A couple of years ago, I was heavily involved in analysing and reporting on the massive VTech hack, the one where millions of records were exposed including kids' names, genders, ages, photos and the relationship to parents' records which included their home address. Part of this data was collected via an IoT device called the InnoTab which is a wifi connected tablet designed for young kids; think Fisher Price designing an iPad... then totally screwing up the security.
Anyway, I read a piece today about VTech asking the court to drop an ongoing lawsuit that came about after the hack. In that story, the writer recalled how VTech has updated their terms and conditions after the attack in an attempt to absolve them of any future responsibility in subsequent attacks. So I gave VTech a suggestion:
Hey @vtechtoys, how about put this warning on the box so it can be seen before purchasing? Yeah, didn’t think so... https://t.co/erdFdUp4jS pic.twitter.com/qRUUCmz1SY
— Troy Hunt (@troyhunt) October 12, 2017
Now that may have been (a bit) tongue in cheek, but it got me thinking - what would this actually look like? I mean if they're saying the product might not be safe, how would that look if they literally put it on the box? As it turns out, we know exactly how to put warnings on dangerous products down here in Australia because we've been doing it for years with cigarettes:
So how would warning labels on IoT devices that have had serious security vulnerabilities look? Well VTech is the obvious place to start:
Would you still buy it? Exactly.
But let's not stop there because in fairness to VTech, it's not like they're the only ones to have had serious issues in their IoT toys. For example, there was CloudPets earlier this year and frankly, I think we can be a lot less "legal-speak" and a lot more honest about the real world risks of IoT devices like these:
Speaking of pets, you know what real pets love? Food. You know what they hate? When they don't get fed because the IoT feeder is down:
Let's move onto something bigger - cars. Last year, there was a little hiccup with the Nissan LEAF when it turned out they were using the VIN number of the car to pull back data and control features of it via the mobile app:
The problem in many of these cases is that we're taking everyday consumer goods and adding internet for no apparent good reason. You know, like when you add a web server to a dishwasher which then exposes you to exactly the sorts of risks we've come to expect from web servers:
Now you may be thinking "why would you connect many of these things", and you'd be entirely correct in lamenting that. But that's not what the makers of the LIXIL Satis thought when they connected a toilet which, of course, then had a security advisory issued due to a hard-coded default PIN:
And while we're in that general region, how about taking your most intimate moments and digitising them with a connected vibrator that then records your bedroom habits. Yeah, that shit should definitely come with a warning:
Welcome to the future, where pointless IoT stuff meets warnings labels on everything!