IoT: Where does the buck stop?
The Internet of Things concept has been around since 1982.
The phrase we have all come to know – and probably hate – is thought to have been coined in 1999 by Kevin Ashton, who was Procter & Gamble’s brand manager at the time.
Nearly 20 years later – with its name abbreviated to IoT – the idea is very much a reality. So much so that Samsung has reportedly said all of its products will be connected to the internet by 2020.
However, although the technology has rapidly improved, security practices have failed to keep pace and the fallout could leave integrators in a precarious position.
When bots attack
In October 2016, a huge distributed denial of service (DDoS) attack effectively paralysed much of the internet, thrusting into the spotlight the inherent insecurity of many IoT devices.
The botnet at the heart of the attack was called ‘Mirai’. It was particularly scary and successful because it was made up entirely of consumer-grade, internet-connected smart-home products.
Mirai works by scanning the internet for routers and other internet-connected devices protected only by generic usernames and passwords set by manufacturers. The software infects vulnerable systems and turns them into remotely controllable ‘bots’ or machines that can do an attacker’s bidding.
In October, hackers used the Mirai botnet to direct the largest volume of junk traffic known to have been used in a DDoS attack – about 600Gbps. This was aimed at the cloud-based internet performance management company Dyn. It caused critical systems to become overloaded, taking down Dyn customers such as Netflix, Spotify, Amazon and PayPal.
Scott Shackelford is an associate professor at the Indiana University Kelley School of Business, where he teaches cyber security law and policy. Scott also serves in major institutions devoted to cyber security and research.
“There seems to be a sense of ‘cyber fatigue’ that’s setting in for a lot of folks,” he says.
“Many have heard about the vulnerabilities surrounding IoT devices, but I don’t know if the average Joe understands the problem or, frankly, cares.
“And they probably won’t until we start to see some real damage being done, like self-driving cars crashing and people getting hurt.”
Scott points to a recent case in the United States where a particular type of cardiac implant was susceptible to malware. Hundreds of recipients needed to undergo another operation to remedy the situation.
“It’s this type of event that will change the public mindset about the importance of IoT security.”
Are you legally liable?
The IoT represents a big shift in the way society works, but attacks like Mirai have raised a lot of serious questions about its viability, at least in the short term.
Consumers have been made aware that breached devices could give attackers access to other devices on home networks, computers and phones.
As a result, attention has turned to the crucial question of liability. If you install IoT devices and they are breached, are you legally liable for loss of data?
Hamish Fraser, a partner at Bird & Bird, is one of Australia’s leading information, communications and technology lawyers.
“It’s fascinating because a lot of small companies don’t really know what they’re getting into when it comes to product liability,” he says.
“Those that do are often nervous about what they’re exposing themselves to.
“When you buy an IoT device made in China, say, how do you know that privacy and security measures are built in by design, as an afterthought – or with any thought at all?
“There’s no easy answer to the question of liability because there are so many variables in play. The short answer is ‘it depends’.”
The relevant questions for installers include:
• What do they represent to clients?
• What do they say is being installed?
• Do they promise a 100% secure system, or do they make it clear that is not the case?
• Do they even know?
Hamish says installers could be in trouble if they promise the best secure product on the market then substitute a cheaper version of questionable quality.
“Similarly, if an integrator installs a really good product but leaves the password as ‘1234’ or ‘admin’, then they might have a problem here too.”
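The two weaknesses this article singles out, factory-default credentials that Mirai scans for and an installer leaving a password as ‘1234’ or ‘admin’, are both things an integrator can audit in their own installed-device records before handover. The following script is an added example, not code from the article or from either person quoted; the device inventory, the vendor/model names and the default-credential table are all constructed for illustration, and a real audit would populate the table from each vendor's documentation for the products actually installed.

```python
"""Audit an integrator's installed-device inventory for the weaknesses
described in the article: factory-default or trivial credentials, and
management interfaces reachable from the internet.

Added example. Every vendor, model, site and credential below is constructed.
"""

from dataclasses import dataclass

# Constructed table of factory-default logins per (vendor, model).
# In practice this is filled from the vendor's documentation for each product.
KNOWN_DEFAULTS = {
    ("acme", "cam-100"): {("admin", "admin"), ("root", "1234")},
    ("acme", "dvr-200"): {("admin", "")},
    ("globex", "router-x"): {("admin", "password")},
}

# Passwords an installer is likely to type out of habit; constructed list.
TRIVIAL_PASSWORDS = {"", "1234", "12345", "123456", "admin", "password"}


@dataclass
class Device:
    site: str
    vendor: str
    model: str
    username: str
    password: str
    wan_management: bool  # True if the management port is reachable from the internet


@dataclass
class Finding:
    site: str
    device: str
    issue: str
    severity: str


def audit_device(dev):
    """Return the list of findings for one installed device."""
    findings = []
    label = f"{dev.vendor}/{dev.model}"
    defaults = KNOWN_DEFAULTS.get((dev.vendor.lower(), dev.model.lower()), set())

    # Credential checks: an exact factory default is worse than merely a weak one.
    credential_problem = False
    if (dev.username, dev.password) in defaults:
        findings.append(Finding(dev.site, label, "factory-default credentials still set", "critical"))
        credential_problem = True
    elif dev.password in TRIVIAL_PASSWORDS or len(dev.password) < 8:
        findings.append(Finding(dev.site, label, "trivial or short password", "high"))
        credential_problem = True

    # Exposure check: weak credentials plus internet-reachable management is
    # exactly the combination a scanning botnet looks for, so escalate it.
    if dev.wan_management:
        severity = "critical" if credential_problem else "medium"
        findings.append(Finding(dev.site, label, "management interface exposed to the internet", severity))

    return findings


def audit_inventory(devices):
    """Audit every device and return all findings in inventory order."""
    return [finding for dev in devices for finding in audit_device(dev)]


def summarise(findings):
    """Count findings by severity, e.g. {'critical': 3, 'high': 1}."""
    counts = {}
    for finding in findings:
        counts[finding.severity] = counts.get(finding.severity, 0) + 1
    return counts


def format_report(findings):
    """Render findings as one line each, suitable for a handover document."""
    return [f"[{f.severity.upper():8}] {f.site}: {f.device}: {f.issue}" for f in findings]


# Constructed sample inventory: what an integrator's records might look like.
SAMPLE_INVENTORY = [
    Device("Site A", "Acme", "CAM-100", "admin", "admin", True),            # default creds, on the internet
    Device("Site A", "Acme", "DVR-200", "admin", "", False),                # default creds, internal only
    Device("Site B", "Globex", "Router-X", "installer", "1234", False),     # installer-chosen trivial password
    Device("Site B", "Globex", "Router-X", "installer", "Tq7!vmLp29xz", False),  # clean
    Device("Site C", "Acme", "CAM-100", "ops", "Gh3#kLm9pQ2r", True),       # strong password but WAN-exposed
]

if __name__ == "__main__":
    results = audit_inventory(SAMPLE_INVENTORY)
    for line in format_report(results):
        print(line)
    print(summarise(results))
```

Run against the sample inventory the script reports five findings: two for the first camera (default credentials, and internet exposure escalated to critical because of them), one each for the DVR and the first router, and a medium-severity exposure note for the last camera, whose password is fine but whose management port should not be reachable from outside. Keeping the output of such a check with the handover paperwork is the kind of written record the article's lawyers say is needed to show what was actually installed.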
Scott says a lawsuit involving IoT devices is inevitable.
“To my knowledge there hasn’t been any major litigation with IoT technology at the centre of the proceedings, but peripherally it’s all over the place.
“It’s unquestionably an area that’s going to be litigated more and more, and I think we’ll see a lot of lawyers cashing in. So much so, that we may see a push for liability and tort reform. We’re not there yet, but that’s going to change pretty quickly.”
To minimise the risk of litigation, Scott says, integrators should follow the ‘three Bs’ – be aware, be organised and be proactive.
“So many companies are reactive to cyber security, but after a major breach occurs it’s too late to do anything.
“If you follow the ‘three Bs’ you’ll get a better handle on the problem.”
Give the facts
Hamish says it comes down to discussions with the client.
“If you promise the earth and don’t deliver, you have a problem.
“However, you’re in a better position if you tell your client that although a product is the best on the market there’s no guarantee that it’s secure.”
Although this advice doesn’t have to be in writing, it’s very difficult to establish later if it is not.
“From an evidentiary perspective, the written word is the only way to really prove anything.
“However, things in writing can come back to haunt you. Advertising, contracts and written statements can all establish your claimed specifications for the installation. These days it’s very hard in Australia to rely on an asterisk and fine print.”
Scott says that avoiding the IoT would be an over-reaction.
“It’s simply a matter of risk mitigation. There’s not going to be a technological silver bullet that solves all the problems. But by leveraging the tools I mentioned, we can make things more manageable.”
So, are integrators liable?
“There are as many answers to that question as there are products,” Hamish says.
“But they certainly can be. They just need to learn how to minimise the risk.”