Security Vulnerabilities, the Current State of Consumer Protection Law, & How IOT Might Change It

BSides Las Vegas · 23:07 · Published 2016-08
About this talk
Security Vulnerabilities, the Current State of Consumer Protection Law, & How IOT Might Change It. Wendy Knox Everette, Speaker (Chris Eng, Mentor). Proving Ground, BSidesLV 2016, Tuscany Hotel, Aug 02, 2016.

DISCLAIMER: THIS IS NOT LEGAL ADVICE. Wendy Knox Everette is not (yet) a lawyer. But she is interested in your thoughts on this topic! Please find her around, or tweet her (@wendyck).

Transcript [en]

So this talk really came out of this tweet from well pond back in October of this past year. He was talking about how manufacturers a lot of times make legal threats to security researchers when they're disclosing vulnerabilities, and he's pointing out, like, hey, consumers can't really make legal threats when they buy software and it's broken and something happens. They really don't have a voice or a way to use the legal system right now. I guess, having just gone through a few years of law school, I understand why, but it's kind of complicated, and I thought it might be interesting to sort of explain to people why that is. There's a lot of talk these days about software product liability; last year's Black Hat was a lot about it. It's kind of fuzzy, and so I want to talk about the current state of it and why it might actually start changing, not just because a lot of people are talking about it, but because the Internet of Things is going to change some stuff that affects the reasons why we haven't had software product liability so far.

So let's start out by comparing two different situations. Let's say you go to Target, you buy a coffee maker, you bring it home, you plug it in, and something happens: the glass carafe has a flaw in it and it explodes and cuts your wrists, or it catches fire or something. In this instance, as a consumer you might have medical bills, and you can go to the person who made your coffee maker, sue them in a court, and have them pay for your medical bills. This happens all the time with defective products. But now let's compare that to another consumer who buys a router. She brings it home and plugs it into her home office, and there's a flaw in the software on the router and all of her information gets exposed. She goes through identity theft and so forth. This consumer does not really have any recourse under our system right now. She's also been harmed, but she can't bring a suit, or she could, but she'd probably get tossed out of court pretty quickly.

So why? What is the actual difference between these two situations? We have two consumers who are harmed by products that they bought, and they're facing fundamentally different situations in the court. To start with that, I need to explain to you a little bit about how the American legal system works. So generally, if there's an agreement between two people, that's a contract. This is super common in the software world: we have clickwraps, we have EULAs, we have terms of service. And essentially how the American legal system works is that if you have a contract and something happens, any sort of damages or so forth are going to be governed by this contract. So basically, unless there is some really grievous physical harm, what happens in that contract gets governed by that contract.

On the other hand, you might get harmed by someone who you don't have an agreement with. We have car accidents, maybe a roller coaster goes flying off of the track. We use tort law to address that. Tort law is for when someone out there who you are not in an existing agreement with hurts you, and it tells you how your medical bills get paid for. And product liability law is a subset of tort law; it's the law that governs, basically, purchases or products, and if those products are defective. So let's think about what you need for a product liability suit in our legal system right now. You need more than what we call pure economic loss: you need a physical harm to the consumer, like that glass carafe exploded and cut your wrist or something, or you need property damage, maybe the coffee maker caught fire and it burned your kitchen.

So now let's think about what happens with the Internet of Things. Software has always just been on our computers, and we've had buggy software, we've had problems caused by software, but it was not capable of causing any physical harm out in the real world. And this changes with IoT. We have software in fridges: if someone hacks into your fridge and raises the temperature of it, your food could go bad, it could cause you to get sick. We have software in drones: a drone could fall out of the sky and hurt you. There's this really fundamental shift in the sorts of ways that software is going to be interacting with the real world that changes one of the fundamental assumptions that we've always had about why there is no such thing as software product liability.

So this is not actually the first time that product liability might be changing. I'm going to go all the way back to 1916. There's a very influential case that sort of developed product liability as we know it today; it's called MacPherson versus Buick. This guy went and bought a car from a Buick dealership. It's 1916, so for whatever reason at the time they made wheels out of wood, and there was a flaw in one of his wooden wheels. He's driving down the road and the wood breaks, the car crashes, he's injured, and he goes back to his Buick dealer and he's like, hey, you know, there was a problem with that car that I bought from you and it injured me, and I'd like you to pay my medical bills. And the dealer goes, okay, well, sure, there was a flaw, but that came from the person who built your car; all I did was sell it to you. So essentially the guy who bought the car and the seller were what we call in the legal world in privity: they had an agreement. But the guy who bought the car was not in privity with the person who built the car, who is also the person who introduced the defect. And so the court said, oh, we have a problem. This guy was injured and he can't have his medical bills paid for. And as a society at that time, they were moving away from everybody being a farmer or buying things in general stores where you knew the person who was selling products to you, and they were shifting towards, you know, mass production, supply chains, and so forth. And the Court recognized that

this was a change, and they decided to allow the guy who bought the Buick to go recover from the person who built the defective product. And so they developed the idea of, basically, the ability to go have your medical bills or whatever paid for from anyone who had built a product or sold it to you, anywhere up and down that chain.

So in the courts we recognize three different types of defects; these have all developed mostly since the 1916 case. We have manufacturing defect, which is probably what a lot of people think about when they think about defective products. That would be like that flaw in the glass of the coffee maker: this one instance of a product came off the factory line and there was a problem with it. We also have what we call a design defect. So maybe that coffee maker was built such that if it's on for more than three hours it might overheat, it could catch fire, it could cause problems, and there's a little switch or something that the coffee maker manufacturer could have installed in the coffee maker but chose not to. And so if it catches fire, the consumer can go into court and be like, hey, this is just a really poorly designed product, you probably should have put that in, it wouldn't have cost that much and it would have eliminated the danger. And finally we have failure to warn. Failure to warn is the reason why your McDonald's coffee cup has a warning, "this is hot," and why there's stickers all over everything. So in that instance, maybe we can say the coffee maker, you know, has a tendency to overheat after 30 minutes, but we could just put a little sticker on it to tell the consumer, you know, don't leave this on for more than 30 minutes, and so that will allow the consumer to be aware of this problem and take action to prevent it.

So product liability is what we call strict liability, which is liability without fault, and it sort of feeds into the question of why can you go buy knives but you can't buy lawn darts. If we think about it, these are both sharp objects that could injure you, and yet one is freely available in the American consumer market. And the reason is really risk-utility balancing, and that is also the reason why product liability is not really strict liability. So foreseeability and obvious dangers really play a big part in this. An obvious danger like a knife, you know, I can look at it and I can be like, yeah, I can see that this is something that could hurt me, but it's really useful. We need to be able to buy knives, or, you know, I go home and cook dinner and I'm going to have a lot of problems preparing my dinner. Whereas lawn darts, they're fun, they're sharp, they're not super useful; our society is kind of running without them right now.

The foreseeability also plays into how you use a product. So if I buy a stepladder and I decide to do something really dumb and set it up in a rowboat, and I climb up on the stepladder in the rowboat and it collapses and I now broke my leg, if I go to the manufacturer and I'm like, hey, I was injured by, you know, your stepladder, they're going to go, like, in a rowboat? No, not going to happen. Like, that's completely not foreseeable; you were doing something dumb there. I could take a coffee maker, I could mount it on a drone because I want to be lazy and I want my coffee to come get delivered to me over on my sofa, and then someone hacks into the drone and causes it to, you know, sort of wobble in the air and it dumps hot coffee on me. Like, that is a legit stupid thing to be doing; you are not going to recover under this sort of scheme.

So some of the reasons why we have product liability, really, is that it serves an insurance function. Our society has decided to sort of push the burden of making products safe onto manufacturers, rather than requiring every consumer to be their own, you know, Consumer Reports sort of people and have to go investigate whether these products are safe. You know, I can go to a Target, I can purchase a blender, and I'm not super concerned that this blender is really going to harm me, because I have this reasonable expectation that if I buy this product and I use it in a fairly ordinary way, that it's going to be okay, it's not going to harm me. And this is something that might start changing with IoT. So the people who build blenders are totally used to building blenders; however, they're not really totally used to building software. We don't know right now how common it is for them to build blenders that can be upgraded. Do they have experience of accepting reports from the security community about vulnerabilities? Do they understand what sorts of features they should put in to be secure? There have been things with, like, IoT tea kettles that were leaking Wi-Fi credentials because they were just poorly designed from a software side, and all of us are like, yeah, that's really stupid, you know, but we also have experience building software. These folks who are starting to put software into things that can interact with the world do not yet have that background.

So this is kind of cool: we could empower consumers and they could use software product liability. But that's a big fuzzy thing; like, how would this actually work in a court? You can't just go into the court and be like, I feel like we should have this sort of a liability. So failure to warn is one framework we could use, and one way we could think specifically about it is maybe software companies, or companies that are using software, should have to warn about known vulnerabilities. Failure to warn is a pretty well-developed field in product liability, and it really breaks down into two components. One of them is the risk reduction warning, like, if you're going to use this chainsaw, wear goggles. We could think about that in a software world by saying, hey, if you're going to run this particular software, make sure that, you know, you upgrade the Java it's running on, you know, go do these particular configuration settings so that it's a little bit safer for you. Or we have informed choice warnings. The informed choice warning is incredibly common in the pharmaceutical world: we tell the consumer, there are these risks out there, they exist, I'm just going to let you know about them and you need to make your own risk calculation. So we can think about that in the software world; we could say, well, the software has maybe this vulnerability, and we're going to tell you about it, and you need to make your own decision about whether it's important to your business to keep using this software, and maybe you can figure out in your network how to set it up and protect it.

Now, one of the things we can think about is a failure to warn might provide incentives for better software development practices. We can think about encouraging the people who are making these internet-enabled smart fridges to design items that can get patched, following, for example, maybe the Open Web Application Security Project's Top Ten if you're going to have, like, a web application for this sort of thing. We can talk about making it easy for researchers to disclose problems that they found, rather than having to force them to go through endless CS queues. Triaging issues and releasing them: these are things that software companies are really used to. You know, we can get in a bug report and decide whether it's a serious problem, if it's exploitable, if it actually needs to be addressed or not, and that's something that companies that aren't used to building software are not used to doing. One part of failure to warn that we really should worry about, if we're going to start thinking about this with software vulnerabilities, is warning overload. This is a picture of my coffee maker covered with a million and a half hot warning stickers. Like, if I saw this, I would just be like, I don't even know where to touch this anymore. This is complete warning overload, and we're really worried about telling consumers too many things, and so they take in no information and we're back at

base zero; they haven't actually been effectively warned about anything. There's limited amounts of attention that people have. You need to think too about whether warnings are reasonable. You know, we all joke about the warning on the McDonald's coffee cup, "warning, this is really hot," like, okay, yes, I know. Do I actually still even read it? Should I have been warned about something else? If we think that consumers have limited amounts of attention and we tell them 30 different things but we bury the most important warning in number 30, is that really an effective warning? And one that particularly concerns me with software vulnerabilities is, what if we have people warned about unpatched vulnerabilities? You know, we got this report, we need to tell you about it, but we have no plans to patch. Is that just going to be a big, like, hey, go reverse engineer this particular thing over here?

So, obvious risks. I love this image; you might not be able to read it. It says "please make sure you have made the right decision." It's a little ducky I can plug in. That is, like, the perfect warning. There's no duty to warn about something you should have known, that is completely obvious. If you notice, your kitchen knives at home do not necessarily say "warning: sharp," because you guys should all know that knives are sharp. This also plays into that foreseeability thing I was talking about, you know, like, hey, what if I use a stepladder in a rowboat, and that's a dangerous thing to do. If you just have bad security practices, you know, and that's the actual root cause of your harm, that's going to protect a software creator.

So people freak out a lot when they hear about software product liability and open source. It turns out that we can analogize to some existing product liability doctrines. So for one, there's a big focus on commercial sellers in product liability. You can't really go to, like, an Etsy seller and be like, hey, your product is defective. You could try, but it's probably not going to go anywhere in the courts. But the thing that is a little more important when we think about open source is component product liability. Product liability understands that if you build a gear and it goes into a machine, and the machine goes into a product, and the consumer buys it, and there's some problem, like, in the engine in this product, the person who built the gear that goes in is not really the person on which the liability is going to be pinned. Like, yes, we have liability for the retailer, we have liability for, you know, the supply chain, liability for the person who built and assembled the engine, but the component itself would be deemed too, you know... we'll say, okay, this little individual product here, it just went into the larger defective product, it's not responsible for the harm, and therefore we can exclude them from liability.

So we can take all this and think about how does this relate to the way that we currently develop and patch software, especially as they're going to be putting these into IoT devices. So let's think about what happened after 1916, when we had our poor guy who bought the Buick and it, you know, dumped him on the highway. Consumer safety really increased, in large part because we got used to how to build things in factories; we developed standardized practices for mass production. So the Buick case is kind of what we can think of as a trigger case. It caused the law to adjust because society had changed, and we wanted to develop sort of this insurance function, because it was going to allow us to sort of put the risk of these products onto people who we thought were in a better position to handle them. And this sort of shift could happen again with IoT. So with IoT we're really now having software that can cause these physical harms, and physical harms are something that we're used to having liability for. We can say, you know, right now a lot of IoT products are released with some pretty questionable security practices; a lot of them don't have the ability to patch. And using software product liability as a way to affect, basically, as a lever to make those things safer, is something that might help us protect consumers.

So this is so much not a perfect solution. There's tons of problems. We talked about what happens if it's an unpatched vulnerability; should we warn people about it? You know, like, maybe this informed choice warning, like, hey, there's a bug over here, we want you to know about it before you decide to keep using it. A lot of times you say software liability and people go, oh my god, innovation. We're really concerned about that; innovation is something that has really driven our industry to be the success that it is, and we don't want people in their garages or small companies to be burdened by this sort of scheme. We also, if we're going to warn about vulnerabilities, seriously need to worry about the warning overload, the fatigue. Anybody in this industry knows the number of security vulnerability announcements that are made, and patches, and we joke about patch fatigue; this is actually a serious problem.

So let's think about where do we go from here. We do not necessarily have this sort of liability, but we do have a standard set of practices that a lot of us agree on. You should be testing. There are guidelines out there on how to improve your software development lifecycle. People talk about using bug bounty programs. Generally, you should probably already be taking reasonable care to put safe products out in the marketplace. I'm probably preaching to the choir on this one, but if we did ever get this sort of liability, you could go be like, hey, I am following standard industry practices, there should be a presumption that I have fairly safe products here. So thank you very much. I love talking about this sort of stuff, so come find me. And do I have time for questions? Cool. So does anybody have questions?

Audience member: Awesome. So, crystal ball, five years from now, what do you think the reasonable standard of care will be for IoT providers, for people who make, like, these Internet of Things devices?

Wendy Knox Everette: Um, I think definitely... and I am a web developer, so most of my development experience comes from that, from writing middleware services, but things like being able to patch, alerting people about, you know, what vulnerabilities you have and what fixes are available, getting your stuff audited, doing code reviews, and following what's out there in the industry, like the Open Web Application Security guidelines, is sort of, you know, well agreed upon things that you should be checking for, red teaming your products, and so forth. You know, I don't know specifically what they will be, but we're moving towards consensus for a lot of these things, and courts will look to that sort of thing and say, what does the industry think is fairly standard?

Audience member: Just curious what's your take on, you know, the whole Tesla crash, with, oh, you know, that kind of is a really interesting wrapper of software and, you know, consumer products.

Wendy Knox Everette: Cool. Yeah, I am not super familiar with the Tesla crash; I did literally just spend three months locked away with law books studying for the bar. But, you know, I mean, this is something where they need to be making sure that this is a safe product they put into the consumer's hands. If a consumer gets something and uses it in a completely unexpected way and some harm happens, like, I'm not that concerned. If the consumer is using it in what would be a fairly normal, reasonable way and there's a bug and it causes a problem, that's where we would start looking and say, well, can we go see, you know, this is a vulnerability, this is the sort of thing that liability would help protect the consumer from. But it's hard. What happens in the courts a lot is it's a lot of sort of risk-utility balancing; it's a lot of economics that goes into it, like, how much would it have cost them to make something that is really safe. I mean, like, cars are unsafe; cars are not square boxes with square wheels built out of a hundred tons of steel, because that would be safe but it would be unusable and expensive, and, like, our society has decided where we want to place the risk on that, and we need to move towards that in the IoT sort of world.

Audience member: Oh, sorry, um, any comments on Mudge and Sarah Zatko's Cyber UL as part of trying to beat the insurance companies into doing stuff?

Wendy Knox Everette: I think that's actually a really good sort of indication of the kind of thing that our industry should be doing to move towards what's accepted practices. You know, they're going to be putting out, like, labels and saying these are safer versus less safe. That fits perfectly in with this kind of thing, and I think it's awesome, and more companies should be doing this sort of auditing of stuff out there.

Audience member: Yeah, I was wondering, uh, would it wash if a company said, "warning: this product uses a default username, or default admin username and password combination, please do not expose to the public internet, FYI, we're doing something stupid"?

Wendy Knox Everette: Uh, it's sad to say that actually does work a lot of times. But on the other hand, we don't have lawn darts, you know. What happens is you'll have these outlier court cases that will say yes and a lot of lower court cases that say no, and the way the law works in the U.S. is it kind of builds towards this consensus, and that kind of happens, you know, as juries, who are the ones who decide this, look at this sort of warning. So I could buy something that says, warning, we're doing something incredibly stupid, I think you're aware of it, you took on the risk. Courts do actually recognize that sort of thing.

Audience member: Will lawn darts ever make a comeback?

Wendy Knox Everette: There you go. Hey, okay, it could. I mean, so New Jersey actually outlawed swimming pools as being unnecessarily, completely unreasonably dangerous in about the 1970s, and you can buy swimming pools and install them in New Jersey; the courts realized their failure. Do we have any more questions? Thank you, guys.