Executive *******
* ** ********** ***** in *********** ** *** found [**** ** ****** available] **** *** *** omitted ********** *** ************* despite ** ****** ** obligation ** ** **:
*** ***** ********* **** Plaintiff ************ ******* **** *** **** him * **** ** disclose ******* *** *** ********* ********* of ******** ***** ******* to *********.
*** ********* / **** still ******, **** ******* an ****** ****, ***** the ***** ********* **** the ******** (*** ****) should **** ********* *** vulnerability *** *** *** sufficiently ** **.
Industry *********
*** ********** ***** ********** calls *** **** *** industry **** ***** ***** risks:
*** ************ ***** ** Plaintiff ** *** *** suggest **** *** ******** to ***** *** ******* **** ** the ************* ** ******** devices **** ****** ********* contracted **** ***.
Consumers *** ******** ** ****
** *** **** ****, the ********** ***** ***** that ********* ***** *** be ******** ** **** of ***** *****:
**** ********* *** ************ pleaded ******** ********* *** noting **** "[*]**** *********** customers ***** **** **** tipped *** ** *** possibility ** [* ******], many ********* ***** *** have ********* **** * search, *** ***** **** be ******** **").
Rejects **** ** *******
*** ********* ** *********** no ***** ** ****** hackings *** *** ***** rejected ****, ******* **** a ******** ***** *** have ****** *** ******** ** they ****:
* ****** **** *** be ********* ** ** material. ** ** ********* plausible **** * ********** consumer ***** ****** ********** to *** **** **** their **** ******** ****** could ** ****** ** hacked *** ********, **** absent ****** ********* ** such *******.
General ********** ******** ************
*** ***** ******** *** applying ***** ******* ********* language, **** **:
"*** *** *** ******* ***** signals ** ************** ** power ** *********** *** any ******" *** "** alarm ****** *** ******* complete ********** ** ********* prevention ** **** ** injury."
******* ** *********, *** Court ***** ** *** not ***** *** ******** risk:
**** ******** ** *** a ********** ** *** allegedly ******* ****, ****** that ADT's wireless ******* *** ********** to *******, *******, *** other **********.
Misleading *********** / ********* ********* **** *******
*** ***** ************ ***** this ***** ** ******** the********** ****** *********** *** (UCL)*** *** ********** ********* ***** ******** Act (****), **** ******** ** protect ********* ******* ********** advertising *** ********* **** of *********.
Industry ******?
**********: **** **** *** offer ***** ****** *** recommends ********** ***'* *********.
**** * ******** ***********, it **** ***** ********. Many ***** ******* ***** security ***** *** **** an ***** ** ** actual ******* / **** / ****** ******. **** court ****, ** **** as *** ** ***'* ******* ******* *-****'* IP *******, *** ******** ** manufacturers ** ********* ****** legal ***** *** ********* penalties *** *********** ********** buyers ***** *** ******** risks *** ******** ***.
*** ************ *********** ********** factor ** ***'* ***** size ($* - $* billion ****** *******) ******** such ********. **** ********* that *** ******* *** not ******* ********** ***** / ******** ******* ** pursue **********. ********, ** is ******** **** ***'* monthly ******* ******* ***** increase **** *** ** financial ****** ** ******** manufacturers **** **** ******** for * ***-**** ******.
**** ***********, **** **** underscores **** * ******** claims (*.*., ******** ********) and ***** (*.*., ***** security *****) ***** ** used ** ****** ** sue * ******** **** if *** ***** *** not ******** **** ******, but ****** ****** **** they ***** *** **** bought * ******* ******** if *** ******** *** properly ********* / ****** marketed ***** ********. **** is *** **** ** risk **** ********* ****** carefully ********.
Comments (19)
Undisclosed Distributor #1
It's a very interesting read, but my interpretation is that any device that can ever, under any circumstances, be connected to the Internet must have a disclosure that it can be hacked. This includes every PC ever built, routers/firewall, any "smart" product or IoT device, etc. Back in the military they had a security rating for devices that a company providing computers was proud to claim, but they also noted that this security rating was immediately invalid if the computer was plugged into a network.
Edgar Mora
I see this as an unforgivable omission in ADT's sales strategy. When I used to sell monitoring services in my country (Costa Rica) we stated clearly in the contract - which had to be signed by the client - that our burglar alarm system and monitoring service was not an insurance policy. We offered the service as a way to lower the probability of an intrusion and made clear that the probability of such an undesirable event was never zero.
Jeremy Ellis
This is huge. The industry has relied on that contract language as an ultimate get out of jail free card for years.
Undisclosed Manufacturer #2
It will be interesting to see what the trickle-down will be as a result of this ruling.
With IoT becoming a focus in the PhySec space, the liability for manufacturers and integrators will only increase. There has always been tension in the retail market, with considerations for PCI compliance in the past; however, this could set a precedent that will affect many other systems connecting to the internet in virtually every vertical.
One of the big questions I have is, "who is really responsible?"
- The manufacturer (ADT being both in this case)
- The Integrator
- IT departments
- End-user... etc.
As we become an increasingly connected society, the questions and challenges in front of us increase.
I do not want to re-hash the recent issues of manufacturers' vulnerabilities; however, I would argue that all manufacturers and integrators need to get a solid handle on how to respond to these issues, not just from a technical perspective, but also from a liability standpoint.
Nick Giannakis
I asked this exact question to a discussion panel at SSN's TechSecSolutions conference earlier this year. The panel was an impressive collection of industry veterans and their response was a consensus that the responsibility is shared.
Luis Carmona
That's going to have an interesting effect on the bean counters who measure cost of liability versus cost of eliminating the problem. The common theme being "If we only expect $1M in lawsuits, but fixing the problem costs $1.5M, best to just leave the problem alone". I think this is a curve ball to the way things normally go in this area, and that the justice system may be trying to curve that kind of thinking.
Mick Brown
It's about time the industry takes these matters seriously.
Someone should take a class action suit against Hikvision and Dahua.
Their products are too easily hackable.
Mick Brown
Britain may go to war with foreign states attempting cyber attack on UK, Defence Secretary warns
Mick Brown
Every business has a duty of care; the security industry has been putting money first.
Hik and Dahua are at fault here too.
They know their products are flawed.
Robert Baxter
I looked at a copy of the Kirschenbaum contract, the relevant section of which is reproduced below:
In many cases when providing managed video services we are providing the internet service, or the wireless service, or connecting to the internet through the customer's equipment. I think these contracts need to address the different situations.
Mick Brown
I don't know how Hik and Dahua get away with it.
Theirs have inherent problems and no one cares.