IoT: the connected things as weapons

13th December 2016 by Marie-Claire Péroux LL.M and Mauro Verderosa

The first two laws of robotics: 1) A robot may not injure a human being or, through inaction, allow a human being to come to harm. 2) A robot must obey the orders given it by human beings except where such orders would conflict with the First Law: could the IoT violate one of the Asimov's laws?

The facts [1]: at dawn on the 6th of December 2016, a car thief found the keys of a BMW still connected to the dashboard of the car and he decided to steal the car.

Hours after, just before 5 AM, the owner, detected that the car was stolen and she decided to contact the police, who asked to BMW to track the vehicle and to remotely lock it.

At 5.45 AM, the BMW employee was able to remotely lock the car's doors, trapping the suspect inside while from the speaker of the car was hissed a sound like "I’m not locked in here with you, you‘re locked in here with me”. The car was recovered and the thief got arrested.

This case of the use of a feature, offered by a connected BMW, poses several problems. Nowhere in the description of the event do I see that the use of the privation of movement, triggered by a private company, was ordered by a judge.

A measure of deprivation of the freedom of movement was directly asked by the police to a private company managing a private connected device on a suspected theft without infraction of the car. At the time it was ordered, the police had no other indication than the story of a person complaining her car was stolen. It was not triggered by a police investigation.

The allegation of the owner of the car proved in that case right, but what if the person in the car was not the actual thief but a random person trying for instance to find out inside who is the owner of this car maybe parked in front his garage and blocking it?

All of a sudden, a perfectly honest person might be prevented from her freedom of movement and harassed by a “connected thing” threatening her with a digital voice.

What if that same innocent person had a heart attack from the extreme stress of the situation and was trapped in that car?

These are not completely impossible examples especially with the multiplication of connected objects directly controlling our physical body like self-driving cars or implanted medical devices, the responsibility of the police or of the private company controlling the device would be clearly engaged.

What if the overriding of the car key command had not been ordered by the police but by a threatening cyber-hacker asking a ransom?

What if the carrier of a connected pacemaker was all of a sudden threatened by his own device under a cyber-attack?

With the multiplication of IoT devices that we use to measure some of the parameters that could give an estimation of our health, from a phone to a watch, from a bracelet to a pendant, in which we put literally our physical life at stake and not just a gimmick on our wrist to see how much calories we have burned in a day, the level of security must be considerably raised.

It has been proven that cars could be controlled by hackers [2], it has been proven that a connected peacemaker can be hacked, any other device controlling, sustaining our body functions is an open door to malicious hackers. What if through the multiplication of IoT installed in the heart of our own home we put the life of our family at stake? Is it really science fiction to imagine us one day realising that we have put our very physical well beings and our life in the hands of just “things”?

Article by Marie-Claire Péroux LL.M and Mauro Verderosa

[1] http://spdblotter.seattle.gov/2016/11/30/car-thief-foiled-by-police-nap-power-door-locks/

[2] https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/