IoT developers working on addressing potential cybersecurity issues

As governments begin to consider legal responses to Internet of Things (IoT) security flaws, companies are beginning to rethink how they handle cybersecurity.

By Antony Savvas, Vinelake September 17, 2017

In recent months, the Internet of Things (IoT) industry has seen a significant escalation in the threat of legal action over the supply of insecure systems. Various governments and agencies have made it clear that the status quo of lax security cannot continue—and they are taking steps to combat it.

The Federal Trade Commission’s (FTC’s) lawsuit earlier this year over alleged security failings in a range of D-Link router products, which are said to have contributed to the global Mirai distributed denial of service attack last year, is still ongoing. While D-Link strongly disputes the claim and is strenuously defending the action, further government and consumer action against weak IoT security is widely expected.

In July, the FBI issued public guidance encouraging parents to report weak security in children’s toys connected to the internet, after a number of incidents that had potentially exposed individual children’s data to criminals. The FBI said that manufacturers found wanting on data security faced legal action from the FTC.

Soon after that advisory, it became clear that authorities in the UK were also closing in on poor IoT security. Chief constable Mike Barton, who leads the National Police Chiefs Council on crime operations, warned about the dangers of IoT as more ordinary household items become connected to the internet. He urged consumers to ‘do their homework’ on the security of the products they buy and to make appropriate choices around purchases and usage as a result.

More significantly in terms of financial penalties, the UK Government confirmed in August its intention to fully integrate the European Union’s General Data Protection Regulation (GDPR) into UK law ahead of Brexit. This means that companies responsible for managing personal data, including data transferred over IoT systems and stored in IoT databases, face fines of up to £17 million or 4% of global turnover, whichever is greater, for the most serious data breaches.

A busy time

It has certainly been a busy time in the UK as far as IoT compliance is concerned, as the government also set out its demands around security for smart cars and vans. The government said it "feared" would-be hackers could target vehicles to access personal data, steal cars that use key-less entry, or even take control of them for "malicious reasons" [in other words, crash them].

New government guidance demands that engineers developing smart vehicles must toughen up cyber protection and help "design out" hacking.

Back in the US, meanwhile, a bill has been introduced in Congress that aims to bar federal agencies from buying IoT devices that can’t be patched or whose passwords can’t be changed—two of the most common IoT security faults. The bill would allow federal agencies to purchase non-compliant IoT devices only with approval from the US Office of Management and Budget (OMB), and only if they put in place additional security measures.

On this last initiative, Travis Smith, principal security engineer at security vendor Tripwire, says: "This bill will help to resolve some of the known issues plaguing so many IoT devices being hacked on a daily basis."

But, he warned, "For this bill to be successful, there need to be incentives for vendors to get their devices to a secure state. Releasing a device which is free from security bugs is time-consuming and costly. With many of these devices being a commodity, delaying the time to market or charging a higher cost may not fit their current business model."

Legal action inevitable?

If IoT device makers don’t act, legal action is almost inevitable from some quarter in the present political and media climate around the issue. How that action manifests itself will of course vary from country to country. As for the UK, Daniel West, an associate at insurance and risk law firm BLM, says: "Typically, security claims in relation to product liability are normally pursued due to a defect under the Consumer Protection Act 1987, or through breach of contract if the product does not meet satisfactory quality requirements.

"The court would then need to determine whether a lack of security in an IoT product would be classed as a defect or a lack of satisfactory quality in the product, and if so legal action will follow."

However, added West, there are also "causation issues" to consider with these types of cases. For example, if a vehicle has a locking system that is not considered sufficient to prevent a thief from stealing it, the thief is held responsible for the theft rather than the lack of security. Similarly, if damage arises as a result of an IoT device being hacked, the damage should be considered to be caused by the hacker rather than a lack of security, "limiting the potential for these claims", said West.

Leigh-Anne Galloway, cybersecurity resilience lead at security solutions firm Positive Technologies, said potential reputational damage also goes hand-in-hand with the legal threats. "The threat of a lawsuit and the possibility of reputational damage could be a serious driver of security as reputation loss also means revenue loss," she said. "The publicity and the open discussion of vulnerabilities may play a big role, too."

Galloway continued, "For example, after the Mirai attack affected Deutsche Telekom customer routers, the telecoms company said it would be reviewing its business relationship with the supplier of its Speedport routers, Arcadyan Technology, since all three flawed models came from this vendor."

Due diligence versus due care

If the threat of reputational damage is not enough, Mike Pittenger, vice president of security strategy at Black Duck Software, a specialist in open source software security for IoT systems, says security laggards risk going out of business. He said, "Businesses often talk about security due diligence. This frequently refers to an understanding of the risk posed by an action or supply chain relationship.

"Attorneys, on the other hand, discuss due care. This refers to what an entity has done to reasonably assure that no harm will come to others from their actions." He says that, under the due care standard, a reasonable company would not build and sell a car without brakes. This would put not only the driver but also pedestrians and other drivers at risk. "A company doing this could expect to be sued to extinction," said Pittenger, and he points to moves to take insecure IoT products off the network altogether.

As well as potential legal action, there is now the threat of insecure devices being blocked from the internet. Pittenger said: "In the US, Senator Mark Warner has asked the FCC for guidance on how ISPs can respond while complying with the Open Internet Order, which prohibits denying non-harmful devices access to ISPs’ networks. Blocking a manufacturer’s devices [which are harmful] from networks would certainly put a damper on the company’s revenue."

Insecure IoT devices are putting the internet, and those services that depend on a reliable communication channel, at risk. Soon, government bodies and customers will likely decide that enough is enough.

Antony Savvas is editor at Internet of Business. This article originally appeared on Internet of Business. Internet of Business is a CFE Media content partner. Edited by Chris Vavra, CFE Media, cvavra@cfemedia.com.


Original content can be found at internetofbusiness.com.