When coffee makers attack

The liability risk of the internet of things has become a lot clearer


It was shocking to learn that the recent distributed denial-of-service attack on the nation’s internet infrastructure via DNS provider Dyn was aided and abetted by a hijacked army of products from the internet of things. It is thought to be the first DoS attack to rely overwhelmingly on a large number of “dumb” appliances that have little processing power of their own but are connected to the internet. That’s right, the internet was crippled because our coffee makers, washing machines and refrigerators were recruited to bring it down.

It was a disturbing illustration of how the IoT is quickly opening up a whole new world of legal liability. If you make a toaster oven addressable through the internet, that oven can be hacked and possibly cause harm. Someone’s house could burn down on a remote hacker’s order, for example. Most of these products’ usernames and passwords are simply not changed from the factory defaults, which might be such obvious things as “admin” and “1234.” Hackers can use software to search the internet for devices whose usernames and passwords have not been changed. Once those devices are identified, they can be hacked.

And the manufacturer of any “thing” in the internet of things that gets hacked could be held liable. Let’s say a coffee maker was hacked and then started a fire, causing damage to the consumer’s property. The consumer could have a claim against the manufacturer of the coffee maker, regardless of who the hacker was. To guard against liability, adequate cybersecurity measures must be implemented for these devices.

The Dyn DDoS attack raises another specter: It’s not just consumers who could make a claim against a manufacturer of an IoT thing. A company whose business is damaged by a DDoS attack could potentially look to the manufacturer as bearing responsibility.

In any negligence case involving the IoT, the overriding question will be causation: Was a lack of cybersecurity the cause of the damages, and was it foreseeable that a breach of cybersecurity would cause damages to a consumer or to another company through a DoS attack? After the Dyn event, I think the answer could be yes in some circumstances.

One way manufacturers can try to avoid liability would be to require consumers to change the product’s username and password before use. Many will be reluctant to do this, though, because they don’t want to negatively affect the user experience, and if the username and password are changed and the consumer cannot thereafter use the device, the consumer may become aggravated at the manufacturer. Companies want to get their things into the hands of consumers. If a consumer is forced to change a password (and, even worse, if the consumer forgets the new password and cannot use the thing), the result could be lower sales.

Another possibility is federal regulatory intervention in the market, with IoT things needing to be certified as sufficiently cybersecure before they can be sold to consumers. There’s a good chance that cybersecurity is just too complex and fluid for that sort of certification, but it’s an interesting idea that can’t be easily dismissed.

Already, the Dyn attack shows that any manufacturer of devices for the IoT must properly mitigate its legal liabilities. If your product is hijacked for the next attack, the last place you want to find yourself is in a law firm’s conference room being deposed, admitting that you did not understand these issues or did not have the time to keep on top of them.

Steven Rubin is a partner with Moritt Hock & Hamroff LLP in New York, where he serves as co-chair of the firm’s cybersecurity practice group and as chair of its patent practice group. The opinions expressed in this article do not constitute legal advice.

Copyright © 2016 IDG Communications, Inc.