Scared to Near Death
What happens when your technology begins to terrorize you and the system meant to enhance life scares you to death? Well, a northern California family had to run for cover when their Nest security system was hijacked. Hackers made the family believe a missile was in mid-flight and that they would likely be victims when it hit.
The hacker sounded an alarm saying the U.S. was under a missile attack from North Korea. This pushed the family into full terror. The message blasted through their home and proclaimed that ballistic missiles were headed to three American cities and that President Trump had been moved to a secure facility.
The Lyons family wasn’t the only victim of this kind of spoofing. A family in Texas was threatened by hackers using the same technique. The second family was told they would be kidnapped.
It was a frightening false alarm, and Nest officials are quick to point out that it was not a breach of their system. Nest explains that the responsibility is on the homeowner. There is a consistency we can clearly see in this incident and others involving technology vendors. Vendors and device-makers are taking no responsibility for anything that occurs related to their products. As we look across Facebook with its privacy issue and medical devices susceptible to hacking, no one is stepping up to minimize these issues.
Sometimes the lack of security in a device enables the company to make more money. On other occasions, selling and then absolving themselves is a way to minimize liability. In all cases, walking away does not solve any issues. And it seems that as long as the government stays out of the conversation, there is little incentive for technology companies to take responsibility.
The Federal Trade Commission (FTC) is the heavyweight in the room. Smart-television maker Vizio was fined by the FTC fairly recently. They were spying on over 10 million of their customers. Vizio captured information on every second of the viewers’ viewing habits, bundled the information and sold it to multiple third parties. Let’s just say the third-party buyer was not an advertiser but a criminal element. Those customers might have been targeted for exploitation or, worse, attacked in their homes. Vizio represents so many technology companies across the world. It always amazes me how brazen they are, because basic risk management says some employee is going to disclose these activities. When Vizio combined the captured info with gender, age and income, someone in the company was going to have an issue with the practice. They did, and it was reported.
However, Vizio didn’t care about the fine because their profits far exceeded the pain of their loss. By performing practices which equate to data theft, the company still profited handsomely. Sales were way more than $3 billion. The fine was $2.2 million. The fine probably accounted for an executive’s bonus and amounted to a small rounding error for the company.
Fines Are Fine
These small fines are no deterrent for large companies making billions of dollars per year. Google was recently fined $22.5 million by the FTC for data privacy infractions. The worst part of this government interaction is that Google was a repeat offender. The company is so unaffected by these small fines that in any cost-benefit analysis the conclusion is: do what you will, and if you get caught, pay the fine.
Another example of the weak regulatory environment can be seen with the Do Not Call Registry. The program is designed to protect people from nuisance calls from telemarketers. If you’re on the list, no company is supposed to call or harass you on your mobile devices. If they reach out to you, they are committing a crime.
Although the FTC claims it takes action against offenders, the results of the program tell a different story. There are more “robo” calls harassing people daily than any other issue one might have in their lives. One success story for the FTC is the case against Alliance Security, a home security system installation company. The company persisted in reaching out to potential customers until the FTC intervened. Again, the fine was a small deterrent, and millions of people continue to receive unwanted telemarketing calls daily.
Nest says that their company was not to blame, but again, it is their product, so maybe additional user training is required. What happens when credit card companies pass the blame on to the user? The Nest customer appears to have had their credentials compromised. There does not appear to have been a breach of Nest’s network.
In Nest’s defense, they have had two-factor authentication for their systems since 2017. Two-factor authentication would have protected this family against the issue they suffered as victims of a prankster. The password, obtained by the hacker from another source and used to access the Nest camera system, would not have been enough to get into the system. So, in this case, Nest may not be the liable party or to blame. However, Nest can and should use this example to push other customers to implement two-factor authentication. This expense would be minimal against the $3 billion in sales and probably good for business.