Computer misuse in the IoT

Clearly, IoT devices can be misused, and the rate at which it is happening is growing: Inadequate security sees surge in IoT data breaches, study shows (White 2019).

Frustratingly, the vulnerabilities of IoT devices are almost always exactly those of any other computer system, but because they are developed differently (often with product development of the physical device being the top priority rather than the software) and used differently (how many people apply good practice IT security to boiling a kettle?) there seems to be a lag between the level of security in IoT devices and more traditional IT.

In the UK, there are government guidelines for IoT development (Gov.uk 2019a) but following them is optional.

As far as IoT and legislation are concerned, we can divide the issues into two rough categories:

• Laws relating to manufacturers of IoT devices
• Laws relating to misuse of IoT devices

At the moment, UK law, like in most of the world, has not adapted to deal with IoT specifically. There has been some consultation around this (Gov.uk 2019b), but nothing yet has been turned into even draft legislation. It seems clear that this path is heading toward legislation aimed at manufacturers of IoT devices rather than hackers looking to exploit them.

This leaves the second category, currently being served by the Computer Misuse Act (CMA). In many ways, this legislation works very well. It sets out a number of offences that cover what people generally see as bad behaviour: hacking, denial of service, etc.

The potential problems come when the law is applied in areas that are not so clear cut. For example, could the CMA be used to prosecute someone who modifies a device they own? If it gives them access to the firmware, or online services used by the device, it may qualify and is a possible route for manufacturers to protect their interests against people who tinker. It isn’t clear yet how this might be resolved if it came to court. Although this might seem a small issue, there is a very real worry that laws like the CMA could be used to prevent people from discovering security vulnerabilities. This article on car hacking (Naked Security 2015) raises some very valid concerns around similar laws in the US.

Further reading

• How a hack on Prince Philip’s Prestel account led to UK computer law
• What is the Computer Misuse Act?
• UK government advice for prosecution under the CMA
• Computer Misuse Act

References

_{Gov.uk (2019a) ‘The Government’s Code of Practice for Consumer Internet of Things (IoT) Security for Manufacturers, with Guidance for Consumers on Smart Devices at Home’. Secure by Design [online] available from https://www.gov.uk/government/collections/secure-by-design [1 October 2019]}

_{Gov.uk (2019b) ‘Consultation on Regulatory Proposals on Consumer IoT Security’. Closed Consultation [online] available from https://www.gov.uk/government/consultations/consultation-on-regulatory-proposals-on-consumer-iot-security [1 October 2019]}

_{Legislation.gov.uk (1990) Computer Misuse Act 1990 [online] available from https://www.legislation.gov.uk/ukpga/1990/18 [31 July 2019]}

_{Naked Security (2015) How a Law Making Car Hacking Illegal Could Make Us All Less Safe [online] available from https://nakedsecurity.sophos.com/2015/10/23/how-a-law-making-car-hacking-illegal-could-make-us-all-less-safe/ [1 October 2019]}

_{White, S. (2019) ‘Inadequate Security Sees Surge in IoT Data Breaches, Study Shows’. PrivSec Report [online] available from https://gdpr.report/news/2019/05/09/inadequate-security-sees-surge-in-iot-data-breaches-study-shows/ [1 October 2019]}