Everyone's talking about the internet of things. They talk about smart lightbulbs programmed to glow purple when it rains, and smoke detectors that do email alerts, and routers that network our houses. But there's one thing they're not talking about, and that could be a problem. No one is asking whether these devices should also be programmed to die when they get old.

It's a question posed by Dan Geer, a well-respected security researcher who also serves as chief security officer at the Central Intelligence Agency's venture firm, In-Q-Tel. Geer sees an emerging danger in the growing number of internet-connected devices whose software hasn't been updated in a while, making them vulnerable to hackers. "They have sentient opponents," he says. "Given that, an internet of things that is immortal will eventually be taken over."

This problem will only get worse as the internet of things grows. So many devices that were once unremarkable will morph into mini-computers that hackers will view as targets, things that can be misused for evil purposes. "I don't think we're at the point where we can write perfect software," Geer says.

One way to reduce the danger, Geer says, is to build devices that will eventually die. Maybe we have to: after all, all code has bugs, and in the course of time, these bugs are going to be found and then exploited by a determined attacker. As we build more and more devices like thermostats and lightbulbs and smart trashcans that are expected to last much longer than a PC or a phone, maybe we need to design them to sign off at the point where they're no longer supported with software patches. Otherwise, we're in for a security nightmare.

A Taste of Things to Come

The world got a taste of this problem earlier this year when malicious software called the Moon Worm started infecting Linksys routers around the world. Linksys issued patches for the Moon Worm, but vendors don't support their products forever. Last month, we reported on malicious software that turned a widely used security camera recorder into a bitcoin miner. That happened at around the same time that Microsoft stopped supporting its Windows XP operating system, used by hundreds of millions of computers.

Researchers have studied the way that security vulnerabilities are discovered, and what they've found is that security bugs will keep cropping up, long after most software is released. That means that the problems that Geer warns us about are not likely to go away. In fact, they'll only get worse. "You can't leave software to rot," says Jim Gettys, a developer of core parts of the Unix operating system and a member of technical staff at Alcatel-Lucent. "Yet that is what we're doing with our home routers, and most other embedded network devices now, and even more fun, from here on out, the remaining Windows XP devices."

Open Source to the Rescue

But programming our smart toasters to die isn't the only solution. Geer admits that there are gentler ways to deal with this problem. We could program embedded devices to automatically update or to at least demand a firmware upgrade every few years. Of course, this too becomes a problem if the company that made these devices no longer wants to patch them.

That's where open source comes into play. Geer believes that when a product hits its end-of-life, the company that made it should release it as open-source software, so that there's at least a chance that it can be patched and updated. That's an idea that's not likely to sit well with Microsoft, which has long ignored our advice to open-source parts of Windows.

Open-source software has been best at finding ways to remain patched over years and years, but it's not a panacea. If Microsoft dropped the Windows XP code base in open-source form, it could take years for a community to start to do anything with it (that's what happened with Netscape's Mozilla browser code), and that might not happen at all.

One thing is clear, however. Building out an internet of un-maintained things is asking for trouble. "Right now, the way we build these systems just won't work over the long haul," Gettys says.