The Wired Home
Internet-connected devices, ranging from thermostats to remotely controlled security cameras and locks, promise to take our homes to an unprecedented level of comfort and convenience, but this new digital format for the home brings considerable risk. Gadgets designed for our home can talk with each other, yet they risk being overheard when communicating sensitive data. They can also be accessed and controlled by malicious hackers in ways that compromise personal safety. For example, there are shocking reports of hackers gaining access to Internet-connected baby monitors, which permitted the cyber intruders to observe the infants in their nurseries. That is but one example of a potential cyber attack that sends chills up the spine of any parent.
In 2015, the Federal Bureau of Investigation (FBI) issued a public service announcement explaining some of the key IoT risks for homes:
- An exploitation of the Universal Plug and Play protocol (UPnP) to gain access to many IoT devices. The UPnP describes the process when a device remotely connects and communicates on a network automatically without authentication. UPnP is designed to self-configure when attached to an IP address, making it vulnerable to exploitation. Cyber actors can change the configuration, and run commands on the devices, potentially enabling the devices to harvest sensitive information or conduct attacks against homes and businesses, or engage in digital eavesdropping;
- An exploitation of default passwords to send malicious and spam e-mails, or steal personally identifiable or credit card information;
- Compromising the IoT device to cause physical harm;
- Overloading the devices to render the device inoperable;
- Interfering with business transactions.
FBI, Internet of Things Poses Opportunities for Cyber Crime, Alert No. I-091015-PSA (Sept. 10, 2015).
Because of these substantial risks, the FBI recommends either securing the devices and networks with password protections or staying away from them altogether.
Given these substantial hazards, the device manufacturers are at risk—and have exposure—under traditional products liability theories, as discussed below. Imagine that a security camera or lock is hacked, permitting theft or personal injury to the inhabitants or the business. Plaintiffs' lawyers then file suit against the device manufacturer for its failure to provide reasonable cyber security for its users, or they file a class action on behalf of all purchasers of the device. Although we are not aware of litigation like this, plaintiffs' firms are advertising for individuals suffering data loss or injury from IoT home devices. Litigation can't be far away.
Volvo, the most aggressive car manufacturer when it comes autonomous vehicles, predicts that by the year 2020 it will eliminate crash-related deaths in its cars. Now it seems everyone is in the game. Uber is pushing forward with development of its self-driving Ford Fusions, and GM announced it will roll out a fleet of autonomous cars with Lyft. About the time we got used to the idea of a self-driving car, the wheels came off, literally. In May 2016, a self-driving Tesla Model S failed to recognize the side of a white tractor-trailer truck against a pale sky, resulting in a crash that killed a 40-year-old technology consultant and autonomous vehicle enthusiast. Then reports surfaced that Uber's prototype testing got off to a bumpy start with a self-driving car turning down a one-way street before its operator took over and turned the car around.
Some suggest it's time to put on the brakes, but that does not appear to be the plan because the data look so promising. According to the National Highway Traffic Safety Administration, every day in the United States, some 90 people die and 6,400 are injured in automobile accidents. Not surprisingly, 94 percent of all those accidents are caused by human error. In 2013, the Eno Center for Transportation forecast that even at just a conservative 10-percent penetration rate, autonomous vehicles would help save over 1,000 lives per year and result in comprehensive cost savings for society of almost $18 billion annually. But the group estimates that if we achieved 90 percent adoption, almost 22,000 lives would be saved yearly, and society would garner a staggering $350 billion in cost savings.
Accidents involving autonomous cars will generate a whole new set of liability theories when the fleets actually hit the road. It stands to reason that manufacturers will be assigned more liability, relative to drivers, than is the case with conventional cars. With no driver at the wheel, plaintiffs' lawyers will no doubt focus on the manufacturers of the complex software and the automobile itself. With the ever-present possibility of computer equipment failure, the car and component manufacturers will be subject to suit on theories of defective manufacture or design, including failure to warn. This shift in liability will dramatically change car liability insurance because driver fault will not be the factor it is today.
Then there is the hacking problem. In 2015, Wired reporter Andy Greenberg introduced the world to a terrifying new kind of threat: that hackers could, given the right circumstances, remotely take control of a car, specifically his 2014 Jeep Cherokee—and possibly all kinds of newer cars manufactured by Chrysler, which makes the Jeep. The problem with the IoT is that anything that connects to the Internet has an access point, and hackers—whether security researchers or criminals—will exploit it. Greenberg's Jeep, for example, was hacked by two enterprising researchers who figured out that the model had vulnerabilities in its Internet-connected dashboard computer, giving them the ability to control the air conditioning and radio, to kill the engine, and to control the steering when it was in reverse. Other reports of "white hat" hacking of cars have recently surfaced, but to date, the National Highway Traffic Safety Administration reports that no car has been maliciously hacked in the wild—only by the good guys.
Nevertheless, you can imagine the liability theories that will be asserted against manufacturers for failing to provide adequate cybersecurity for the numerous systems on their automobiles. In this regard as well, it appears the car manufacturers will bear a heavier burden than ever before because the manufacturer is ultimately responsible for the safety of the vehicle it sells. Stay tuned, because with driver fault out of the equation or at least reduced, the manufacturer will be the target and will be expected to defend allegations that a hackable car is defective and unreasonably dangerous.
In a 2012 episode of the television show Homeland, the vice president of the United States was assassinated when his pacemaker was hacked. Then in 2013, former vice president Dick Chaney announced that the wireless features of his defibrillator had been disabled due to concerns that the device could be hacked. Many scoffed in disbelief and attributed the whole issue to paranoia. Now it has come to light that thousands of medical devices, including magnetic resonance imaging scanners, heart devices, X-ray machines, and drug infusion pumps, are vulnerable to hacking, creating privacy issues and significant health and safety risks for patients. This obviously creates liability risks for manufacturers and health care facilities that use the devices to treat patients. Some systems were connected to the Internet by design, others due to configuration errors, but the problem also arises because often devices are still using the default logins and passwords supplied by manufacturers. That creates a field day for hackers with an easy way in.
The issue came to the forefront when the Food and Drug Administration (FDA) issued a safety alert raising cybersecurity concerns in July 2015 regarding a Hospira infusion pump. Noel Brinkerhoff & Steve Streahley, "FDA Issues Its First-Ever Cybersecurity Alert," allgov.com (Aug. 4, 2015). The FDA warned of the potential for remote access of the pump by an unauthorized user, which could enable tampering with the dosage, causing serious health risks. The issue came to the FDA's attention when a "white hat" hacker disclosed it had hacked into the device and reported vulnerabilities, including the ability to control the device and obtain information from it.
Another hacker recently reported using the search engine Shodan to find thousands of unprotected systems in the United States—with one large provider, exposing over 68,000 systems with direct attack vectors to the systems and third-party organizations associated with the provider. The hacker located the device (down to the floor and office number) and identified its type. He also set up and monitored a "honeypot" and documented evidence of unintentional access to those devices.
Then there is the strange ongoing dispute between heart pacemaker manufacturer St. Jude and the hedge fund Muddy Waters. Muddy Waters claimed in late August there was a "strong possibility" that almost half of St. Jude's revenue could evaporate for two years because of security problems in its implantable cardiac devices—critical for patients who suffered from various heart ailments. It claimed there were flaws in the Merlin@home monitoring device that could allow it to be attacked from up to 50 feet away and estimated there were over 200,000 such devices in the United States. St. Jude has fired back repeatedly at Muddy Waters, saying it stands behind the security and safety of its devices. Then, in September, St. Jude sued Muddy Waters in the U.S. District Court for the District of Minnesota, claiming it made up the hacking allegations as part of an "insidious scheme" to manipulate St. Jude's stock price. St. Jude has also reportedly been the subject of a lawsuit from a patient, claiming he has been advised by his doctor not to use the device.
These recent developments raise a host of red flags and have increased awareness of vulnerabilities that manufactures and users must address to reduce liability risks and protect patient safety and privacy. Some software-driven, connected medical devices may be vulnerable, and the FDA has not stepped in to specify particular cyber safety or security controls. The FDA merely warns the manufacturer it is responsible for the cybersecurity of its devices. Given the current landscape, this is an area ripe for product liability litigation, including class actions from patients and consumers who may be at risk.
Application of Traditional Products Liability Theories
It is easy to see how the move to Internet-controlled devices is a tort lawyer's dream, and it is clear the IoT may prove to be a treasure trove for products lawyers. If a hacker uses the vulnerabilities of a device to cause harm, the injured party could sue the manufacturer, alleging the device was defective due to either insufficient security controls or a failure of the manufacturer to warn of dangers it knew of with the device's configuration. Under a product defect theory, the plaintiff could either rely on the consumer expectation test (the device was more dangerous than a reasonable consumer would expect due to cyber vulnerabilities) or the reasonable manufacturer test (a reasonable manufacturer would not have sold the device with knowledge of the cyber defect). The manufacturer could rely on traditional defenses, including that it adequately warned of the cyber risks in the product literature.
The pathway for plaintiffs' lawyers became easier earlier this year when the Federal Trade Commission (FTC), the watchdog for business cybersecurity threats, sued the makers and distributors of D-Link products for failing to take reasonable steps to secure their routers and Internet protocol (IP) cameras.
D-Link claimed its routers were "easy to secure" with "advanced network security," but the FTC says the company failed to protect its routers and cameras from widely known and reasonably foreseeable risks. According to the FTC's complaint, hackers could use a special search engine to find vulnerable devices over the Internet and get their IP addresses. After that, the FTC says, it was pretty simple to gain access to people's sensitive data, including tax returns and other financial information. The complaint also says security gaps could allow hackers to watch and record people on their D-Link cameras without their knowledge, target them for theft, or record private conversations. This FTC lawsuit essentially puts manufacturers on notice that Internet-connected products without adequate built-in cybersecurity protections may be regarded as defective and unreasonably dangerous.
In the brave new world of the IoT, consumers and manufacturers must both note the risks to personal safety and privacy, and act accordingly. Rest assured that products lawyers stand ready if the risks presented by the IoT instead result in injury to the public.
Keywords: litigation, products liability, Internet of Things, cybersecurity, manufacturing defect, failure to warn