Another problem is that most devices are not easily updated, so when vulnerabilities are discovered, they remain. “Some of them are embedded in your wall,” Hibbard said. “They’re not designed to let you get access.”
Yet another problem affecting legal liability is what Hibbard called “a mashup of devices – a half-dozen different devices put together in ways they were never designed to be in the first place.”
Those components could be in things ranging from bridges to traffic signals to cars. “From a legal perspective, it opens up interesting areas,” he said. “If something bad happens, which component made the poor decision that caused the harm?”
Brudz said the legal system also has yet to sort out who is responsible for damages in the case of a breach. In the case of ASUS routers, “is the fault with the guy who made the router, or the guy who stole the information (from customers)?” he asked. “If somebody breaks into your house, can you sue the guy who made the lock?”
What makes it even more complicated is that many attackers are in different countries, far from the reach of American law enforcement or the courts.
Sannappa said some of the biggest names in the private sector, like Apple, Google and Samsung, may help to set overall IoT security standards. “There is a possibility where we could have larger ecosystems, industry leaders, setting up a way for smaller players to have guidance.
“Then regulators can say, this is what you were supposed to be doing and weren’t,” he said.
But there was general agreement that the process will take time. “We may be looking three to four years out before standards start arriving,” Hibbard said. “And I think it is going to be the legal community that is going to weigh in on it.
“It’s going to be a wake-up call to manufacturers and developers to do something about their house of cards,” he said.