Where is the product liability
...issued an advisory due to the lack of support from the manufacturer.
Shouldn't this be called criminal negligence? The C-suite should be personally liable for this crap.
A handful of bugs in Nexx's smart home devices can be exploited by crooks to, among other things, open doors, power off appliances, and disable alarms. More than 40,000 of these gadgets in residential and commercial properties are said to be vulnerable after the manufacturer failed to act. After the Internet-of-Things biz …
Under current EU and UK consumer law, this may well be a "manufacturing defect" and allow owners to return them to the retailer for repair, replacement or refund if less than two years old, or a partial refund if 2-5 years old, assuming repair or replacement isn't an option. Unless the manufacturer provides a firmware update to remove the defects. If any of the marketing, advertising or user manuals refer to anything like "secure login" or mention "secure" almost anywhere, that's a good place to start with reference to "of merchantable quality" or "as described". IANAL; if taking on the retailer or manufacturer, do your own research and/or get proper legal advice :-)
They've looked at the cost of fixing all this, the loss of sales from the bad publicity and the existing, unfunded, running costs for their servers. They've decided that now is the right time to execute plan B: take all the remaining cash and run for it.
(We need an IoT/Ponzi scam icon).
The problem is that financial consequences mostly aren't consequential. If the fines are small, the company shrugs them off. If they're large, it declares bankruptcy, parachutes out the officers, and the remnants are bought up by a competitor. Many of the employees suffer, including perhaps some of the responsible developers, but not the people calling the shots.
In cases of extreme negligence like this we need the courts to pierce the corporate veil and hold officers to account. I'm not worried about any "chilling effect" on business or innovation; corporatist culture has no shortage of adherents who will be happy to take their place.
"it declares bankruptcy, parachutes out the officers"
If it's a listed company the shareholders might sue the management.
The longer term advantage, however, is that even the most recalcitrant board might start to take notice, realise that it can be a threat and start looking at their own products and processes.
This sounds like they opted for an easy-to-use set of remote switches for stuff, but without bothering to make it secure. Like a remote control version of having a button on the garage wall so you can open it when you want to get the car out, but without a lock to keep strangers out.
I’ve worked in several places where the deadlines are dictated by management and not by how long my fellow devs and I say things will take. In these cases we’re forced to do bodge jobs and take shortcuts. They often don’t care if it’s a complete bodge job under the hood as long as it looks ok on the surface.
I’m always sure to use a CYA Note though (an email explaining I’m being forced to do something improperly and explaining the consequences).
You can get it repaired under the Consumer Rights Act 2015. However, since I suspect that a fix will never be forthcoming, ask for your money back from the retailer.
I wish that many people would do this because it will make the retailers only sell goods from reputable manufacturers who have a good history of: a) selling stuff that works; b) providing fixes for things like this. Currently many retailers sell whatever is cheap and try to fob off consumers when things are found to be faulty.
it will make the retailers only sell goods from reputable manufacturers who have a good history of ...
So they will only sell products from major OEMs, and the next Nest or iRobot type startup will never get a foot in the door, because retailers would be justifiably afraid to offer products from a small OEM with no track record who might declare bankruptcy rather than fix something that would cost too much, leaving retailers holding the bag for refunds.
Sorry but I don't see holding the retailer liable as a viable fix.
It doesn’t matter whether you like it or not; the law already exists :)
Perhaps retailers might start buying insurance to protect themselves, and/or insisting manufacturers do likewise.
Product liability isn’t a new concept. But tech sometimes just likes to hide behind a “software isn’t guaranteed to be bug-free” line somewhere & we’ve all-so-readily bought into the idea.
"Product liability isn’t a new concept."
It does sometimes appear to some of us who don't live there, that it is an alien concept to large swathes of corporate USA.
As far as the article goes, any truly smart home will not have any 'smart' devices in it ;)
"Sorry but I don't see holding the retailer liable as a viable fix."
That's how the law stands. The customer's contract is with the retailer, no matter what any included "warranty cards" in the box might say. The manufacturer may have no presence in the local country, so how is the customer supposed to get any sort of warranty service if not from the retailer?
It's just corporate risk shifting, like everything.
Retailer fights it, but ultimately they should have done their due diligence that this is covered by the manufacturer's or, more likely in this case, importer's insurance in the UK. The importer's insurance then carries that on overseas to the manufacturers etc. Either they have or need to learn that lesson in retail.
Start-ups should have the same insurance, so they can shift the risk off the retailers, and the insurers should be doing more due diligence too, so that they shouldn't have to pay out, because this stuff should be secure in the first place, by demanding reports from third party pentesters; if those reports are misleading then their professional liability kicks in... It looks inefficient on first glance, but when the efficient option involves marking your own homework or having to sue people outside of legal reach, it starts to suddenly look much better for the ol' consumers.
The failure of anyone to give a crap about this structure is what leads to this mess: retailers pushing crap, not caring what the state of it is and having no real means themselves to check it, and the manufacturer knowing they can stonewall and file bankruptcy after draining the funds out year on year so the companies are always carrying no spare cash.
Ultimately the retailer needs some comeuppance so they start putting some thought in and get the whole chain involved.
That doesn't block people from entering the market.
The other option is criminal prosecution which I don't hate the idea of but even if it exists it would be hard to prove this negligence, or lack thereof in cases where best efforts really were made. Either guilty parties generally walk free, or people that really tried are prosecuted for cases they shouldn't be.
Personally, I think there is room for both, but it starts with retailer responsibility as the baseline course of action.
it would be hard to prove this negligence
In general yes, but hard coded credentials - that's a slam dunk as our US friends would say.
In fact, of those listed, I'm not sure any of the weaknesses would be something that could be defended as having made best efforts - they really are from the "basics of device security 101, chapter 1".
Also known as: hacker paradise.
And the company isn't responding to any questions, official or otherwise? Well duh, the CEO is busy packing the suitcase with the contents of the cash register and bank account.
He has an urgent meeting in Madagascar, you see.
Not very well. And until there is a specific, inherently secure and fully security focused IoT protocol developed, tested and adopted as the industry standard so that every device is completely vendor agnostic and works flawlessly with all other devices using the same protocol, it will never work either securely or reliably.
They spend more time on designing the UI for their 'App' to manage their crap devices than they do in seeing how secure they are. And they never will be without the correct protocol to use.
Looking at their website, they brag about how they're a US company with 'smart engineers' who are 'experts in IoT' (lawl).
But that cuts both ways - If they were a Chinese company making IoT stuff this complete lack of security would just be working as expected, but instead people are actually upset about it.
Is it a coincidence that this Sam works for Amazon? A dinosaur company with huge stakes in IoT and smart home, trying to crush small companies that cannot afford millions for security? Perhaps Amazon wants their product by an easy takeover after their declaration of bankruptcy? Perhaps The Register can elaborate on this?
I have a supermarket sourced light in my front room. Has a remote control to turn it on and off.
I decided to add it to my "Home Assistant" home automation setup. Zero security. Now I don't only turn my lights on and off, but also one of my neighbours'. And someone's doorbell....
I remember years ago when my MIL bought a wireless doorbell and asked me to fit it. It had only 3 channel options. Tried Ch. 1 and the neighbour next door, who had recommended it to her, came out wondering who was at her door. Tried Ch. 2 and another neighbour, two doors down the other way, came to the door. Last chance, tried Ch. 3 and a neighbour across the road came to his door, wondering who had rung his bell. Took it back to the shop and had a bit of an argument convincing the shop assistant that no, it was useless since it could not be set to a channel that didn't ring other people's doorbells. "We've sold loads of them and no one ever brought one back before," she tells me. LOL, well expect more if you sell lots of them.
It's just as well I was installing at the weekend when the neighbours were at home. If I'd done it mid-week, it might have been days, weeks, even months of confusion and hilarity in that street before anyone twigged :-) Absolutely no security of any kind in this case. And the bell push could operate any bell, with a 1 in 3 chance of already being on the correct channel. Great for kids playing knocky door neighbours with far less chance of being caught!
Another detailed article about "security" which fails to address some real issues:
(1) Does the smartphone "app" require a customer to create login details on a "cloud" server?
(2) If "yes", then the server environment is a serious security risk.
(3) If "no", then presumably all customers look the same on the internet.
Either way, the IoT environment described here is a security nightmare.
Six years ago I bought a Linksys EA7500 WiFi router. This device required me to create an account on a Linksys server somewhere. You know, name, address, etc....plus my IP address available to Linksys during the creation process. I eventually found a way of configuring the router COMPLETELY OFF THE INTERNET......but this required a series of pretty unnatural acts! My take on this story is simple.....Linksys made it impossible for ordinary users to configure the router WITHOUT DISCLOSING PERSONAL INFORMATION. I wonder why!! In the end I reset the router to "factory settings" and gave it to the local charity shop.
This news item......six years later......a different manufacturer.......has exactly the same character. Why does El Reg focus on the detail......and never mention the big picture?
Whether the server is or isn’t in “the cloud” is irrelevant. There is piss poor security everywhere.
You configured a WiFi router off THE INTERNET, and then connected it TO THE INTERNET, thus enabling all the back doors and default login / passwords that you didn’t know about.
I use LoRaWAN to receive my IoT data and throw the data via HTTPS to my model-bound web services. It's all a bit restrictive (3 huge device codes to register for each device) but it works fine.
I cringe though when I see all those ads on the telly for home security set-ups that are using Zigbee or similar in small flat environments and wonder how many passwords are 12345678.