By Jeremy Siegel
The “Internet of Things” – the catch-all term that describes all the internet-based devices we use and their “smart” capabilities – is a part of our daily lives. We rely on smart wearable devices, medical devices, home devices like Amazon’s “Alexa”, and even vehicles to make our lives easier. These devices, complete with sensors and software designed to make our lives inherently better, are also often plagued with sub-par security, leaving the users of these devices open to hacks and data breaches.
Researchers at MIT are trying to stop that, and they have recently created a new wireless transmitter that frequency hops in microseconds, able to stop even the fastest hackers. The simplest way to break down this dense language is to first look into what “frequency hopping” even is.
Frequency hopping is how these devices are currently protected – frequency hopping sends data packets that contain thousands of individual bits on random and unique radio frequency channels, which are difficult for hackers to find since they can’t pin down a single packet. However, hackers can still use an attack called “selective jamming”, where they can sneakily intercept a data packet from one single device while leaving other devices in the area untouched. These attacks are very difficult to identify.
Current frequency hopping allows for a data packet to be sent in around 612 microseconds. Sounds pretty fast, right? It is, but hackers can locate the channel it’s being sent on within the first microsecond, allowing them to compromise the data. MIT’s researchers have created a system that is not only fast but also highly random, so that an attacker can never guess what channel the information will be sent on and cannot detect it because of how fast it is going. Essentially, this randomization process relies on picking channels randomly in such a way that there is no fixed frequency offset, meaning the hacker will never know what bit is going to be on what channel.
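A toy model of the point made above, added here as an illustration and not taken from the MIT work: it counts how much of one 612-microsecond packet a reactive jammer reaches when the transmitter hops once per packet, hops every microsecond with a fixed offset, or hops every microsecond at random. The 80-channel count, the one-microsecond dwell and all function names are assumptions.

```python
import secrets

PACKET_US = 612   # packet airtime quoted in the article (microseconds)
DETECT_US = 1     # time the article gives for locating the channel
CHANNELS = 80     # assumption: channel count is not stated in the article


def random_hops(n_slots, channels=CHANNELS):
    """One independently random channel per dwell slot (CSPRNG, no pattern)."""
    return [secrets.randbelow(channels) for _ in range(n_slots)]


def fixed_offset_hops(n_slots, start, offset, channels=CHANNELS):
    """Predictable hopper: every hop adds the same offset."""
    return [(start + i * offset) % channels for i in range(n_slots)]


def jammed_us(seq, dwell_us, guess_offset=0, channels=CHANNELS):
    """Microseconds of one packet on which a reactive jammer lands.

    Toy model: at time t the jammer knows the channel used DETECT_US earlier
    and adds guess_offset for each hop made since then.
    """
    hit = 0
    for t in range(DETECT_US, PACKET_US):
        seen_slot = (t - DETECT_US) // dwell_us
        now_slot = t // dwell_us
        guess = (seq[seen_slot] + guess_offset * (now_slot - seen_slot)) % channels
        hit += guess == seq[now_slot]
    return hit


if __name__ == "__main__":
    # One channel for the whole packet: jammer is on target after 1 microsecond.
    per_packet = jammed_us(random_hops(1), dwell_us=PACKET_US)
    # Hop every microsecond, but with a fixed offset the jammer has learned.
    patterned = jammed_us(fixed_offset_hops(PACKET_US, 3, 7), 1, guess_offset=7)
    # Hop every microsecond at random: only chance collisions remain.
    per_bit = jammed_us(random_hops(PACKET_US), dwell_us=1)
    print(per_packet, patterned, per_bit)
```

Speed alone is not enough in this model: the fixed-offset hopper is reached as fully as the per-packet one, and only the random per-microsecond hopper leaves the jammer with chance collisions.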
What does this mean for the consumer? This kind of technology can be incorporated into our own individual devices, but also has potential on a larger scale. Medical devices for example, that may be implanted in someone’s body and give them a controlled dosage of medicine, are vulnerable to cyber attacks. So are devices that are used to control air traffic controllers, or which control how streetlights operate in our major cities. This technology has the potential to be bought and sold to consumers, but does it totally eliminate the possibility of data hacks/breaches?
The short answer is no – it is widely acknowledged that hacks will never truly go away. This does bring up issues of liability, and of who should be held responsible for any attacks that occur despite the use of this new technology.
A pharmaceutical company, let’s say, Pfizer, may decide to implement this technology into a pacemaker device to give the device better security. If the patient who uses the device for heart rate regulation is hacked, causing serious injury, and the patient decides to pursue a cause of action, should Pfizer be liable? Or should the company that developed the technology that was the cause of the breach be held responsible? Does it matter where the information is stored, or who is actually holding it?
What would likely happen is that Pfizer would be storing the pacemaker data through a cloud service provider, such as Amazon Web Services. Data Security Clauses are very common in modern contracts, which may also have provisions that set out requirements for how data will be stored, how consumers will be notified if their information is breached, and the general security requirements. Amazon would have such a contract with Pfizer, eliminating Pfizer’s liability. If the injured consumer tries to sue Pfizer, potentially under a breach of contract claim or negligence, it would be difficult for them to win. Courts have been unwilling to let a company’s security practices be the sole basis to find a breach of contract. A negligence cause of action may be a little easier, but attempting to prove actual causation would come up against Pfizer bringing in the software company to show that it was their faulty technology leading to the breach, not Pfizer itself.
Ultimately, the number of variables at play in this hypothetical is endless. Current federal legislation is not very comprehensive, and state laws vary in terms of how data security should be handled. Hopefully, the United States adopts legislation similar to the General Data Protection Regulation (“GDPR”) recently enacted in the European Union, which gives strict guidelines for how victims of security breaches should be compensated. Until then, consumers should make sure they are using best practices to keep themselves safe – using different passwords for their devices/accounts, and being wary of what information they are sending online.
Student Bio: Jeremy Siegel is a 2L at Suffolk University Law School and is a staff member on the Journal of High Technology Law. He holds a Bachelor of Science in Business Management from Roger Williams University.
Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.