Security Vulnerabilities, the Current State of Consumer Protection Law, & how IOT Might Change It



Download to read offline

BSides Las Vegas 2016 - Proving Ground Track
If a consumer purchases software (say, a word processor or note-taking application) and that leads to some harm, perhaps the software allows malware to run on their computer and lock all their data for ransom, or their private data is stolen, do they have any recourse?

In the area of private lawsuits, a consumer would likely first look to products liability. Product liability law acts as a form of insurance to protect users: if a product is built in an unsafe way and it injures you, you may sue the retailer or manufacturer of the product.

There are three general theories a consumer can recover under:

Design defect: the product was designed in an unsafe way
Manufacturing defect: the specific instance of a product was assembled incorrectly and had a one-off manufacturing flaw
Failure to warn claim: the product had non-obvious ways it could harm the consumer, that the consumer should be told about

Although these suits are common for defective products such as lawn mowers, coffee makers, and other consumer goods, they are not used by purchasers or users of software. The primary reason so far is that products liability is focused on physical harms (it covers serious injuries like losing your finger to a bagel cutter, for instance), and until somewhat recently most software couldn't physically harm you. (Alternatively, some users can recover if they had a contract with the software creator or provider, as in the Trustwave incident response suit.)

The rise of the Internet of Things is about to change a lot of that. There have already been a small number of cases where liability was found because buggy software caused physical harm to consumers. Returning to the fridge: what if someone could connect remotely to your fridge and adjust the temperature to be a little too warm, leading you to get food poisoning? What if they could do so without the temperature display on the fridge changing, so it looked like it was still cold enough?

This talk will explore the background of product liability law, and discuss how and why IoT might expand its coverage to software flaws.

Security Vulnerabilities, the Current State of Consumer Protection Law, & how IOT Might Change It

  1. Security Vulnerabilities, the Current State of Consumer Protection Law, & how IOT Might Change It. Wendy Knox Everette, @wendyck, BSides LV Proving Ground 2016
  2. This is not legal advice. I'm not (yet) a lawyer. But I am interested in your thoughts on this topic! Please find me around, or tweet me (@wendyck)
  3.
  4. Let's compare these consumers. One consumer buys a coffeemaker. It has a flaw that causes it to overheat, break, and scald the user. Would this consumer probably be able to get the manufacturer to pay for any losses? Probably yes, using product liability law. Another consumer buys a router & hooks it up in her home office. There's a flaw in it, and her files are exposed to the internet. Can this consumer get the manufacturer to pay for any losses? Probably not.
  5. Why?
  6. What if there's an agreement between two people? That agreement governs. Think of EULAs, clickwraps, Terms of Service. What happens in a contract stays in a contract.
  7. What if there is no pre-existing agreement? Tort law: how we deal with harm to people in car accidents, roller coaster malfunctions, and similar problems. Product liability law: how we deal with harm to consumers from products they purchased.
  8. What do I need for a product liability suit? You need more than pure economic loss: physical harm to the consumer, or property damage.
  9. What changes with IOT?
  10. What's your Smart Blender patching strategy? Software is now in devices capable of interacting with the physical world. This is a fundamental shift that affects a main reason why we've lacked software liability in the past.
  11. Products Liability as Insurance, 1916
  12. Products Liability as Consumer Protection. When a product harms a consumer, they allege one of these types of problems: 1. Manufacturing defect 2. Design defect 3. Failure to warn
  13. Why do we have knives but not lawn darts? Risk-utility balancing is a core part of products liability. Product liability is strict liability, that is, liability without fault. But not really: foreseeability of use & obvious dangers play a part. These are most important for design defect & failure to warn cases.
  14. What do you mean by "serves an insurance function"? Consumers expect products to be safe. Are you really worried about your blender harming you? What if I tell you that your blender is internet connected? Why are you concerned now?
  15. Would this actually work?
  16. Empowering consumers is nice, but is this even feasible? Failure to warn as a framework: should software companies have to warn about known vulnerabilities?
  17. What does a failure to warn claim look like? 1. Risk reduction warning: "Wear goggles and don't stand on a ladder." 2. Informed choice warning: "Product is dangerous. Here's what you need to know to weigh that risk."
  18. Can failure to warn provide incentives for better practices? It could provide incentives for practices like: designing items that can be patched; publishing a security contact form; triaging issues and releasing patches regularly; fixing usability issues with end-consumer patching.
  19. What is warning overload? Failure to warn doctrine takes into consideration a cost-benefit analysis that might be adapted to vulnerability disclosure. What warnings are reasonable? For what audience? Should we warn even if there isn't a patch available?
  20. What about obvious risks? "You should have known" is a defense. It would make it hard to blame lack of warnings if you just have bad security practices. Photo by JohnnyXmas
  21. What about open source? Turns out products liability has worried about this sort of problem before. Components in product liability: if your component is used in a product, you are not strictly liable, unlike the retailer or supplier, unless your component was also defective. Focus is on commercial sellers, not hobbyists.
  22. How does this relate to the way we develop and patch software?
  23. What changed after 1916? Mass production and supply chains changed how we bought & sold products. Consumer safety increased as certain factory practices became standard: a presumption that your product is safe if you follow industry norms.
  24. Could change happen again? IOT changes how software interacts with the world. So now what?
  25. So this is a perfect solution, right? Lots of problems. When should a company disclose unpatched vulnerabilities? Does this impact innovation? What about warning overload fatigue?
  26. Where do we go from here?
  27. Do the things you already know you should. Make sure you're set up to receive and validate vulnerability reports. Test. Improve your SDLC. Take reasonable care to put a safe product on the marketplace.
  28. Thank you! Come talk to me about software product liability: @wendyck. Thank you to BSidesLV Proving Ground & Chris Eng!

Editor's Notes

  • We need to learn a little bit about how American law works
  • Unless: courts don't so much like to let contracts (Ks) override tort law
  • Product liability law: making consumers safer. Insurance function.
    ** recover
  • Pure economic loss

    What if there's an agreement but there is serious physical harm?
    Well, at that point, courts might step outside the terms of the contract.

    ProCD v. Zeidenberg, 1996: might go beyond damages directly anticipated by the contract
  • Software is now capable of causing harms beyond pure economic loss
  • Software is now being embedded in devices that can cause actual physical harm. We're moving beyond the world where a liability wall around software was fine because it could only cause pure economic loss types of harm.
    At the same time, some of this software is being built by companies without a long track record of software development. Should we worry when a refrigerator company embeds internet connected software into your home fridge? Was it tested well? If there are vulnerabilities, how will they be handled?
  • MacPherson v. Buick, 111 N.E. 1050 (NY 1916): just tell the wooden wheel case
    Economically infeasible to limit recovery
    Later we left negligence behind & product liability became a strict liability regime: it performs an insurance function in the market

    Putting cost onto manufacturers
  • Manufacturing defect: flaw in the glass of a coffeemaker carafe
    Design defect: lacking an auto-off cutoff switch, which leads the coffeemaker to catch fire easily
    Failure to warn: coffeemaker shouldn't be left on more than 30 minutes, and there is no warning to tell you this
  • Breathe

    Foreseeability: you aren't really liable if the person uses your product in a ridiculous manner
    Mount a coffee maker on a drone and it spills hot coffee on you: unlikely to recover
    Someone hacks into the coffeemaker drone, flies it around and spills it on you: unlikely to recover
    Legitimately crazy use of software: nope

  • Reasonable expectations; reduce transaction costs. Consumers don't generally have to audit the safety of their kitchen appliances. Why is software different?
  • Risk reduction warning: "If you use our WonderWidgetSoftware, turn off features x & y and don't run it with Java v N.N"

    Informed choice warning: "WonderWidgetSoftware has a vulnerability in that attackers can spoof a wifi hotspot and get your wifi credentials. You can't tweak any settings to prevent this behavior, but you should know."
  • Under a failure to warn claim, however, the consumer might be able to argue that the vendor should at least have alerted the consumer that there was a particular type of vulnerability in the software, made clear when and why to apply patches when they become available, or explained how to mitigate.

  • Imagine if all your appliances were covered in warnings like this.

    What’s a sufficient warning? What’s too much? Can a lay jury decide what an adequate warning is for a technical issue?
  • Much as you are only liable if the product is dangerous when used in a foreseeable way, you don't need to warn consumers that knives are sharp or that your IOT tea kettle shouldn't be dropped into the bathtub.
  • Libraries that are incorporated into products: if the vulnerability is not in that library, liability would not be found against the library's authors.
  • ** Trigger cases
    ** People no longer bought products at a corner store; we developed mass-market supply chains & retail
    ** That change is similar to the change occurring with IOT
  • Trigger case: if a product is found defective because a vendor was unable to patch it and didn't communicate how to mitigate risk, it could change the field, much like previous cases moved products liability into its modern form.

    Right now some devices are released using questionable security practices, and without any ability to patch.
    Products liability could help establish industry standards that would protect consumers by encouraging manufacturers to follow more mature practices.
  • Expand if time

  • Even though we don't have this sort of liability yet, there are particular practices you might want to set up, because then if you were sued you could point to them & say "hey, but we take reasonable care". This is a good thing to be doing anyway.