IoT increases cyber and legal risk, say experts

Organisations embracing the internet of things must be aware of the information security and legal liability risks, experts warn

Although the internet of things (IoT) has many potential benefits, it also increases information security and legal liability risk, experts have told a seminar at legal firm Osborne Clarke in London.

“The attack surface is exploding from an information security point of view,” said Andrzej Kawalec, head of security research and chief technology officer at HPE Security Services.

“Security vulnerabilities are increasing exponentially as our lives are filled with these aware, sensing, reacting devices, that are naturally riskier,” he added.

As a technology organisation, Hewlett Packard Enterprise believes every new piece of technology is inherently less secure than what has gone before because of its maturity and adoption, said Kawalec.

“The form factor is typically much smaller, which makes it increasingly difficult to build security into these devices,” he said.

Desktop and laptop computers, for example, are more secure than smartphones, with 35% of normal applications exhibiting significant security flaws, compared with 76% of mobile apps.  

“That is because of the physical hardware they sit on, the development cycles and how they are used,” he said. “But the attack surface literally explodes with things like smart, connected light bulbs.”

This is compounded by the fact that many companies producing IoT devices and services are being driven to do it to remain competitive, but they do not necessarily have the skills, capacity or understanding to ensure that security is built in, said Kawalec.

“Many are relying on commonly produced components that have really low security capabilities within them, with the result that we have smart light bulbs that talk to mobile apps, but with very little security built in,” he said.

Composite systems

Kawalec pointed out that there is no way to predict the ways in which individuals and organisations will connect easily-available and cheap, but security-light, components together into composite systems that use a wide variety of publicly available data.

Any one of the multiple points of entry could give attackers access to aggregated or compound services and all the data within those services, he said.

This gives rise to security concerns, particularly as such services will soon be a reality, with applications and services talking to each other and potentially sharing personal information without the owner of that data necessarily being aware or involved, said Kawalec.

“While exhibiting the same characteristics of any cloud-based mobile application, those aggregated applications and services will be operating much faster, at greater volume, and with fewer human interactions,” he added.

This combination will take security above and beyond everything that has gone before, he said, particularly as it will all be operating in a semi-autonomous environment.

“The ability of IoT devices to sense, connect and react, their inability to carry complex circuitry or be upgraded, and their ability to create a physical attack vector such as disable the brakes on a vehicle also mean that we have to change the way we think about internet or cyber security,” said Kawalec.

“Developers of IoT devices and systems need to consider everything from actuating physical attack, to connectivity and the importance of data, and the systems to support these devices going forward. When you embed them in concrete and build them into homes and hospitals, you need to think completely differently than you would about a Wi-Fi printer.”

From a legal perspective, the dawn of the IoT era also means a potential increase in liability, especially in the light of new and planned data protection, privacy and information security regulations emerging in Europe and internationally, said Mark Taylor, partner at Osborne Clarke.

“Determining who has legal responsibility or liability in relation to an IoT service is inevitably a complex question because most services are likely to pull together data from many different people and places, making it difficult to disentangle the actors involved and to fix liability and responsibility in one place,” he said, adding that hyper connectivity leads to hyper complexity from a legal analysis perspective.

Criminal liability

In terms of IoT, Taylor said criminal liability could potentially arise from organisations or services accessing data for purposes other than those authorised.

“The UK’s Computer Misuse Act creates various offences around unauthorised access and modification of computer systems, but a point that is often misunderstood is that if someone is authorised to have access to a system for one purpose but accesses it for another purpose, then that is actually unauthorised from a criminal perspective, and so criminal liability could potentially arise unexpectedly,” he said.

Another potential area of criminal liability is the interception of communications, particularly in the light of the planned Investigatory Powers Bill, which expands the focus on voice communications to include data.

“It is going to be interesting to start to apply some of that legislation to the interconnection of networks enabled by the IoT and test whether it is considered to be a public network or a private network, which are treated differently by the law, determining whether liability is criminal or civil,” said Taylor.

The Fraud Act could also give rise to criminal liability in the context of IoT systems and services, he said, bearing in mind that the legislation is focused on false representations.

“Where different devices are authenticating to each other, we may need to consider if they can be involved in committing offences or if the person who created the device or software could have done so in some way,” he said.

False representation

Taylor predicted that there would be some careful analysis of provisions in the Fraud Act on false representation and how they can be translated into an IoT setting.

Finally, he said, the Data Protection Act has some criminal offences relating to the unlawful obtaining of personal data. “If we look at the interconnected aspect of IoT, we have to consider if we are clear – if we apply the analogies of data controller and data processor – as to which parties in the operation of a multi-party solution are inhibiting which roles, and therefore where some of the liabilities around that lie,” he said.

But when it comes to the IoT, civil liability is probably more relevant, said Taylor. “The Regulation of Investigatory Powers Act (Ripa) can give rise to liability in tort if you intercept communications without the consent of the sender or recipient,” he said.

“There are certain exceptions, but they have been created in a world where IoT wasn’t thought of, and it remains to be seen if they translate across, in reality, to how a hyper-connected set of devices will work.”

The DPA has provisions that individuals who suffer damage can bring claims for compensation, but these will be significantly increased by the EU’s General Data Protection Regulation (GDPR), which comes into force in May 2018, said Taylor.

“That brings to the fore the idea that an individual who has suffered loss involving their personal data can take action, and although under the GDPR there will be significant fines for non-compliance, the rights to personal compensation and the fact that quasi class actions by non-profit associations on behalf of data subjects may be a more concerning aspect in the IoT landscape, vastly expanding the liability surface alongside the attack surface,” he said.

Maintain adequate security

The European Network Information and Security Directive (NIS), which is expected to be finalised around August 2016, imposes the first general obligation to maintain adequate security in certain network and information systems.

Although this will not apply to all systems and providers of those systems, Taylor said it could affect certain IoT services linked to essential or digital services, and, like the GDPR, it includes a data breach notification requirement.

“The NIS directive will cover cloud service providers, search engines and marketplaces, which could possibly include some IoT systems and services, especially as IoT systems expand and evolve to share ever-increasing amounts and types of data and in the light of the fact that most IoT services are linked to apps with cloud-based back-end systems,” he said.

Civil liabilities

Other legislation that could potentially give rise to civil liabilities for IoT service providers includes the EU electronic identification and trust services regulation (eIDAS) and consumer protection legislation.

In view of the fact that there are a number of people who can be responsible for different parts of an IoT system or service, Taylor said developers of such systems should give some thought to how liability is going to shift between them.

“And from a contractual perspective, if you are dealing with putting together a supply chain or contract arrangement to deliver a solution, thought will have to be given to how the liability will be allocated,” he said.

In summary, Taylor said legal concerns are unlikely to inhibit the progress of IoT devices, systems and services. “The march on is going to continue, so it is up to lawyers and adopters of the technology to try to understand and shape its progress in a way that is meaningful for the development of the industry,” he said.