In the cybersecurity world, Internet of Things (IoT) is the current hot topic.  It is amazing how these little devices can dominate so much of the attention of the cybercriminal and cybersecurity industry.  The reasons are simple.  IoT devices are incredibly insecure and bad actors are looking for ways to manipulate these weaknesses.

We have already seen large scale attacks using IoT devices.  If you recall the Mirai botnet, the Linux botnet that has the ability to launch denial of service attacks, which was a precursor as to what is to come.  Mirai, which is Japanese for “the future”, was aptly named since this malware runs on the devices that appear to be the focus of the future.  Our homes and business are already overrun with three things.

So with all of the issues surrounding IoT devices, who is responsible when these devices fail, have vulnerabilities, or cause harm?  The answer may surprise you.  But first, some background.

Why IoT Devices are Insecure

Most IoT devices fall into one of two categories.  Either the technology is cutting edge from a startup company.  Or, the devices are made by companies that have been building similar devices for years before they were connected to the internet.

If the IoT manufacturer is a startup, they are most likely funded by venture capital or a Kickstarter type of funding.  The goal is to get the product to work as quickly as possible and deliver on the promise it brings.  Whether it is a door bell video camera, a bluetooth, lock, or any other technology the company has to get the product to work and get it to ship.  Security is not part of the equation.

If the device is made by a company with a lot of experience in their field, but are now trying to get the device to be a “smart” device, they are most likely building on older software code that existed before the internet and security was a concern.  Take the example of a smart refrigerator.  This is an appliance that never needed a computer to operate.   You plugged it in, set the desired cold and frozen settings, and completely forgot about it until you had to get a mechanical part to break.  There was no computer telling it what to do. Fast forward until now, the refrigerator gets plugged in, and you have to go through a setup wizard to tell it everything from the settings, the login credentials to your Google family calendar, the time of day you wake up, to how to alert you when milk gets low.  All of those capabilities require software code and it is the software code that causes issues.

So Who is Responsible

There is a lot of talk in the legal world about liability with IoT devices and how to hold the manufacturers accountable.  Spectators for years have seen all of the security issues around devices and have wondered why the creator are never responsible for the damages they cause.  How many computers and businesses have had issues because of faulty software made by Microsoft?  How many viruses have spread because of some zero-day vulnerability that existed in your office program?

Companies have been shut down and some have been put out of business because of these issues, yet there are never any lawsuits.  So I decided to look into why and the answer surprised me.

IoT devices, like computers and cars, are really just a collection if parts from several manufacturers.  Someone creates the processor, another company create the WiFi adapter, another one makes the memory, and another one writes the code.  The list is pretty long.  So when a vulnerability is discovered or a zero-day is manipulated, who is to blame?  In a legal sense.

If a person is assaulted, hit by a car, or falls walking into the grocery store the party that is liable is clear.  Jurors can see the preverbal man in a wheelchair sitting there in a neck brace telling his story.  The laws in the United States are written around the notion of personal harm.  If you cause personal harm to another person you are responsible.  When an IoT device has a vulnerability in it, there is no personal harm.  When a bug in software causes someone to lose all of their files, there is no person that was injured.

If you were to sue the company that designed a faulty babycam you would have to sue every other company that supplied the products that were also inside that device.  That is a legal mess and lawyers will not take those types of cases on.  Unless there is the possibility of a class action lawsuit.  Which is the case with the Jeep hack that was made famous.

There is currently a case pending against Chrysler Fiat and Harman International around the vulnerability that was discovered that allowed someone to remotely hack a Jeep Cherokee through the Bluetooth stereo.  This attack was shown all over the media and showed someone remotely taking control and crashing a Jeep outside of the control of the driver.  The led to a 1.4 million vehicle recall.

While the case is still pending in the courts, this is possibly a precedent setting case.  This case will give lawyers some insights into how judges and jury’s view these perceived threats that IoT vulnerabilities present.  If the case is successful for the prosecution, this will open the flood gates of holding IoT manufacturers responsible for the vulnerabilities that exist.

Regulations

Currently there is little regulation surrounding IoT devices.  The only real regulation that exists centers around the WiFi and Bluetooth radio signals they emit.  There is some regulation on the electrical aspects of the devices themselves, but that is really it.  There are no testing standards that exist before releasing the devices for general sale.  Plus with the internet and floods of devices being imported you really can’t control it, that market is too massive already.

Automobiles, for example, have to undergo safety testing in the US before they can be sold to the public.  But those tests focus on the mechanical and physical aspects of the car (brakes, airbag, steering, impact, etc.).  There is no test to see if the stereo or other computers in them is secure.  And with the vulnerabilities proven in the Jeep case, there are serious risks to these connected cars.

I of course am not big on regulations and government having a say in every aspect of our lives.  I am not sure that I have the answer as to how to fix these clear and present risks we face.  What I do know is that once the manufacturers are held to account for their actions, we will see an improvement in the quality of the products.  If you think about it, there is no reason why a stereo head unit should be able to reach the computer that handles the breaking or steering.  This is just bad design and thrown together in an insecure fashion with sheer disregard for safety and security.