A “wave of litigation over IoT liability is on the horizon,” according to an attorney who has represented plaintiffs in the 2015 Jeep hack.
LAS VEGAS – The troves of insecure Internet of Things (IoT) devices have not yet led to widespread legal implications. But that’s set to change, a well-known attorney warned at Black Hat USA last week.
Ijay Palansky, partner at the law firm Armstrong Teasdale, said at the conference last week that IoT-related security issues have been challenging from a lawsuit perspective; despite high-profile headlines, there haven’t been that many IoT hacks, and there’s a lack of understanding of the technology and how the law applies to it, said Palansky.
However, he said that this is on the verge of changing.
Palansky said that the IoT market is set to explode – particularly in the smart-home market, with consumer IoT spending set to reach $62 billion in 2018, making it the fourth-largest industry segment, according to market research firm IDC. Many of these devices are built with little to no security in mind: “Everyone’s been trying to get the latest and greatest device out – but haven’t been accurately valuing defense, and underinvesting in it,” said Palansky. “So the product won’t reach the right level of cybersecurity.”
IoT security reached its first big breaking point in 2016 during the Mirai botnet attack, which was orchestrated as a distributed denial of service (DDoS) attack through 300,000 vulnerable connected devices, like webcams, routers and video recorders. The DDoS attack brought down the DNS giant Dyn, along with a number of large web services, like CNN, the Guardian, Netflix, Reddit, Twitter and many others.
However, there are several other threats that insecure IoT devices pose beyond DDoS attacks, stressed Palansky – from privacy issues in connected consumer devices all the way up to dangerous industrial IoT system hacks.
Even the 2016 DDoS attack, which led to an outcry for more regulations around IoT security, has ultimately not yet led to any widespread changes: “Statutes and regulations are an important piece of the puzzle for IoT security – but it’s going to be hard,” stressed Palansky.
Many experts in the legal space are not pursuing IoT security issues due to an array of challenges, said Palansky.
He added that he represented plaintiffs and class members who alleged in a 2015 Jeep hacking class-action lawsuit that the 3G “infotainment” center in those cars were vulnerable to hacking. Security researchers Charlie Miller and Chris Valasek were able to demonstrate how they were wirelessly able to hack into a Jeep Cherokee – taking control of the entertainment system, windshield wipers, and accelerator. A year later, they were able to find yet more flaws.
However, the Jeep hack is one of the few IoT-related attacks that has garnered legal attention. Another 2012 incident involved the hack of TrendNet Webcams, where hackers posted live feeds from 700 webcams in 2012. In 2013, the FTC reached a settlement with TrendNet – disallowing the company to misrepresent its software as “secure” and requiring it to get an independent assessment of its security programs once a year for 20 years.
Beyond these incidents, there’s really no precedence in legal implications for insecure IoT devices that are attacked and how security is enforced, said Palansky.
Another issue revolves around the interconnectedness of the supply ecosystem behind IoT systems, he said. IoT is difficult because partnerships are not only necessary, but required, for everything from connected cars to smart thermostats.
Beyond the technology security liability is complex even at a business-model level – an IoT implementation can involve different manufacturers, as well as OEMs or commercial buyers, plus of course end users.
“The ecosystem on the supply side is so interconnected that it creates risks and a lack of responsibility,” said Palansky. “Vendors will end up pointing fingers at each other when it comes to security.”
And on the other side of the coin, security experts working on IoT products should be “guided by an understanding of liability risk,” he said.
Despite these challenges, a “wave of litigation over IoT liability is on the horizon,” said Palansky – and this could be dire for IoT manufacturers who aren’t properly prepared.
There are varying ways that insecure IoT systems and devices could be impacted: “IoT products have certain characteristics – they have a wide variety of code that is often proprietary and makes detection and patching of code more difficult,” he said. “There are so many devices and configurations and many ways these products can cause harm.”
For instance, possible claims against IoT devices include strict product liability (in the case of a design defect) or negligence. The damages, which vary by legal claim, include compensation for anyone injured by the product (including bystanders), property damage, cost of repair or diminished value of the product.
Moving forward, Palansky stressed that for IoT manufacturers and those involved in IoT product design and engineering, decisions about the right level of security should be informed by considerations of potential liability.
“Companies need to be paranoid and allocate risk,” he said. “There needs to be a clear process involving hazard identification, design response, risk assessment and testing… that goes a long way to minimizing liability risk.”