This student article is written by Sheikha Al-Yaqoubi, Law Student at Sultan Qaboos University College of Law, under the supervision of Dr Saleh Al-Barashdi. This article is part of a series of student articles published on Decree in collaboration with Sultan Qaboos University College of Law to showcase the legal academic writing of Omani law students.
The Internet-of-Things (IoT) is a term used to refer to “physical objects embedded with sensors and software that connect them to other devices and systems over the internet.”[1] Using the Internet of Things (IoT) reduces the burden of managing the household manually.[2] Among the most common household IoT devices are cleaning devices, which can be defined as “machines that dispense cleaning agents automatically and adjust the quantities according to different factors (e.g., dirtiness, weight) and allow remote switching on or off.”[3] Unfortunately, as cleaning devices become more common and develop faster, the development of protection techniques is not always able to keep pace, which can result in an increased risk of cyber threats, including cyberattacks.[4]
This article will explore cyberattacks carried out through smart cleaning devices, the methods that hackers can use to breach an online system, some tips to improve the safety of cleaning devices, and finally the regulation of cyberattacks in Omani law.
The Causes of Cyberattacks Through Cleaning Devices
The use of smart cleaning devices, and of smart devices in general, has become more widespread, and the chances of cyberattacks are increasing over time because of the behaviour of the users themselves.[5] Users usually just connect the devices to the network without being aware of the technology, which can allow easy unauthorized access to the network.[6] The most common reasons that may cause a cyberattack are:
Lack of User Technical Knowledge
As mentioned previously, the lack of users’ knowledge affects the cybersecurity of cleaning devices, but sometimes cyberattacks happen because the users themselves do not care about the consequences of their behaviour.[7] For example, many users set a weak password (such as 1234 or 1111) and do not install software updates, all of which makes it easy for hackers to access the system of the cleaning device.[8] Allowing the secondary use of data is another habit that stems from users’ lack of technical knowledge. When users purchase and set up a new cleaning device, they usually agree to allow their data to be used in a manner that is not related to the purpose of using the cleaning device.[9] For example, some cleaning devices allow users to interact with them vocally, and this voice sample could then be used by the manufacturer to improve the voice recognition software of the device.[10]
Lack of Manufacturer Technical Knowledge
Many cleaning device manufacturers are new to the cybersecurity sector and have no prior experience with cybersecurity issues; accordingly, they add connectivity features and software to the devices without paying attention to cybersecurity.[11] On the other hand, some manufacturers have the needed knowledge, but they do not have the incentives to improve the cybersecurity of these devices, because the market prioritizes low cost over security.[12]
Methods of Hacking Used for Cyberattacks
Good knowledge of hacking methods could increase the awareness of smart homeowners, as more than 40% of smart homeowners have faced a cyberattack.[13] Cleaning devices are connected to the Internet-of-Things (IoT), and the latter is divided into four layers of application, with each layer enabling a different method of hacking.[14] The most popular methods are:
Denial of Service (DoS)
Here the hacker uses the resources of the device to affect the service availability and make it unresponsive.[15] Cleaning devices are most likely to be affected by this method due to their low processing capabilities.[16]
Access Attack/Advanced Persistent Threat (APT)
This attack enables an unauthorized person to obtain access to the network by improper means.[17] Moreover, this method is usually used for stealing information, since the hacker can stay in the network for a long time.[18]
Flooding (FLD)
In this method, the hacker sends a huge number of requests to the network of the cleaning device until the device becomes overwhelmed, which affects its performance.[19]
Injection
The hacker uses this method to modify the data of the cleaning devices by injecting malicious content, causing the devices to leak personal information or destroying the whole system.[20]
Prevention of Cyberattacks
Nowadays, a huge number of researchers consider smart devices security as the most important thing in a smart home, as they are used by individuals on a daily basis.[21] As a result, there is an increase in research to tackle the security challenges that the users of cleaning devices may face.[22]
Applying user configurations is one of the primary ways to enhance the awareness of the users of cleaning devices and to protect the whole network.[23] This method means that the user should first create a unique name for each cleaning device that he owns, because alerts are sent using this unique name, which tells the user which device was hacked.[24] Also, the user should check whether another device is connected to the cleaning device, as the cleaning device can be controlled by that device (e.g., a smart camera connected to the cleaning device).[25] Moreover, users should create a strong and unique password, and they should answer the challenge questions without storing them in plain text form, because a malicious actor can easily access such a form.[26]
Keeping the cleaning devices up to date by upgrading to the most recent version of the operating system can also provide more security features in comparison to a previous version.[27] Furthermore, the owner of cleaning devices can update these devices either by enabling automatic updates, or by contracting with a trusted vendor if the previous method is not possible.[28]
Implementing wireless network segmentation on the network of the cleaning devices can also keep the wireless communication safe and secure, because it will keep the guest Wi-Fi, primary Wi-Fi, and the cleaning devices Wi-Fi separate from each other, and consequently keep the cleaning devices away from the less secure devices that may be connected to the guest or the primary Wi-Fi network.[29]
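The three recommendations above (user configuration, updates, and network segmentation) can be checked together against a household device inventory. The following Python audit is an added example and is not part of the original article; the device names, addresses, subnets and the 12-character password threshold are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumed layout: one subnet per Wi-Fi network (constructed values).
SEGMENTS = {
    "primary": ipaddress.ip_network("192.168.1.0/24"),
    "guest": ipaddress.ip_network("192.168.2.0/24"),
    "cleaning": ipaddress.ip_network("192.168.3.0/24"),
}
# Constructed inventory (in practice, read passwords from a password manager).
DEVICES = [
    {"name": "vacuum-livingroom", "ip": "192.168.3.10",
     "password": "1234", "auto_update": False},
    {"name": "vacuum-livingroom", "ip": "192.168.1.23",
     "password": "T7#qvLp2!xWe9", "auto_update": True},
    {"name": "washer-basement", "ip": "192.168.3.11",
     "password": "T7#qvLp2!xWe9", "auto_update": True},
]

def weak_password(pw, min_len=12):
    """Weak if short or drawn from fewer than three character classes."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) < min_len or sum(classes) < 3

def segment_of(ip):
    """Name of the Wi-Fi segment whose subnet contains this address."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), "unknown")

def audit(devices):
    """Return (ip, finding) pairs for every recommendation a device misses."""
    names = Counter(d["name"] for d in devices)
    passwords = Counter(d["password"] for d in devices)
    findings = []
    for d in devices:
        checks = {
            "duplicate-name": names[d["name"]] > 1,
            "weak-password": weak_password(d["password"]),
            "shared-password": passwords[d["password"]] > 1,
            "updates-off": not d["auto_update"],
            "wrong-segment": segment_of(d["ip"]) != "cleaning",
        }
        findings += [(d["ip"], k) for k, hit in checks.items() if hit]
    return findings

if __name__ == "__main__":
    for ip, finding in audit(DEVICES):
        print(f"{ip}: {finding}")
```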
The Regulation of Cyberattacks in the Omani Law
Since cyber threats are increasing and changing over time, a lot of countries have issued legislation to control such threats, and Oman is one of the countries that issued a cybercrimes law.[30] The Omani Cybercrime Law was promulgated by Royal Decree 12/2011, and this law applies to cybercrimes even if they are committed wholly or partially outside Oman, provided that such a crime threatens the interest of Oman, and when the outcomes of the crime take place in Oman, or are intended to take place in Oman.[31]
Article 3 of the Omani Cybercrime Law is probably the most relevant to cyberattacks resulting from hacking cleaning devices as it stipulates in its first paragraph that “Whoever wilfully and without a legitimate basis accesses an electronic site, information system, information technology means, or part of it, exceeds the access he is authorised, or continues such access after being aware of this, shall be punished with imprisonment for a period no less than a month and not exceeding six months, and a fine no less than one hundred Rial Omani and not exceeding five hundred Rial Omani, or one of those two punishments. […]”[32]
The punishment is also increased if the access results in the deletion, alteration, or modification of the data as indicated in the second paragraph of this same article stipulating that “If the acts mentioned in the first paragraph result in the deletion, alteration, modification, defacement, corruption, duplication, destruction, publication, or republication of the electronic data or information stored in the information system or the information technology means; the destruction of that system, information technology means, or the information network; or causing damage to users or beneficiaries, the punishment shall be imprisonment for a period no less than six months and not exceeding a year, and a fine no less than five hundred Rial Omani and not exceeding a thousand Rial Omani, or one of those two punishments.”
The third paragraph of article 3 also provides greater punishments if the incident involves personal data as it stipulates that “If the data or information stipulated in the second paragraph is personal, the punishment shall be imprisonment for a period no less than a year and not exceeding three years, and a fine no less than one thousand Rial Omani and not exceeding three thousand Rial Omani, or one of those two punishments.”[33]
Conclusion
This article highlights the causes that may lead to cyberattacks using cleaning devices, such as the lack of user technical knowledge and the lack of manufacturer technical knowledge. As mentioned previously, hackers can access the system using a variety of methods such as denial of service (DoS), access attack/advanced persistent threat (APT), flooding (FLD), and injection. Also, this article provided a number of tips that may be used by the user to reduce the risk of cyberattacks, such as utilising user configurations including using strong passwords, updating the system of the cleaning device, and implementing wireless network segmentation. Furthermore, the article highlighted the relevant articles in the Oman Cybercrime Law addressing the hacking of such devices, namely article 3 of the Cybercrime Law.
[1] Buil-Gil D., Kemp S., Kuenzel S., Coventry L., Zakhary S., Tilley D., & Nicholson J., “The digital harms of smart home devices: a systematic literature review”, Computers in Human Behavior 145, (2023), p 1.
[2] Saunders T., “Cybersecurity challenges of the IoT-enabled home automation technology: A security by design perspective”, (2021), p 24.
[3] Nemec Zlatolas L., Feher N., & Hölbl M., “Security perception of IoT devices in smart homes”, Journal of Cybersecurity and Privacy, (2022), p 66.
[4] Ibid
[5] Hall F., Maglaras L., Aivaliotis T., Xagoraris L., Kantzavelou I., “Smart homes: security challenges and privacy concerns”, (2020), p 3.
[6] Ibid., at 3-4.
[7] Heuvel K., “Securing the Smart Home: A study on cybersecurity problems in smart home devices: does European product liability law offer meaningful legal solutions for consumers?”, Bibliotheek – Universiteit van Amsterdam, (2018), p 45.
[8] Ibid
[9] Hall, Maglaras, Aivaliotis, Xagoraris, Kantzavelou, above, at 4.
[10] Ibid
[11] Heuvel, above, at 45
[12] Ibid
[13] Ratkovic, N., “Improving Home Security Using Blockchain”, International Journal of Computations, Information and Manufacturing (IJCIM), (2022), 2(1), p 28.
[14] Hassija V., Chamola V., Saxena V., Jain D., Goyal P., Goyal B. A., “A Survey on IoT Security: Application Areas, Security Threats, and Solution Architectures”, vol. 7, (2019), p 82725.
[15] Xhafa F., “Internet of things: engineering cyber physical human systems”, Internet of Things, (2018), p 3.
[16] Ibid
[17] Hassija, Chamola, Saxena, Jain, Goyal, Goyal, above, at 82727.
[18] Ibid
[19] Xhafa, above, at 3.
[20] Ibid, at 4
[21] Mazwa K., Mazri T., “Review on the security of smart homes in the internet of things”, (2019), p 706.
[22] Pillai MM., Helberg A., “Improving Security in Smart Home Networks through user-defined device interaction rules,” 2021 IEEE AFRICON, Arusha, Tanzania, United Republic, (2021), p 2.
[23] Ibid, at 3.
[24] Ibid
[25] Ibid
[26] National Security Agency., “Best practices for securing your home network”, Cybersecurity advisories & guidance, (2023), p 4.
[27] Ibid, at 2.
[28] Ibid
[29] Ibid, at 3.
[30] Shad H., “An overview of the sultanate’s cyber crimes law”, Oman Observer, (2017).
[31] Ibid
[32] Oman Cybercrime Law (The Cyber Crime Law 2011, Royal Decree 12/2011), Article (3).
[33] Ibid