Connectivity and Cybersecurity: More Devices Means More Risk
More and more consumer products and devices are equipped with the ability to connect to the internet, sometimes with limited forethought as to the cyber exposure, and the implications of loss of privacy and cyber security, that such connectivity creates. This is not science fiction. Referred to as the “Internet of Things,” access to the internet is no longer restricted to smart phones or computers, and instead the internet can be accessed through televisions, lights, appliances, home security systems, and even cars. Although expanded internet connectivity can place a wide assortment of of devices at our fingertips, that connectivity also creates a myriad of security issues (and the related legal issues that go along with them) when products are connected to literally billions of people all over the globe.
One of the most interesting (and frightening) reports of vulnerability comes from a Wired article published in July. Two security researchers demonstrated to a reporter that they could access a Jeep’s internal computer system. Not only did they access it, but they did so remotely – while the reporter was driving it on the highway. With no more than a laptop and internet connection, the researchers were able to obtain unauthorized access to the Jeep’s controls, turning on the air conditioner, changing the radio station, and starting the windshield wipers, all while blocking the driver’s ability to control the system. Then, they cut the transmission, leaving the Jeep stranded on the highway and the driver helpless. The Jeep's vulnerability came from its use of a Uconnect system which controls the entertainment and navigation systems and provides a wi-fi hotspot.
Reports of baby monitor hacking also have come to light in recent months. Many baby monitors now include cameras and connect to the internet so that they can be controlled and monitored through phone apps. In one instance, a parent walking by a baby’s room overheard a stranger saying “Wake up little boy. Daddy’s looking for you.” Another report described a similar incident in Washington state that involved a mother who walked into her child’s room and heard a voice say “watch this one, she’s coming again.” She also reported that her son had been saying that “the ‘telephone’ was telling him to stay in bed.” In September, Rapid 7, a security research firm, tested nine popular baby monitors with cameras, grading eight of them an F, and the other a D-minus.
In other scenarios, hackers accessed home devices not for the sake of attacking their owners, but for other nefarious purposes. In late 2013 and early 2014, for example, hackers created a botnet of more than 100,000 devices. A “botnet” is a group of computers controlled by remote hackers, typically without the owners’ knowledge. Hackers run unauthorized software on these computers, giving them the benefit of additional computing power and allowing them to cover their tracks since they do not own the computers being used for attacks. Many of the devices involved in this incident were traditional home computers, but included among them were many televisions and at least one refrigerator. This network of compromised devices was then used to send out hundreds of thousands of malicious spam emails. A compromised refrigerator in and of itself may not seem like a significant security issue. However, the botnet story is just one example of how cyber criminals are able to use the compromised device as a platform for further attacks.
What does this all mean on the legal front? Poor cybersecurity protection in connected products could create a new wave of products liability for manufacturers and retailers from loss of privacy claims. There may also be personal injury claims. One may imagine a lawsuit in which a hacked online navigation system could be blamed for a car accident. Cyber risk does not just reside in corporate databases. It is expanding into products that are sold on retailers’ shelves. Nor are consumers the only potential victims. A compromised device could enable a hacker to access a consumer’s home network. If that consumer then accesses his or her employer’s network through that system, the hacker could now access that company’s network, bypassing the company’s firewall and cybersecurity measures.
When a company laptop or tablet issued to an employee connects to a home network that is also harboring a compromised home appliance, that laptop becomes even more susceptible to intrusion. By now, most employers have recognized the need to work with and educate employees on protecting corporate data. Countless stories of lost thumb drives containing sensitive, confidential information provide cautionary tales. Employers must now recognize that things seemingly far removed from the workplace, such as a home coffee maker, present real threats and should be treated as security issues for the employer, as well as the employee. Allegations of data breaches impacting consumers’ personal information, such as those made against Sony, send out a clarion warning about the need for scrupulous protection as well as post-breach best practices. See Sony Gaming Networks and Customer Data Security Breach Litigation, 996 F. Supp. 2d 942 (S.D. Cal. 2014). Recognizing the reality of these concerns and taking precautions may help minimize the risk of liability stemming from data theft and cyber intrusion.
For more information, please contact Michael Jervis (email@example.com | 215.864.7042), Joshua Mooney (firstname.lastname@example.org | 215.864.6345), Jay Shapiro (email@example.com) or another member of our Cyber Law and Data Protection Group.