As governments start to contemplate legal responses to IoT security flaws, will the threat of a date with justice finally force manufacturers of connected products to smarten up their act, asks Antony Savvas?
In recent months, the IoT industry has seen a significant escalation in the threat of legal action over the supply of insecure systems. Various governments and agencies have made it clear that the status quo of lax security cannot continue – and they are taking steps to combat it.
The US Federal Trade Commission’s lawsuit earlier this year over a perceived lack of security in a range of D-Link router products, which are said to have contributed to the global Mirai distributed denial of service attack last year, is still ongoing. While D-Link strongly disputes the claim and is strenuously defending the action, further government and consumer action against weak IoT security is widely expected.
In July, the US Federal Bureau of Investigation (FBI) issued public guidance [https://www.ic3.gov/media/2017/170717.aspx] encouraging parents to report weak security in children’s toys connected to the internet, after a number of incidents that had left data relating to individual children potentially vulnerable to criminals. The FBI said that if manufacturers were found to be wanting around data security, they faced legal action from the Federal Trade Commission.
Soon after that advisory, it became clear that authorities in the UK were also closing in on poor IoT security. Chief constable Mike Barton, who leads the National Police Chiefs Council on crime operations, warned about the dangers of IoT as more ordinary household items become connected to the internet. He urged consumers to ‘do their homework’ on the security of the products they buy and to make appropriate choices around purchases and usage as a result.
And more seriously as far as financial penalties are concerned, the UK Government confirmed in August its intention to fully integrate the European Commission’s General Data Protection Regulation (GDPR) into UK law ahead of Brexit. This means that those companies responsible for managing personal data, including data being transferred over IoT systems and stored in IoT databases, face fines of up to £17m or 4 percent of global turnover for the most serious data breaches.
A busy time
It has certainly been a busy time in the UK as far as IoT compliance is concerned, as the government has also set out its security demands for smart cars and vans. The government said it “feared” would-be hackers could target vehicles to access personal data, steal cars that use keyless entry, or even take control of them for “malicious reasons” [in other words, crash them].
New government guidance demands that engineers developing smart vehicles must toughen up cyber protection and help “design out” hacking.
Back in the US, meanwhile, a bill has just been introduced in Congress that aims to block IoT devices if they can’t be patched or have their passwords easily changed – two of the most common faults in IoT security. The bill also states that federal agencies may purchase non-compliant IoT devices only if they obtain approval from the US Office of Management and Budget and put additional security measures in place.
On this last initiative, Travis Smith, principal security engineer at security vendor Tripwire, says: “This bill will help to resolve some of the known issues plaguing so many IoT devices being hacked on a daily basis.”
But, he warns: “For this bill to be successful, there need to be incentives for vendors to get their devices to a secure state. Releasing a device which is free from security bugs is time-consuming and costly. With many of these devices being a commodity, delaying the time to market or charging a higher cost may not fit their current business model.”
Legal action inevitable?
But if IoT device makers don’t act, legal action is almost inevitable from some quarter in the present political and media climate around the issue. How that action manifests itself will of course vary from country to country. As for the UK, Daniel West, an associate at insurance and risk law firm BLM, says: “Typically, security claims in relation to product liability are normally pursued due to a defect under the Consumer Protection Act 1987, or through breach of contract if the product does not meet satisfactory quality requirements.
“The court would then need to determine whether a lack of security in an IoT product would be classed as a defect or a lack of satisfactory quality in the product, and if so legal action will follow.”
However, adds West, there are also “causation issues” to consider with these types of cases. For example, if a vehicle has a locking system that is not considered sufficient to prevent a thief from stealing it, the thief is held responsible for the theft rather than the lack of security. Similarly, if damage arises as a result of an IoT device being hacked, the damage should be considered to be caused by the hacker rather than a lack of security, “limiting the potential for these claims”, says West.
Leigh-Anne Galloway, cyber security resilience lead at security solutions firm Positive Technologies, says potential reputational damage also goes hand-in-hand with the legal threats. “The threat of a lawsuit and the possibility of reputational damage could be a serious driver of security as reputation loss also means revenue loss,” she says. “The publicity and the open discussion of vulnerabilities may play a big role, too.”
Galloway continues: “For example, after the Mirai attack affected Deutsche Telekom customer routers, the telecoms company said it would be reviewing its business relationship with the supplier of its Speedport routers, Arcadyan Technology, since all three flawed models came from this vendor.”
Due diligence versus due care
If damage to one’s reputation is not enough, though, Mike Pittenger, vice president of security strategy at Black Duck Software, a specialist in open source software security for IoT systems, says security laggards risk going out of business. He says: “Businesses often talk about security due diligence. This frequently refers to an understanding of the risk posed by an action or supply chain relationship.
“Attorneys, on the other hand, discuss due care. This refers to what an entity has done to reasonably assure that no harm will come to others from their actions.” By the due care standard, he says, a reasonable company would not build and sell a car without brakes, as this would put not only the driver but also pedestrians and other drivers at risk. “A company doing this could expect to be sued to extinction,” says Pittenger, who also points to moves to take insecure IoT products out of the equation altogether.
As well as potential legal action, there is also now the threat of blocking insecure devices from the internet. Pittenger says: “In the US, senator Mark Warner has asked the FCC for guidance on how ISPs can respond while complying with the Open Internet Order, which prohibits denying non-harmful devices access to ISPs’ networks. Blocking a manufacturer’s devices [which are harmful] from networks would certainly put a damper on the company’s revenue.”
Insecure IoT devices are putting the internet, and those services that depend on a reliable communication channel, at risk. Soon, government bodies and customers will no doubt decide that enough is enough.