Smart TV Ransomware Risk: What You Need to Know

by John DiGiacomo

Partner

Cyber Security Data Breach

As the number of physical devices connected to the internet increases, so too does the threat of cyberattacks on the devices that make up the Internet of Things. Practically everything that has electronics nowadays is connected online. Vehicles, dishwashing machines, refrigerators, and a number of personal electronic devices are all part of the Internet of Things. Devices connected to the Internet of Things have a reputation for being vulnerable and insecure, and hackers try to take advantage.

Ransomware Attacks Made on Smart TVs

One type of cyber attack that is becoming more and more common involves the distribution of ransomware to smart television sets. In many homes across the country, people have purchased smart TV sets that are capable of streaming TV programming, but TV streaming comes with the risk of exposure to hackers. Hackers have been using ransomware to hold smart TV sets hostage. The hacks made against TV sets can happen in a number of ways.

  • Taking advantage of insecure network connections, hackers gain access to TV sets and install ransomware. When the set owner turns on the screen, a ransom note is displayed and the TV is rendered useless until the ransom is paid.
  • Hackers can gain access to smart TVs through applications that the user downloads onto the TV set, for example, an app for watching downloaded movies.

While TV sets are not a treasure trove of personal data, there is concern about how ransomware might be used in conjunction with smart TV sets that are always on. Voice-activated smart TV sets are always monitoring what people say nearby while waiting to receive a voice command to turn on. It could be possible for hackers to gain access to this always-on feature to eavesdrop on people who do not realize that hackers are spying on them through their TV sets.

Devices on the Internet of Things Used for DoS Type Attacks

It is not uncommon for hackers to pull insecure and vulnerable Internet of Things devices into a botnet, where they serve as bots used to launch traffic-based attacks on targets, such as Denial of Service type attacks. While “smart” devices are marketed to consumers as physical devices that are connected to the Internet of Things, “smart” only refers to the fact that the device includes technology to connect it to the internet – the term does not reflect how insecure and vulnerable devices connected to the Internet of Things are. Hackers see smart devices that are connected to the internet as opportunities for conducting their schemes.

Cyber Threats are Changing and So is the Law

Cybersecurity is one of the most complicated areas of law due to its technical nature, and also due to its constant state of change. If you have been victimized by a cyber attack, you need to get in touch with a cybersecurity lawyer. Revision Legal has worked with countless clients across the country as they deal with their data security breaches. Please feel free to contact the cybersecurity breach lawyers at Revision Legal by using the online form on this page or call us at 855-473-8474.

The Legal Landscape for IoT Security: Who Is Liable?

The explosion of internet-connected devices has created a legal landscape that lags badly behind the technology. Millions of IoT devices — smart TVs, routers, cameras, thermostats, baby monitors, and home assistants — are deployed in homes and businesses with default credentials, unencrypted communications, and no mechanism for receiving security patches. When these devices are exploited to surveil users, to serve as botnet nodes, or to provide entry points into home and corporate networks, the question of who bears legal responsibility is not yet fully resolved by courts or legislators.

The California IoT Security Law

California took a first step toward IoT device security standards with the passage of SB-327, codified at Cal. Civ. Code §§ 1798.91.04-1798.91.06, which took effect January 1, 2020. The law requires manufacturers of connected devices sold in California to equip devices with “reasonable security features” appropriate to the nature and function of the device, the information the device may collect or contain, and the foreseeable uses of the device. At a minimum, if a connected device uses a means of authentication outside a local area network, it must have a unique pre-programmed password or require the user to generate a new means of authentication before access is granted. While California’s IoT security law is limited in scope and enforcement mechanisms, it was the first in the country and has influenced subsequent federal discussions.

The Federal IoT Cybersecurity Improvement Act

At the federal level, the IoT Cybersecurity Improvement Act of 2020 directed NIST to develop and publish standards and guidelines for IoT devices owned or controlled by the federal government. NIST’s resulting publications — including NISTIR 8259 and SP 800-213 — provide a baseline security framework for IoT devices that, while not directly applicable to consumer devices, establishes the technical consensus on minimum IoT security controls and is increasingly referenced in product liability litigation and insurance underwriting.

Ransomware on Consumer Devices: Legal Rights and Remedies

Consumers who find their smart TV or other connected device held hostage by ransomware have limited but real legal options. The Computer Fraud and Abuse Act, 18 U.S.C. § 1030, prohibits unauthorized access to protected computers and authorizes civil actions by parties who sustain losses exceeding $5,000. A smart TV that is rendered inoperable by ransomware has arguably been damaged within the meaning of the CFAA, and the consumer may have a civil claim against the ransomware operator — though identifying and serving foreign ransomware actors is practically difficult.

More practically, consumers and businesses should focus on prevention. Ransomware delivered to smart TVs and other IoT devices typically arrives through sideloaded applications, insecure Wi-Fi connections, or by exploiting known vulnerabilities in device firmware. Keeping device firmware current, avoiding app installations from untrusted sources, and placing IoT devices on a network segment isolated from computers that hold sensitive data significantly reduces ransomware risk.
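One way to verify that the network isolation described above is actually in effect is to audit firewall connection logs for traffic that IoT devices initiate toward the sensitive segment. The following is an added example, not part of the original article; the subnets, the four-field log format, and the sample records are assumptions constructed for illustration.

```python
import ipaddress

# Assumed addressing plan (hypothetical; substitute your own subnets).
IOT_NET = ipaddress.ip_network("192.168.50.0/24")        # smart TVs, cameras
SENSITIVE_NET = ipaddress.ip_network("192.168.10.0/24")  # PCs with sensitive data

# Constructed sample: one connection attempt per line,
# "source destination destination-port firewall-action".
SAMPLE_FLOWS = """\
192.168.50.21 203.0.113.10 443 ALLOW
192.168.50.21 192.168.10.5 445 ALLOW
192.168.50.30 192.168.10.5 22 DENY
192.168.10.5 192.168.50.21 8009 ALLOW
192.168.50.21 192.168.50.1 53 ALLOW
not a flow record
"""

def parse_flow(line):
    """Return (src, dst, port, action) or None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        src = ipaddress.ip_address(parts[0])
        dst = ipaddress.ip_address(parts[1])
        port = int(parts[2])
    except ValueError:
        return None
    return src, dst, port, parts[3].upper()

def audit_segmentation(log_text):
    """Classify IoT-initiated connections aimed at the sensitive segment.

    'allowed' entries mean the isolation rule is missing or too loose.
    'denied' entries mean the firewall held, but an IoT device probing
    that segment is itself worth investigating.
    """
    findings = {"allowed": [], "denied": []}
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, port, action = flow
        if src in IOT_NET and dst in SENSITIVE_NET:
            key = "allowed" if action == "ALLOW" else "denied"
            findings[key].append((str(src), str(dst), port))
    return findings

if __name__ == "__main__":
    for kind, flows in audit_segmentation(SAMPLE_FLOWS).items():
        for src, dst, port in flows:
            print(f"{kind.upper():7} {src} -> {dst}:{port}")
```

Connections that start on the sensitive segment and go to a TV, such as a laptop casting to the screen, are deliberately not flagged, because the check assumes each record is a connection initiation.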

IoT Surveillance and Wiretapping Law

The always-on microphone concern described above — hackers using a smart TV’s voice activation feature to eavesdrop on household conversations — implicates federal and state wiretapping statutes. The Wiretap Act, 18 U.S.C. § 2511, makes it unlawful to intentionally intercept wire, oral, or electronic communications and authorizes civil claims with statutory damages of $10,000 per violation or actual damages, whichever is greater. States with all-party consent wiretapping statutes — including California, Florida, Illinois, and Pennsylvania — provide additional protection and potential civil remedies when someone’s conversation is recorded without consent.

For businesses, the concern is not just consumer-grade smart TVs. Conference rooms equipped with smart displays and voice-controlled meeting technology present real risk if those devices are compromised. A hacker with access to a conference room’s smart display can potentially intercept privileged attorney-client communications, trade secret discussions, or personnel matters — creating legal exposure for the business that extends well beyond the cost of the device itself.

If your business has been affected by an IoT security breach, ransomware attack, or unauthorized surveillance through connected devices, the cybersecurity attorneys at Revision Legal can help you assess your legal options and your obligations. Contact us using the form on this page or call us at 855-473-8474.

Image credit: Samsung Newsroom
