Recent Cyberattack Highlights Vulnerabilities of the Internet of Things

On Friday, October 21, 2016, Dyn was the focus of a distributed denial of service (DDoS) attack designed to render its external domain name services unavailable. This service was used by many popular websites, such as Twitter, Spotify, and Amazon, for domain name resolution, which resulted in these websites being intermittently unavailable throughout the duration of the attack. Many of the ten million distinct IP addresses that conducted the attack were associated with hacked connected devices – the Internet of Things (“IoT”) – which includes baby monitors, webcams and security cameras connected to the internet.
 
The attack on Dyn highlights the security issues related to the IoT. For many of these connected devices, security and state-of-the-art design are not a focus of the manufacturer. Companies that design and manufacture these devices may not have designed the products with security in mind. They may not have done a risk assessment that incorporated potential data security concerns prior to the launch of the products. Nor may they be aware of state-of-the-art security for these products, including reasonable security coding practices, peer code reviews, and the use of penetration testing and other security testing before releasing a product. The FTC suggested areas such as these in its guidance to companies designing IoT products.
 
As the car-hacking lawsuits and lawsuits based on products allegedly designed with security flaws demonstrate, litigation is possible, and the scale of the cyberattack on Dyn should be a wake-up call to all companies involved in the IoT. It is not difficult to imagine a disgruntled Netflix user bringing a class action claiming that he, and all others in the same position, were damaged when they were unable to access their favorite programs for some period of time. Or the companies that are attacked may seek to recover the costs of defending against the attack from the manufacturers of the connected devices. At this time, the potential litigation that may develop out of the IoT is unknown; however, as with all developing technology, companies involved in this area can be assured that litigation will ensue as cyberattacks increase and disrupt service for businesses and consumers. Further, the recent cyberattacks based on IoT devices have already led the European Commission to prepare to propose new legislation requiring companies to protect these devices from security breaches. To manage the risks of potential litigation and be prepared for possible regulation, companies involved in the IoT, whether manufacturers, service providers, or retailers, should understand the fundamental legal issues relating to contracting, privacy, security, and state-of-the-art design so that they are prepared as future legal issues develop. A true risk assessment should also involve looking at options such as the need for insurance, whether contingent business interruption, network security liability, tech errors and omissions, or other insurance or risk mitigation strategies.

For more information on cybersecurity and the Internet of Things, contact Judy Okenfuss, Nick Merker, Stephen Reynolds, or a member of Ice Miller's Internet of Things practice.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances. 

