fixes. Failing to do so triggers the warranty and the provider is liable to pick up the tab.

On a practical, digital contract law has now been brought up to par with existing Consumer Rights laws for the purchase of goods in Germany. That means the vendor must bear the full cost of the cure of a defective item, which the consumer has a right to demand. The cure can be in the form of an effective repair (as in the case of OTA updates) or a replacement—again, updating the software would usually be the case here, unless the defect is in the hardware.

This is why it is vital to deal with a company that offers managed Android OTA and FOTA out of the box.

Enterprise-grade Android OS and service for devices

When we started emteria back in 2017, we understood the pain points of manufacturers who needed Android IoT devices—smart home devices, vehicle infotainment, interactive kiosks and digital signage, etc. At the time, there was no single system for Android-driven devices and each company had to cook something in-house.

It recalls the phrase that too many cooks spoil the broth.

That’s why we developed emteria.OS based on Android, which can be modified to work on any IoT device.

Right from the start, we built the emteria infrastructure in such a way that it would continue to deliver seamless OTA updates to multiple devices, and put the power into fleet managers’ hands to determine how those updates are rolled out.

Image: emteria’s native Fleet Manager – emteria Device Hub – offers secure device control and monitoring from a browser.

Using a centralized fleet manager, fleet operators are able to determine device health and spot any flaws that might need to be patched.

Long before the new law came into effect, we built the infrastructure with OTA and Remote Device Management in mind because:

  1. It is the best for the consumer.
  2. It follows industry best practices.

The new law enforces these two points, and it signals a clear advantage to those companies, such as emteria, who already have this device management infrastructure in place.

The problem is worse for companies that have already deployed devices with bugs in them and yet have a complicated update process. If this is the case, companies should switch over to a more reliable Industrial Android OS provider as soon as possible to reduce legal risk in Germany and in Europe.

Update 2022/01/01: Implementation of the EU directives in the German civil code (BGB)

Just in time for the start of the year, the EU laws -on digital content and on the sales of goods (2019)- will be integrated into German law and come into force. This includes a right to receive updates for goods with digital elements (e.g. “smart” fridges, smartphones, TVs, or connected watches). Furthermore, consumers will receive extensive warranty claims (up to twelve months) for digital content and services. The amendment makes sellers and equipment suppliers responsible for the functionality and IT security of the devices after the purchase process has been completed. The main motivation is better consumer protection and the aspect of sustainability.

Consumers will have more rights, but retailers and suppliers will still face questions after the law takes effect in Germany, such as how long updates must be provided. The law states customers will be entitled to receive updates during “a period of time the consumer may reasonably expect”. This should vary depending on the device and is to be regulated in the purchase contract. The Federal Ministry of Justice assumes an average of five years.

A comprehensive German summary of the changes and effects can be found at heise online.