The IoT – Internet of Things – is undergoing a rapid development that will continue to transform how we interact, conduct business and live our lives. The movement toward IoT’s ubiquitous application and use does not come without risk and, while some of the consequences can be easily predicted, many will not be fully understood for some time to come.
One area that will be impacted is product liability. The advent of smart devices will have far-reaching consequences for manufacturers and software developers to tech service companies, insurers and, most certainly, consumers. The U.S. Federal Trade Commission (FTC) issued a report in January 2015 that highlights and forecasts these very concerns.
The FTC report noted security concerns for consumers using IoT devices, such as enabling unauthorized access and misuse of personal identification, facilitating attacks on other systems and creating safety risks. It was noted that while these risks exist on traditional computers and computer networks, they are heightened in the IoT.
What Is the Internet of Things?
The IoT has been identified as the third wave of the Internet. Various estimates and predictions suggest that as many as five billion devices are connected to the Internet and there will be 25 billion more within five years. The revenue stream from the IoT is expected to exceed $300 billion.
The IoT enables devices to connect to the Internet via embedded sensors built into the devices. These embedded sensors send environmental and activity information to data storage centers that in turn allow analytic engines to provide feedback and control. The IoT has transformed everyday devices into smart devices connecting consumer objects and industrial equipment to the Internet, enabling information gathering and management of these devices via software to increase efficiency, enable new services, or achieve other health, safety and environmental benefits.
A 2014 Goldman Sachs report identified five key IoT areas of adaption: wearables (e.g., smart bands), connected cars, connected homes, connected cities and industrial Internet (including transportation, oil & gas and health care).
Primary Market Forces
The report identified primary market forces driving the growth of IoT, including low-cost enablers such as cheaper sensors, bandwidth and processing; smartphones and ubiquitous wireless coverage; the value proposition from revenue generation by new product cycles; and productivity and cost savings.
More than 900 exhibitors showcased IoT technologies for the home, cars, security systems and kitchen appliances at the 2015 Consumer Electronics Show.
Each day new products and services for businesses and the home are becoming IoT-connected. For the home, the primary reasons are twofold:
- With IoT connectivity, the potential for energy savings derives from using IoT products during off-peak energy periods. This application already exists in many central heating and air-conditioning applications. Other opportunities for the programmable use of appliances include washers, dryers and dishwashers in off-peak time.
- The second benefit is in the area of tech services, performing a diagnostic from a remote location and either correcting the problem remotely or dispatching the service tech who will know what the problem is in advance.
The proliferation of applications for IoT devices is raising concerns with respect to the security of these devices and the purposes for which personal data collected will be used. The use of IoT technology therefore introduces a new layer of risk for these products, which raises concerns about privacy and the potential for outside interference by individuals or groups with nefarious motives.
Could the vulnerability of IoT devices and products actually encourage such attacks against consumers? The answer is probably yes. A study released by Hewlett-Packard in 2014 found 70 percent of IoT devices are vulnerable to attack. The vulnerabilities identified in the report include password security, encryption and general lack of granular user access.
In 2014, the German government’s federal office for information security (the BSI) released details of an attack on the network of a steel plant. The perpetrators eventually gained access to the plant’s production network and other systems and took control of a blast furnace, preventing it from shutting down, which caused massive damage to the system. This was identified as the second cyber-attack to cause physical damage; the first known attack was the Stuxnet malware attack on the Natanz uranium enrichment plant in Iran.
In the consumer setting, the FTC report provides some examples of potential vulnerabilities:
- Smart televisions that store or transmit information could be exploited to compromise personal information.
- IoT devices may be used to facilitate attacks on the consumer’s network or on other systems, including denial-of-service attacks.
- The risk to physical safety was also noted. One member of the FTC group studying the problems stated he was able to hack two insulin pumps from a remote location and changed the settings to deny delivery of medicine.
- Another example was the hacking of a car’s computer system from a remote location.
The FTC report notes that the proliferation of inexpensive IoT devices may be part of the risk to consumers. IoT device makers may not be attuned to the security issues and lack the economic incentives to provide software updates and support when vulnerabilities are discovered.
In the private sector, similar concerns are being voiced. Michael Coates, director of product safety at Sharpe Security and chairman of OWASP (Open Web Application Security Project), has predicted that the lack of updates to IoT consumer devices will become an area of vulnerability for manufacturers because it will “be a very low priority for the manufacturer.” Coates also predicts “criminal organizations will run their malicious activities in the background without impacting the overall performance of the device and this will mean the customer will not notice the malware, and the security vulnerability will have no impact on the performance of the device. These kinds of vulnerabilities could result in the loss of private data that will be monitored and sold without their knowledge.”
Coates, like the FTC, forecasts effective patches as a problem: “Once it is discovered, the manufacturer will rush to issue a patch. But, how will the patch be delivered? Will consumers have to reboot their oven? Will the updated software only be available in the next release of the physical product?”
The Impact on Product Liability
There are at least three areas of vulnerability for consumers and businesses that are fairly predictable:
- First is the simple malfunction of an IoT product due to a software glitch that could result in physical damage to property or personal injury. For example, an IoT furnace control could fail during cold weather in an unoccupied home leading to frozen pipes and water damage.
- Second is an attack from an outside source. For example, a gas range in a home could be subject to a cyber-attack causing fire and property damage.
- Third, an IoT product or server is hacked and personal data is downloaded and used by the hacker. Imagine the personal data stored on your television and computer stolen and used in a denial of services attack.
These types of problems, if widespread within a product line found to be vulnerable to such malfunctions and attacks, could lead to product liability law suits and class action litigation by the affected consumers.
Liability and Consequences
In each of these hypothetical situations, one can ask: “Who will play a role in the allocation of fault and who will bear the financial consequences?”
Under the traditional principles of strict liability, fault flows up the chain of distribution from the retailer through mid-channel distributors ultimately to the manufacturer. But will the software developer for an IoT product or handheld device be brought into the equation when an IoT product causes a loss? Who will bear the responsibility if the software is vulnerable to an outside attack? These risks are often addressed between parts suppliers and manufacturers under the terms of supply agreements where a contractual duty to defend and indemnify against damages caused by a malfunctioning device is spelled out.
What role will the consumer play? Will the consumer become a target for fault apportionment if it is found that the consumer failed to update security software or used easily hacked passwords or downloaded malware from unsecure sites? What issues of privacy will develop when litigation is brought and demands are made by potentially liable third parties to examine the device used by the consumer and download its contents? What issues of privacy will arise when information downloaded from an IoT product is stolen? What issues of privacy will exist when information collected from an IoT-connected device is sold by the IoT device manufacturer to a third party?
How will the losses be investigated and will responsibility for failure of an IoT product prove more difficult to investigate and thus to establish liability? What types of experts will now be called on to play a role in the investigation?