When coffee makers attack

The liability risk of the internet of things has become a lot clearer


It was shocking to learn that the recent distributed denial-of-service attack on the nation’s internet infrastructure via DNS provider Dyn was aided and abetted by a hijacked army of products from the internet of things. It is thought to be the first DoS attack to rely overwhelmingly on a lot of “dumb” appliances that have little processing power of their own but are connected to the internet. That’s right, the internet was crippled because our coffee makers, washing machines and refrigerators were recruited to bring it down.

It was a disturbing illustration of how the IoT is quickly opening up a whole new world of legal liability. If you make a toaster oven addressable through the internet, that oven can be hacked and possibly cause harm. Someone’s house could burn down on a remote hacker’s order, for example. Most of these products’ usernames and passwords are simply not changed from the factory defaults, which might be such obvious things as “admin” and “1234.” Hackers can use software to search the internet for devices whose usernames and passwords have not been changed. Once those devices are identified, they can be hacked.

And the manufacturer of any “thing” in the internet of things that gets hacked could be held liable. Let’s say a coffee maker was hacked and then started a fire, causing damage to the consumer’s property. The consumer could have a claim against the manufacturer of the coffee maker, regardless of who the hacker was. To guard against liability, adequate cybersecurity measures must be implemented for these devices.

The Dyn DDoS attack raises another specter: It’s not just consumers who could make a claim against a manufacturer of an IoT thing. A company whose business is damaged by a DDoS attack could potentially look to the manufacturer as bearing responsibility.

In any negligence cases involving the IoT, the overriding question will be causation: Was a lack of cybersecurity the cause of damages, and was it foreseeable that a breach of cybersecurity would cause damages to a consumer or to another company through a DoS attack? After the Dyn event, I think the answer could be yes in some circumstances.

One way manufacturers can try to avoid liability is to require consumers to change the product’s username and password before use. Many will be reluctant to do this, though, because they don’t want to negatively affect the user experience, and if a username and password are changed and the consumer cannot thereafter use the device, the consumer may become aggravated with the manufacturer. Companies want to get their things into the hands of consumers. If a consumer is forced to change a password (and, even worse, if the consumer forgets the new password and cannot use the thing), the result could be lower sales.
