Swim at your own risk: How botched IoT can sink your precious first-world life

Boo-hoo. A bungled Internet of Things (IoT) update means you can't switch your swimming pool to spa mode. Laugh all you want: When the HVAC or your home security system fails, the implications are serious.

As some of you may know, I moved to Florida from the New York metropolitan area in late 2012. One of the reasons my wife and I decided to move was because we wanted to live in a warm climate and enjoy all the things it had to offer -- including having a swimming pool and a spa.

I love my swimming pool. And I love my spa. They help me wind down after a long day. I've come to depend on them. During the winter months, when it's in the 50s (degrees Fahrenheit) outside during the evening, soaking in a 102-degree spa will fix practically anything.

Add a fresh lime margarita to that and all the problems of the world seem to melt away. I highly recommend it.

So, when I lost the ability to turn on my spa or adjust my pool temperature for four days last week, I almost lost my you know what.

The Zodiac iAqualink apocalypse

This all started when Zodiac, the pool equipment giant, sent an email on April 2 about a planned series of upgrades to its cloud service -- which controls its iAqualink devices -- that would result in three hours of downtime on April 3 during the hours of 8am to 11am EST.

It didn't sound particularly disruptive, so I didn't give it much thought. It had sent a similar email on March 27, and I had no issues.

The Jandy/Zodiac iAqualink IoT pool control device. (Image: ZDNet)

Zodiac's iAqualink is composed of a small, outdoor Wi-Fi-enabled device that interfaces with your Zodiac/Jandy pool equipment and controls the pumps, chlorinator, heaters, and lighting. The device connects to a cloud service over the internet, which allows you to use a mobile device or a web browser to remotely access those functions including altering schedules.

So, when my wife and I are out for the day, and we know we want to use the spa that evening, which has to be heated separately from the pool, we switch it on from the app, because we know that, when it is in the 70s (degrees Fahrenheit) outside, it will probably take four hours to get it nice and hot.

For about four days, we saw this message (with an additional update two days in) on the app:

(Image: ZDNet)

People could die

For four days, I could not log in to turn my spa, pool cleaning/filter cycles, or the pumps on or off.

I had to go outside, in the 90-degree heat and Florida humidity (yes, I realize I should stop complaining when the rest of you are dealing with snowstorms and frigid weather in the early spring) and operate the controls inside the main logic box installed on the side of my house, because the original remote I had for the thing when I put the pool in five years ago no longer works.

So, this is a first-world inconvenience, at best. But it could have very well been worse if this was a critical infrastructure control device, such as for IoT-enabled environmental controls in a multi-dwelling building in a city experiencing frigid cold weather.

Or in a place like Florida, during the summertime, when air conditioning is absolutely essential.

People could die, especially elderly people.

Or, it could have disabled security devices such as video-monitoring systems like cloud-enabled doorbells/sconces or garage door openers.

Regardless of the minor inconvenience to pool owners like me, this is a huge black eye for Zodiac, because this cloud service screw-up demonstrates the company has no idea what the hell it is doing regarding its technology products and services, and it doesn't know how to follow modern software development processes for IoT and the cloud.

This is all on the humans

I cannot blame this on IoT technology or even cloud technology. All this is a process fail. The cloud hosting was fine and its infrastructure provider did not go down. (It does not matter whether it uses major public providers -- like AWS, Azure, or Google -- or a private hoster.)

This is all on the humans. Zodiac just failed to do proper A/B testing, and clearly, it lacked proper internal processes to roll out changes in a manner that minimized the possibility of downtime, or to roll back the mistake quickly from an untarnished backup once it was recognized. Period. Full stop.

I am not sure about the nature of what Zodiac did and why the fix took so long, because my inquiries were not responded to other than, "We're sorry, we're working on it." In this day and age, customers deserve better.

Cupertino has nothing on Zodiac

The problem is Zodiac is something of a monopoly in the pool equipment business, and customers don't have a lot of other alternatives, and there are no third-party add-ons to control Zodiac pools. The Jandy iAqualink is it. Its main logic box is proprietary, and nobody but an authorized technician is allowed to even touch one.

If you think Apple is bad with proprietary crap, and customers having no recourse when they screw up, Cupertino has nothing on Zodiac.

I can only speculate what the scheduled maintenance was for -- perhaps to support new device versions and features, to increase scalability, to move hosting providers, to increase security, to add bugfixes, what have you.

This is a lesson to any company that develops IoT products and services for mass consumer applications: You need to get your development and processes straight.

And it is essential you hire people who are not just skilled in programming and cloud technology infrastructure, but who also understand testing methodology, configuration management, and the software development lifecycle of cloud-based systems.

In the meantime, I need to soak.

Were you affected by the Zodiac iAqualink apocalypse? Or a similar IoT cloud service screw-up? Talk Back and Let Me Know.
