IoT liability: Legal issues abound
IoT liability: Legal issues abound

The fact that U.S. intelligence agencies have the ability to use connected devices as spy tools may or may not be surprising, depending on one's level of cynicism. But the fact that these household items can be easily hacked, even without advanced tools, places consumers in the unenviable position of not knowing the cyber protection level of their smart products – nor who is responsible if and when something negative happens.

The mountain of evidence available proving Internet of Things (IoT) devices are not only vulnerable, but being regularly hacked might be tall enough to scare off the most intrepid mountain climber. Between the March WikiLeaks reveal that the CIA used everyday-connected devices to gather intelligence, to the Mirai attacks in 2016 that recruited webcams into a botnet army that helped knock parts of the internet offline, the problem is serious and growing.

There are 6.4 billion IoT devices in use right now with this figure expected to hit 20 billion by 2020, according to the most recent numbers from Gartner. These gadgets can be found populating every product category – from cars to washing machines to light bulbs. But despite the huge numbers and omnipresence, testing for cybersecurity is still in its early stages.

In fact, there are few guidelines in place for vendors to use to either test their own products against an industry standard or to inform consumers that a product is cyber safe.

One of the world's most well-known product testers, Underwriters Laboratories (UL), is attempting to fill this gap by delivering cybersecurity validation for IoT devices through its Cybersecurity Assurance Program (CAP). The initiative is designed to help vendors minimize cybersecurity risks by assessing software vulnerabilities and weaknesses, minimizing exploitation, addressing known malware, reviewing security controls and increasing security awareness. Not to mention, help consumers who are looking to purchase secure products.

“The U.S. Department of Homeland Security and the White House reached out to UL to develop voluntary requirements,” Ken Modeste, UL's cybersecurity technical lead, says. "We began working with them to develop core requirements. We also worked with ICS-CERT at Idaho National Labs and obtained input from federal agencies, industry and academia to help ensure all existing guidelines and standards were included in our program, which officially launched April 5, 2016."

The organization is covering a wide range of products, such as industrial control systems, medical devices, automotive, HVAC, lighting, smart home, appliances, alarm systems, fire systems, building automation, smart meters, network equipment and consumer electronics.

Currently, the UL program is testing products submitted by the manufacturers, a model the product testing organization believes is a good option as it gives the vendors the ability to prove the safety of their devices and software.

“UL believes that public and private partnerships will enable a better framework to meet the safety and security concerns of devices and systems,” Modeste says. "Vendors who have a need to demonstrate that their products meet a foundational level of security specifications that this program addresses are encouraged to contact us for support."

Considering the litigious nature of society today, it may prove invaluable to have a UL label on a product in case the manufacturer finds itself embroiled in a court battle over whether or not its device was the reason for harm, loss or damage that befalls a customer.

Amy Mushawar, counsel and chief information security officer for the law firm ZwillGen, notes that the case law regarding this type of legal action is still thin. Few cases have been filed, she says, but this is likely to change.

“Even though the tech is new or newish, that is not a get-out-of-jail-free card when it comes to liability,” Mushawar says, “When there is a case for harm we will start seeing cases appear.”

However, there are a great many regulations on the books by which manufacturers must abide. In most cases, these come from an industry's specific federal regulatory agency, like the Federal Trade Commission or the Securities and Exchange Commission.

Another area where liability issues are likely starting to pop up is when the connected or smart device is embedded in something larger and not considered a connected device, like a house or a used car. A recent survey by the National Association of Realtors (NAR) found that few potential homebuyers, 15 percent, are not asking about smart home technology. In addition, realtors are also in the dark when it comes to understanding smart technology and how it could impact a home sale.

This lack of interest, however, is what is creating the problem. These folks are most likely unaware that the home they are considering may contain all types of smart technology. Some are easy to spot, like security cameras; some not so much, like light bulbs or smart switches and door locks.

Because there are currently no disclosure regulations on the books that realtors must abide by, the National Association of Realtors (NAR) is attempting to raise the level of awareness on its own, says Chad Curry, the organization's managing director of technology.

“Each state realtor association is now looking at how to include these devices in disclosure reports and we are working with the states on how to do this,” he says, adding that this includes simple tasks like resetting a smart device on sale of a home.

This could prove important, because when it comes to homes and used cars there is no process or set of standards in place that require the devices to be wiped or reset, says Charles Henderson, IBM's global head of X-Force Red. If this is not done, he says, the previous owners may still have control over everything from a house's smart door lock to the HVAC sytem.

Henderson first came to this realization when he traded in a car and soon realized the app associated with his old vehicle gave him “digital ownership” of the car. This meant he still could control the door locks, remote start and geolocation, the remote features typically enabled on connected car apps.

“We need a unified revocation process,” Henderson says, adding that it should not be difficult for vendors to get together to put such a system in place. “Vendors work together all the time when it comes to interoperability, so why not for security measures?”

The NAR is also working on this. It is in the process of developing an app capable of creating a smart home checklist for each house on the market. Curry says the realtor and homeowner will go through the house and input each smart device installed. The app will then go out and either find the reset information or a contact where that information can be found.

While industry-specific efforts to create some type of cybersecurity framework is helpful, stronger guidelines will be needed.

“Creation of a standard and assessment program can provide confidence to manufacturers on the security of their systems and peace of mind to consumers” Modeste says.

UL has developed a specific cybersecurity standard called UL 2900 and its own team of white hat employees for hacking. The standard evaluates products on:

• Fuzz testing of products to identify zero-day vulnerabilities over all interfaces;

• Evaluation of known vulnerabilities on products that have not been patched;

• Identification of known malware on products;

• Static source code analysis for software weaknesses;

• Static binary analysis for software weaknesses.

Since the program started in April, UL has found a few general findings and common security issues with the products it has inspected, the most worrisome being that all interconnected devices are vulnerable to one degree or another with those systems that impact large populations more at risk for being hacked.

The Consumer Technology Association (CTA), an industry organization representing almost every computer and consumer electronic product manufacturer in the world, is also taking a grassroots approach when it comes to cybersecurity.

Brian Markwalter, the CTA's senior VP of research and standards, says his organization considers cybersecurity one of the top issues facing its membership and consumers.

For vendors, the CTA is working with companies that install smart products into homes informing them of security issues, and the organization has created a standards team that has come up with recommended practices.

For consumers, the CTA has pushed out on radio several public service announcements in select regions around the country that cover basic cybersecurity steps that everyone should follow.

Educating the public may also play a role in deciding liability if and when a product causes an issue. ZwilGen's Mushawar says one way a company may be able to avoid blame is by appropriately publicizing when firmware and software updates are made available and encouraging the product owners to install the patches.

Such messaging, whether done through email or another venue, is really the only way most companies – which cannot push automatic updates – can let people know what is being done to keep their products safe.