Cybercrime

Not As Smart As They Look

  • Why it matters

    When something goes wrong with the security on a smart or networked device, it is unclear who is legally liable for damages, especially if manufacturers have failed to provide security updates. The author argues that legislators need to step in.

  • Facts

    • Recent cases have shown how easily hackers have been able to access everything from car locks to mobile phones and smart locks. Millions of consumers have been affected.
    • Many manufacturers do not provide regular security updates for their smart devices. For example, unlike many computer users, smartphone users with Android operating systems cannot even update their own devices.
    • Politicians need to explore the issue further and possibly even formulate legislation to deal with the issue of liability. The end result could involve higher prices for smart devices.

In one case, thieves were able to open car doors, leaving no trace, because the cars’ remote control devices had a major programming defect. In another, cyber criminals were able to take control of Android smartphones because the manufacturers didn’t solve known security deficits. And in another, so-called smart thermostats and door locks, which can be operated by an app, had their protection mechanisms circumvented by hackers without too much trouble at the Black Hat 2016 security conference.

Recent reports on cases like these paint a disturbing picture. Companies are building information technology into their products but, at the same time, they are neglecting the security aspects. Millions of customers are already affected by ongoing cases, but in the future it could be many, many more because, thanks to ever cheaper processors, sensors and antennae, formerly analog devices are turning digital.

And it is the customer who bears the risk: for example, when criminals take bank data and private photos from a smartphone, when smugglers steal a car or, perhaps one day, when blackmailers are able to cripple a company’s production.

Politicians must do something to curb this widespread lack of due diligence.

There should be a law obligating software developers and manufacturers alike to keep a device supplied with security updates during its typical operating life. A set of rules of this nature would be legally complex, but it is absolutely necessary in this day and age.

Smartphones are a typical example. It is not surprising that there are new security deficits in the Android operating system. Researchers and hackers have identified many problems in the past, some of them serious. That is why security updates are so important. But new hacking cases highlight the fact that they haven’t happened. Unlike with an iPhone or a computer running the Windows operating system, Android users cannot install the updates themselves. Manufacturers first have to adapt the software before they offer it as a download. Weeks or months can pass before that happens and many older models are not supplied with fresh software. They run out-of-date versions of the operating system. And that is the curse of the variety which Android makes possible.

Even if some firms like Samsung, LG, Blackberry and Google now promise regular updates, many consumers are faced with a difficult choice. They either exchange a device which still works well, or they live with the risk that hackers can steal their account data, or gain access to their private lives, including photos and instant messages.

Legally, consumers have hardly any leverage. The software used in smartphones is not subject to classic product liability, like automobiles or electronic products. It is also unclear how to deal with safety deficits which only become public after a device has been sold or which are the subject of an ongoing legal debate. So the chances of success for anyone going to court to contest smartphone manufacturers’ policies are highly uncertain.

But that doesn’t have to be the case: A legally binding product liability for firmware and software would obligate the manufacturer and bring more security.

Of course that will cost money. Manufacturers will have to provide ongoing servicing for more products, over a longer period. That’s a thankless task in an industry which is as fast-moving as it is competitive. A legal obligation would reward those players who are already investing in security. They could fulfil the demands without much additional effort, which would put them at an advantage over the cheapskates who have neglected after-sales service up to now and simply passed on the problems to users.

The result? The average price of smartphones would be a little higher, but they would be considerably more secure. That seems worthwhile.

This is legally difficult terrain and largely unexplored. But it is high time that politicians launched a few expeditions into this territory. A few research questions: Who bears responsibility in the complex supply chain: the manufacturer, the supplier, or both? How long does a company’s obligation last and what are the differences, for example, between smartphones and cars? And what reaction time is reasonable when a new problem comes to light?

IT security weaknesses don’t just affect the smartphone. But based on these versatile devices that almost everyone owns, product liability would obviously have a major impact on manufacturers. A good start would be to make our new world of networked smart devices more secure. Solving security deficits has its price but the investment is certainly worthwhile.

 

To contact the author: kerkmann@handelsblatt.com
