In the last several years alone, the reach of the Internet of Things has grown exponentially, and the market is forecasted to reach a whopping $1.6 trillion by 2025. Whether we look at wearables, smart speakers, connected appliances or smart cars, there’s no denying that this level of innovation has changed human behaviors, and has introduced new opportunities for convenience as well as enhanced experiences. Unfortunately, the rise in IoT devices also has caused an explosion of shared data, and with it, the increased risk for hacking and stolen personal information.
We saw this unfortunate truth with smart lock manufacturer Tapplock, which recently came under fire from the FTC when its “unbreakable” products were discovered to be unsecure. According to the FTC, the company misled consumers by claiming that the locks had “double-layered lock design” and were made with “anti-shim and anti-pry technologies.” In fact, the locks were found to have several points of security vulnerabilities, including a way to bypass account authentication, gain access to Tapplock user accounts, and physically break in and access the device with a fair amount of ease.
While Tapplock has since settled its case with the FTC, some big box retailers still had its locks on their shelves afterwards. This begs the question: If a brand in a retailer’s supply chain gets “FTC’d,” so to speak, because it didn’t follow industry best practices, can the retailer also be held liable? In some cases the answer is yes, and for many retailers it’s safe to say that they wouldn’t want to find out.
Don’t Get Caught With The Bag
To take the above question a step further, do retailers always know exactly what’s in their supply chain at all times in order to ensure that this kind of lawsuit doesn’t happen? Most retailers might assume the connected products they are selling have gone through a vetting process, but this isn’t always the case — and assuming it is can result in disaster.
In order to protect consumers, retailers must make concerted efforts to ensure that they are knowledgeable about their suppliers and products before putting devices on shelves — even if it means more time, money and energy spent to do so. Regardless of any negligence on the manufacturer’s part, once a retailer is caught selling these devices after the FTC has labeled them “unsecure” or “defective,” the result can be a class-action lawsuit. Under product liability laws in states such as Connecticut, California and New York, for instance, retailers can be held liable for selling defective goods under theories of negligence, strict liability, or breach of warranty.
Tips To Avoid Unsecure Products From Landing On The Shelves
With more smart devices introduced in the market every day, now is the time for retailers to take action to avoid a negative legal situation down the road. To do this, retailers should consider the following:
- Implement a Vulnerability Disclosure Program: In past years, the FTC has released guidelines stressing the need for Vulnerability Disclosure programs to create an open dialogue between all stakeholders in a product’s supply chain. Recommendations around best security practices include conducting risk assessments, testing security measures before launching products, training employees on security and monitoring products throughout their lifecycle. Such a program allows participants like retailers to receive the latest security alerts on the products that they sell, so that if a security issue is detected they can take the necessary steps to remove unsecured products from shelves.
- Create notifications for security issues: Retailers can ask their manufacturers or suppliers to provide them with regular updates on security issues, creating another direct line of communication and transparency. Retailers can and should write this requirement into their contracts to ensure that these processes are followed through on and to create further accountability from manufacturers.
- Partner with industry-led organizations: There are several organizations working to address issues with security in IoT, including major tech players, government organizations and other industry leaders. Partnering with industry-led organizations that are at the forefront of smart device security will provide the transparency needed to help make retailers aware of current security standards, as well as offer best practices for protecting themselves and their consumers from faulty devices in the market.
IoT security continues to be an oversight for many, but it doesn’t need to be — especially for retailers with a huge stake in the game. They must be informed and smart about their supply chains, and not let the next hot smart product take them down a road of crippling legal fees. And although retailers are the last stop for products, stricter guidelines when it comes to security for the manufacturing stage of connected devices will also help ensure security is built into the products from the start. Implementing this precaution will not only save billions of dollars in legal fees; it also will save both manufacturers’ and retailers’ reputations down the line, and prevent consumers from potential damage or loss.
Brad Ree is CTO of the ioXt Alliance. In this role, he leads ioXt’s security products supporting the ioXt Alliance. Ree holds over 25 patents and is the former security advisor chair for Zigbee. He has developed communication systems for AT&T, General Electric, and Arris. Before joining ioXt, he was Vice President of IoT security at Verimatrix, where he led the development of blockchain solutions for ecosystem operators. He is highly versed in many IoT protocols and their associated security models.