Internet of Things

The Internet of Things (IoT) is the concept of connectivity between different objects through a wireless connection. Each IoT system is a separate entity from another complete IoT system. It is made up of technologies that communicate with each other. A complete IoT system uses four components: devices, connectivity, data processing, and a user interface. This connectivity can be used in a multitude of fields. The system is used for smart traffic control, manufacturing, agriculture, and monitoring the environment. According to reports, by 2030 there will be approximately 50 billion connected devices across all technologies.

The IoT is emerging and expanding. The issues of security and safety online are widely discussed in regulation. Critics of the IoT say that it could take away human autonomy due to the increasing reliance on technology for daily tasks. IoT is reshaping business practices, automobile use, and home life. Further, IoT enables human behavior data to be collected efficiently.

Background

IoT refers to the interconnection of computing devices via the Internet, embedded in everyday objects, thus enabling them to send and receive data. This includes all sorts of devices and information centers. Technologies that rely on and communicate via an interconnection (WiFi, network data, or an ethernet cable) are a part of IoT.
Part of the IoT software is Blockchain, a digitalized, public ledger of transactions. It allows for data to be exchanged between users without use of a “middle man” as is typical with a traditional banking website or application. Instead, transactions are validated by the users themselves.

IoT gains value and influence (called “network effect”) as more people use it. Facebook and Google are two examples of this phenomenon: the product functions on a higher level as user interface grows. More connections within IoT increases the value, helps gather more information, and completes tasks more efficiently.

There are four mechanisms involved to have a fully working IoT. The first is the actual device (phone or recording system), which collects data from the environment around it. The second factor needed is a connection, such as WiFi or an ethernet cable, which enables the device to be connected to the third component: the storage space (or cloud) in which the data is then processed. Finally, there is the user interface, where the data collected goes into effect.

One of the main issues arising out of IoT is security. This includes preventing cyberattacks, which are becoming increasingly common. Moreover, IoT is expanding at a quicker rate than governance and regulation.

Injuries and Damages

The largest threat that comes from the use of IoT is cyber-attacks. The majority of attacks includes Distributed Denial of Service (DDoS). This category of attack can shut down sites for hours at a time by creating ‘internet traffic’ on a service or network. These incursions can stay in the digital world; however, some have real world implications. Injuries are broad, and can include emotional distress, identity theft, fraud and privacy concerns.

There is the potential for technology to become more autonomous, meaning that certain devices will no longer need a human to directly control them. There is a danger when technology is completing a task and is not directly controlled by a human. For example, in March of 2018, a pedestrian in Arizona was killed by a driverless Uber. There is also the potential that other items, such as an automatic tea kettle, could start a fire if there were to be a glitch. With the absence of human interference, there is the possibility for dangerous results.

Alongside that autonomy comes the threat of fraud and theft. Credit card information or a social security number could be subject to burglary as the security on the systems in which this information is given is not always secure.

Legislation and Regulation

In the United States, there is no federal IoT legislation, but there are several federal and state Acts related to cyber security and privacy.

Internet of Things Cybersecurity Improvement Act of 2019

This act was introduced to the US Senate on March 11, 2019, and requires that devices purchased by the U.S. government meet certain minimum-security requirements. It would "leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices, and for other purposes."

Specifically, the bill would:
• require the National Institute of Standards and Technology (NIST) to issue recommendations for the secure development of IoT devices
• direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the above recommendations and charge the OMB with reviewing these policies at least every five years
• have the NIST to work with cybersecurity researchers and industry experts to address vulnerabilities related to agency devises
• require contractors and vendors providing IoT devices to the U.S. government to adopt coordinated vulnerability disclosure policies
• requires that guidelines are followed on any IoT device purchased by the federal government

Federal Trade Commission

The Federal Trade Commission (FTC) does not have regulatory control over security, but can make recommendations for IoT users. The commission has made three recommendations to companies who work to develop IoT technology. They recommended increasing data security within a device, allow what content a user wishes to share through data consent, and minimize the amount of data a company needs.

Though unable to regulate privacy or security, the FTC can penalize companies that are not transparent about consumer data use. An example of this happened in 2012, when TRENDnet, a web camera company, had a flaw that did not protect a user’s private video feed. TRENDnet was penalized by the FTC.

California Consumer Privacy Act (2018) and The Security of Connected Devices Act (2020)

Both of these Californian acts will enforce new rules for IoT device makers as well as businesses holding consumer information.

The California Consumer Privacy Act allows the consumer to know what personal information a business holds. Users can see what their information is used for and whether it is being sold or shared. The Act also allows a consumer to prohibit a business from sharing or selling their information and to ask a business to delete the information.

The Security of Connected Devices Act requires legitimate security for connected devices, though there are no specifics on what is “reasonable.” The law focuses on regulations for IoT manufactures and user authentication measures.

National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law (2017)

The NAIC Insurance Data Security Model Law was developed to respond to the increased levels of data breaches among several industries. Based on the model, insurers and companies that are licensed by the department of insurance are required to create and maintain “an information security program, investigate any cybersecurity events and notify the state insurance commissioner of such events.” THE NAIC and the federal government has urged all states to adopt the model law. Currently, 8 states (AL, CT, DE, MI, MS, NH, OH and SC) have adopted the model law.

Liability and Insurance

There are two main problems that arise due to IoT technology: cyber-attacks and device malfunctions. However, there is still uncertainty about where the liability falls.

Cyber Insurance

According to Progressive, cyber insurance is protection against damages resulting from electronic threats to your computer systems or data. Cybersecurity insurance policies (also called cyber liability coverage) typically cover network and digital damage, business interruptions, cyber extortion, liability and the cost of forensic investigations, consumer notification, credit monitoring, media liability, public relations, legal defense, compensation, and regulatory fines.

Litigation

Litigation regarding IoT devices is growing. Plaintiffs sue companies for negligence, breach of contract, intrusion and public disclosure.

John Baker Orange v. Ring LLC and Amazon.com Inc.

Orange, the plaintiff, is pursuing litigation against Ring, a security device in many homes, and Amazon, the owner of Ring. Orange is suing on the basis of negligence and invasion of privacy. After installing a Ring on his garage, Orange claims that a hacker spoke to his children using the speaker system. Specifically, the lawsuit asks whether or not Ring should have required a two factor authentication system for users, and whether or not Amazon knew the susceptibility of Ring devices to hacking. The case is being heard by jury in California.

FCA US LLC, Et Al. V. Flynn, Brian, Et Al.

This is a class-action lawsuit claiming Fiat-Chrysler (FCA) knew about a cybersecurity issue in its cars but failed to fix them. It was appealed after the Illinois Seventh Circuit endorsed Jeep Cherokee drivers claim that their cars were vulnerable to hacking. The Supreme Court granted FCA’s motion to Dismiss for Lack of Jurisdiction and dismissed the case with prejudice.

The operating systems within the cars were able to be hacked from a remote location. The controls of the engine management system could be wirelessly manipulated through a security hole in FCA’s uConnect software. This is an IoT system connecting a vehicle and its internal WiFi to a public internet with a cellular connection, therefore allowing internet access on the go. However, with this failed security, hackers were able to manipulate the cars in such a way to be dangerous.

Future Outlook

By 2022, the average person is expected to own about 13 connected devices. Continuous growth of the IoT comes with a need to standardize the platforms these devices operate on, the means they store information, and the updates they receive. Increasing connectivity will lead to greater collection of data and smarter machines, but also more concerns around security and privacy. Such security and privacy concerns will almost certainly lead to more attention from legislators.

The IoT has beneficial potential for the insurance industry. According to Forbes, insurers will be able to decrease the cost of the claims process by 30% using IoT devices. IoT can also aid in loss prevention and continuous monitoring.

In the News

2024

• Hackers damaged over 600,000 routers last year that belonged to a single ISP - Alfonso Maruccia, Techspot (06/03/2024)
  Analysts at Black Lotus Labs dubbed the cyber-incident the "Pumpkin Eclipse," as it was felt across several Midwest states by the end of October last year. Between October 25 and 27, over 600,000 small office/home office (SOHO) routers were taken offline, unable to access the internet.
• Wyze camera breach let 13,000 strangers look into other people's homes - Artie Beaty, ZD Net (02/19/2024)
  If you have a Wyze security camera, you should be aware of a recent security breach – because it may have let a stranger see in your home. In a message to customers, company co-founder David Crosby explained that the issue began shortly after an outage on Friday morning, February 16.

2023

• NIST to explore further integration of privacy into Internet of Things cyber program - Jacob Livesay, Inside Cybersecurity (10/27/2023)
  The National Institute of Standards and Technology is considering how to address privacy as part of its work to secure Internet of Things devices, according to IoT cyber program leader Katerina Megas.
• Connected vehicles can be at risk of hacking, consumer awareness paramount: experts - Ritika Dubey, The Canadian Press (10/08/2023)
  Blasting the heat with a remote sensor before you even get into your vehicle on a brisk winter morning is a welcome convenience. So are the comforts of lane assistance, voice command, Bluetooth and Wi-Fi. But experts warn modern, connected vehicles, which are heavily packed with microchips and sophisticated software, can offer an open door to hackers.

2022

• EU wants to toughen cybersecurity rules for smart devices - Samuel Petrequin, The Associated Press (09/15/2022)
  The European Union’s executive arm proposed new legislation Thursday that would force manufacturers to ensure that devices connected to the internet meet cybersecurity standards, making the 27-nation bloc less vulnerable to attacks.
• Thousands of smart security cameras exposed online - Sead Fadilpašić, Tech Radar (08/23/2022)
  Thousands of security cameras(opens in new tab) are still vulnerable to an old exploit, and unless organizations move to apply the fix, they risk Russian hackers taking over their endpoints and stealing their data.
• Smart Office Buildings Can Help Sniff Out Viruses but Are Vulnerable to Hacks - Konrad Putzier, The Wall Street Journal (05/03/2022)
  The moment that Honeywell International Inc. employees enter their new headquarters in Charlotte, N.C., the smart building goes to work.
• Start-up company hired to fix McFlurry machines SUES McDonald's for $900 million after being accused of creating software that caused them to break - Alex Hammer, The Daily Mail (03/03/2022)
  

  McDonald's is being sued for nearly a billion dollars by a company hired to fix its infamously broken ice cream machines, after the burger chain nixed the startup's tech and accused them of selling flawed devices that stole customers' information.

• The Supreme Court on Thursday struck down the Biden administration's vaccine-or-testing mandate for companies with more than 100 employees. - The Associated Press, The Associated Press (01/14/2022)
  Newly unredacted documents from a state-led antitrust lawsuit against Google accuse the search giant of colluding with rival Facebook to manipulate online advertising sales. The CEOs of both companies were aware of the deal and signed off on it, the lawsuit alleges.

2020

• Federal Internet of Things Security Rules Could Provide Blueprint for Private Sector - James Rundle, The Wall Street Journal (09/30/2020)
  Legislation to set minimum cybersecurity requirements for internet-connected devices used by the federal government could end up becoming a standard for the private sector.
• T-Mobile exec explains Monday's network outage was not a DDoS attack - Cal Jeffrey, Techspot (06/17/2020)
  On Monday, social media went into a tailspin with unsubstantiated reports that the US was suffering a large scale DDoS that crippled all major cell service providers for about 10 hours. Some reports even claimed that platforms like Instagram, Facebook, and others were also under attack. As it turns out, it was only T-Mobile that was affected, and it was not a distributed denial of service attack that caused the outage.
• Millions of IoT devices at hacking risk globally: Report - IANS, Outlook India (06/17/2020)
  Security researchers have discovered serious vulnerabilities that could expose millions of Internet of Things (IoT) devices worldwide to hackers.
• Spies can now hack analogue lightbulbs to hear conversations using a telescope - Mark Blunden, Evening Standard (06/17/2020)
  Israeli researchers managed to depict a Beatles song and Trump speech in a room while stood outside on a footbridge.
• Security flaws in Ford and VW connected cars could pose risk to drivers – Which? - Jamie Harris, Yahoo News (04/08/2020)
  A pair of connected cars made by Ford and Volkswagen contain serious security flaws which could allow them to be hacked, according to Which? research.

Additional Items

Canadian and U.S. corporate networks at risk from vulnerable connected devices, says new Palo Alto Networks study
Smart teddy bears, implanted heart monitors, connected cars and other connected devices are regularly connecting to corporate networks, prompting technology managers to warn that significant action should be taken to protect them from being used to hack into businesses.