IoT devices are becoming an ever-more popular target for hackers in 2017. A security company has discovered malware that is attacking smart devices such as webcams and smart home infrastructure. Similar to the well-known MiraBotnet, which hijacks connected devices and uses them to launch DDoS attacks, the so-called BrickerBot is designed to turn the victim’s device into a useless ‘brick‘. Called Permanent Denial-of-Service (PDoS), the attacks damage the device so severely that the hardware needs to be replaced or reinstalled. The BrickerBot targets technology running on Linux/BusyBox.

Companies selling connected devices may see product liability claims arise against the backdrop of these DDoS and PDoS attacks. The risk of a ‘destroyed’ device causing additional damage becomes more realistic, for example an attack on a connected car device leading to a road accident. Case law on such scenarios is still rare but the general principles of product liability could allow for claims against the producer of the smart device – especially if it knew of a potential hacking threat and didn‘t take appropriate protective measures. Also, in Europe the EU Commission is reviewing whether existing product liability rules are appropriate for IoT and autonomous systems. This review runs in parallel to the Commission’s more general consultation on changes to the Product Liability Directive. Companies should watch this space and consider adjusting existing agreements and practices in order to minimise their liability exposure.