No Hack, Still Liable, Court Finds ADT

It's a very interesting read, but my interpretation is that any device that can ever, under any circumstances, be connected to the Internet must have a disclosure that it can be hacked.  This includes every PC ever built, routers/firewall, any "smart" product or IoT device, etc.  Back in the military they had a security rating for devices that a company providing computers was proud to claim, but they also noted that this security rating was immediately invalid if the computer was plugged into a network.

I see this as an unforgiveable omision in ADT sales strategy.  When I used to sell monitoring services in my country (Costa Rica) we stated clearly in contract - that had to be signed by cliente- that our burglar alarm system and monitoring service was not an insurance policy.  We offered service as a way to lower probability of an intrusion and left clear probability of such undesirable event was never zero.

This is huge. The industry has relied on that contract language as an ultimate get out of jail free card for years. 

I asked this exact question to a discussion panel at SSN's TechSecSolutions conference earlier this year. The panel was an impressive collection of industry veterans and their response was a consensus that the responsibility is shared. 

ADT countered by emphasizing no proof of actual hackings but the court rejected that, arguing that a consumer might not have bought the offering if they knew:

That's going to have an interesting effect on the bean counters who measure cost of liability versus cost of eliminating the problem. The common theme being "If we only expect $1M in lawsuits, but fixing the problem costs $1.5M, best to just leave the problem alone". I think this is a curve ball to the way things normally go in this area, and that the justice system may be trying to curve that kind of thinking.

Britain may go to war with foreign states attempting cyber attack on UK, Defence Secretary warns

I looked at a copy of the Kirchenbaum contract, which the relevant section is reproduced below:

9. WIRELESS AND INTERNET ACCESS CAPABILITIES: Subscriber is responsible for supplying high speed Internet access and or wireless services at Subscriber's premises. RADIUS does not provide Internet service, maintain Internet connection, wireless access or communication pathways, computer, smart phone, electric current connection or supply, or in all cases the remote video server.  In consideration of Subscriber making its monthly payments for remote access to the system RADIUS will authorize Subscriber access. RADIUS is not responsible for Subscriber's access to the Internet or any interruption of service or down time of remote access caused by loss of Internet service, radio or cellular or any other mode of communication used by Subscriber to access the system. Subscriber acknowledges that Subscriber's security system can be compromised if the codes or devices used for access are lost or accessed by others and RADIUS shall have no liability for such third party unauthorized access.  RADIUS is not responsible for the security or privacy of any wireless network system or router.   Wireless systems can be accessed by others, and it is the Subscriber's responsibility to secure access to the system with pass codes and lock out codes. RADIUS is not responsible for access to wireless networks or devices that may not be supported by communication carriers and upgrades to subscriber system will be at subscriber's expense.

In many cases providing managed video services we are providing the internet service, or the wireless service or connecting to the internet thru the customers equipment. I think these contracts need to address the different situations. 

i dont know how hik and dahua get away with it

theirs has inherent problems and no one cares