Chinese smart TV boxes infected with malware in PEACHPIT ad fraud campaign

Bot defense software vendor Human Security last week detailed an attack that "sold off-brand mobile and Connected TV (CTV) devices on popular online retailers and resale sites … preloaded with a known malware called Triada." Human named the campaign to infect and distribute the Android devices BADBOX. The infected devices were …

  1. Martin Summers

    Even the government are warning people against dodgy streaming boxes with billboard advertising campaigns saying "you're letting criminals in". Was quite surprised to see them. No-one is going to listen of course, so long as the box streams what they want. Most people are gleefully ignorant of what happens in the world around them and they will always be that way.

    1. Gene Cash Silver badge

      Actually, I think most people will remember the BPI's "HOME TAPING IS KILLING MUSIC" and ignore the billboards as more of the same.

      1. Martin-73 Silver badge

        That was precisely my response to seeing one this morning.

    2. Anonymous Coward

      In the good old days, of course the retailer was liable for dodgy products (in the UK at least), and the consumer or trading standards could hold them to account. But with online retailers and marketplaces that no longer works. The bigger and very well known ones try and keep their own retail sales clean - with only varying degrees of success - but when it comes to "marketplace" sales, then they insist they are not the retailer, merely an intermediary, perhaps a fulfilment house, but no, not a retailer. So they take the money but wash their hands of all accountability. And if the consumer wants to take it up, they'll need to take it up with whatever cowboy outfit in the back of beyond. If you're dealing with a marketplace that has little or no UK presence, then there's little the authorities can do.

      That's true for anything bought online, whether we're talking cheapo incendiary e-bikes, malware loaded IoT devices, unsafe phone chargers, counterfeit goods, or stuff that's simply non-compliant for example through inadequate product labelling. There's a consultation on changing the rule to give regulators more power to address things like this, and you can have your say before 24 October and pass it on to others - do read the consultation before responding, some is dull but that's the nature of policy consultations:

      https://www.gov.uk/government/consultations/smarter-regulation-uk-product-safety-review

      1. garwhale

        I would be surprised to see the "not a retailer" defence stand up in court. On-line is legally no different from the old days, where you ordered stuff from a mail order catalogue by snail mail or telephone. If they say they are just a facilitator, you should transfer the payment direct to the seller.

    3. sanmigueelbeer Silver badge

      'tis all fun-n-games until somebody pokes an eye

      Would it make any difference?

      How many oil refineries, power plants, manufacturing/industrial plants, etc get hacked every year?

      The most fundamental question is still left unanswered: If these critical network infrastructure (CNI) are deemed "critical", then why is the CNI network connected to the internet?

      'tis all fun-n-games until somebody pokes an eye.

  2. garwhale

    So what are Amazon, AliBaba, AliExpress etc. doing about it? Are they recalling the devices, and if not why not?
