There are currently few economic incentives for stakeholders in an IoT ecosystem to build in compliance by design. This problem arises in part because:
- Absence of regulation: in many jurisdictions there is currently an absence of regulation imposing explicit security obligations on the relevant IoT stakeholder (for more detail, see What are the Key Legal Considerations?);
- Liability is unclear: it is often unclear who (in the absence of regulation) is liable legally for security failures in an IoT ecosystem made up of different layers and component elements contributed by a multiplicity of different stakeholders. The problem is compounded by difficult factual enquiries about what happened, and where, within an ecosystem. Liability translates into cost. If the cost is not clearly attributable to a particular stakeholder, it will not be commercially incentivised to do something to mitigate it;
- Lack of consumer understanding: in a B2C context, consumers struggle to distinguish between robust and poor security in IoT devices on sale, and may not be prioritising security over functionality in a device (particularly where it forms part of a larger product, such as a smart refrigerator). Consumers do not typically have an understanding of how their IoT devices function, their role in an IoT ecosystem, or the significance of any security vulnerabilities embedded in an ecosystem; and
- Little return on investment: IoT device manufacturers typically consider that functionality is much more important than implementing security, particularly in a B2C supply chain. They may simply see no direct return on investment for security.
The costs of poor security are often not borne by those best positioned to increase security. U.S. Department of Homeland Security, Strategic Principles for Securing the Internet of Things, version 1.0, 15 November 2016, page 13.
IoT characteristics that exacerbate technology-related vulnerabilities
Like all information technology, IoT technology is not immune from technology-related vulnerabilities. However, certain characteristics of (or relating to) IoT technology exacerbate such vulnerabilities:
- Large attack surface: each IoT device represents a potential opportunity for attack. As there already exist billions of such devices (with numbers increasing all the time), the opportunity for attack multiplies;
- Limited device functionality: IoT devices, by virtue of their compact size, limited on-board computing power and limited battery life, have little spare capacity to provide for extensive security measures. Because updating and patching to address identified security vulnerabilities may not occur (see What are the Key Operational Issues?), IoT devices may over time become more and more exposed to emerging security threats;
- End-to-end risk: IoT devices typically contain multiple, pre-existing sub-components. Such building blocks are often in effect opaque “black boxes”, with a lack of transparency in relation to security. IoT devices also depend on integration with multiple communications protocols. These factors increase the security risk. Where a vulnerability is discovered in relation to a device, that puts at risk all other like devices operating in the ecosystem (compounding the risk);
- Lack of engineered security: IoT device component manufacturers are often small, or they may be traditional consumer goods makers rather than computer software businesses, and may therefore lack the specialist engineering knowledge required to provide for holistic security in relation to a device as a whole when operating in an Internet environment;
- Device price sensitivity: as IoT device manufacturers compete on price, costly security features may be left out;
- Unexpected connectivity: end users (particularly consumers) may simply be unaware that purchased products may include IoT connectivity, or give insufficient thought to the need to change default passwords or to secure them, leaving the ecosystem exposed to security attacks via the unsecured device; and
- Multiple stakeholder participation: a number of vendors is typically involved in an IoT ecosystem. One may design a device, another may supply component software, a third may operate the network in which the device operates, a fourth may operate the device, and so on. It may not be clear who is responsible for security issues that arise, as each participant will not typically have contributed on the basis of an end-to-end specification applicable to the whole ecosystem.
Granular and macro consequences
What potentially might flow from the various vulnerabilities of IoT devices and their ecosystems? The consequences might be both granular and macro in nature.
Insecure devices pose a significant threat to internet security in general, to destruction of digital assets and network infrastructure in particular, and to the population as a whole. Alan Butler, Products Liability and the Internet of (Insecure) Things: Should Manufacturers be Liable for Damage Caused by Hacked Devices? 50 U. Mich. J. L. Reform 913 (2017), page 925
- B2B and B2C security attacks: cyber attacks can exploit vulnerabilities in: (1) IoT devices (for example, common default credentials such as username and password set by the manufacturer); or (2) the wider IoT ecosystem, in each case in order to access, damage and destroy data, damage hardware and cause physical or economic loss in relation to an individual or a business. The impact of such attacks, however, may be mostly felt by third parties (for example, by denying them connectivity through a so-called “Distributed Denial of Service” or “DDoS” attack);
- Systemic / macro-economic risk: governments are widely concerned that large-scale cyber attacks perpetuated via unsecured IoT devices will have wider impact on the economy as a whole due to the large number of devices and systems that could be affected, resulting in multiple victims across geographical boundaries. The homogeneity of many IoT deployments (often consisting of collections of identical or nearly identical devices) magnifies the potential of any single security vulnerability by the sheer number of devices all having the same characteristics; and
- Safety and security issues are merging: IoT ecosystems are increasingly being relied upon for important applications that may have safety or life-impacting implications. Many regulators who previously thought only in terms of safety are going to have to start thinking about security too. For example, cybersecurity issues are migrating from software (where security has always been an issue) to, say, vehicles (where safety has been the main focus until now). The advent of IoT devices means that regulatory policy objectives of safety and security will merge.
In 2016 an Internet service provider suffered a major DDoS attack from an IoT botnet. Large parts of the Internet went down as a result, including many well-known websites. The IoT botnet relied on malware that infected computers, instructing them to search the Internet for vulnerable IoT devices, such as digital cameras and DVR players. Once these were identified, the malware used known default usernames and passwords to log in, infecting them with the malware.
The transition from safety being a matter of pre-market inspection to a matter of monthly software upgrades will be a severe shock to the regulatory system. … Regulators need to think about the incentives within their particular market. Eireann Leverett, Richard Clayton and Ross Anderson, Standardisation and Certification of the “Internet of Things”, 22 May 2017, page 14.