The push for some form of liability for vendors who sell faulty or insecure software has been the subject of debate for many years with little or no clear agreement on its legality or how to enforce it. However, that may be changing as the US Federal Trade Commission (FTC) seems to be intent on taking an active role in the discussion given two announcements made at the beginning of the year.
First, the FTC announced that it is offering a cash prize of up to $25,000 in its IoT Home Inspector Challenge for the best technical solution that would address security vulnerabilities caused by out-of-date software in IoT devices. An ideal tool, they say, might be a physical device that the consumer can add to his or her home network that would check and install updates for other IoT devices on that home network, or it might be an app or cloud-based service, or a dashboard or other user interface.
Second, just one day after the announcement of the challenge, the FTC filed a complaint against D-Link Corporation and its U.S. subsidiary alleging that inadequate security measures taken by the company left its wireless routers and Internet cameras vulnerable to hackers and put U.S. consumers’ privacy at risk.
In the complaint, the FTC charged that D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras.
In a news release from the FTC, Jessica Rich, Director of the FTC’s Bureau of Consumer Protection said: “Hackers are increasingly targeting consumer routers and IP cameras -- and the consequences for consumers can include device compromise and exposure of their sensitive personal information. When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”
The complaint further referenced the FTC’s guidance issued in January of 2015 urging IoT companies to adopt best practices to address consumer privacy and security risks. It seems now the FTC is intent on pursuing vendors in the courtroom who ignore their guidance and put consumers at risk with vulnerable devices. The case will be decided by a federal district judge.
In 2017, most every market analyst, security blogger, and industry pundit predicts that serious security breaches are bound to occur given the rapid proliferation of millions of IoT devices. And, as a result of the heightened sensitivity towards security, vendors no doubt will come under much greater scrutiny for failure to keep data, devices and consumers safe.
What will be the degree of liability for vendors be in such cases? Probably little or no change in the near term, but it seems clear the discussion is about to be ramped up.
You can learn more about the many potential vulnerabilities that exist in connected devices, and more importantly, how to protect against them in the Industrial Internet Consortium’s Industrial Internet Security Framework document.