[thorwaway48583]

The responsibility remains squarely with the people who developed these devices and the people who give it FCC approval.

Devices shouldn’t malfunction and handle interference gracefully. It is an FCC certification requirement and that requirement includes any interference.

[CJefferson]

I don’t think that is either legally, or morally, true.

Sure, it would be better if devices weren’t broken by attack attempts, but if you are purposefully trying to attack something, you are to blame for your attack succeeding?

[crest]

There is a difference between tinkering with WiFi/Bluetooth and accidentally offing your neighbour with the faulty pacemaker and knowingly exploiting a 0day the Insulin pump of a politician to deliver the whole reservoir at once while short selling the manufacturer stock.

[omeid2]

> you are to blame for your attack succeeding?

Morally? A bit grey, but often when you dig into the details for the cases of businesses unlike individuals, it is a resounding "Yes".

Legally? Depends on the jurisdiction I suppose.

https://www.theguardian.com/australia-news/2022/oct/22/austr...

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...

This is for data breaches, but similar laws exists for all sort of conduct related to negligence in securing and adequately protecting privacy, safety, health, and so on.

[wpm]

>if you are purposefully trying to attack something, you are to blame for your attack succeeding?

Yes?

It is by definition an attack, a hostile action, something that should not be done.

Is it wise to harden systems to withstand attacks? Of course.

But when an attack works you don't victim blame. You use knowledge of how it worked to harden your systems better.

[k_roy]

Except this isn't anything special.

Literally anyone can do this with an MCU of some type and a 50 cent device. Bluetooth, RF, NFC, etc. This just makes is a nice little convenient package.

There is victim blaming and there is practicality.

A pacemaker that can't withstand random radio bursts is useless, as the first time you walk down the street you are dead.

So unless you are going to ban any sort of microcontroller, and very well documented and simple circuit designs, this is still not victim blaming.

[CJefferson]

Almost every residential building ever built can be broken into by throwing a brick through a window. We could use reinforced glass, but most people don’t. We still convict people for throwing bricks through people’s windows.

Generally speaking pacemakers aren’t failing from random radio signals, but if they fail if you specifically attack them, it’s your fault.

[k_roy]

And much like a brick, for every nefarious use, there are 10 valid uses.

Just like anything else, it's just a tool, and because a tool can do bad things doesn't mean the tool should be illegal.

[jsheard]

A device may be required to not malfunction due to interference, but it can't be required to function in the presence of interference because that's a technical impossibility if the interference is strong enough to overpower the intended signal. That's why there are laws which say that if you use something like the Flipper as an RF jammer (which is possible with custom firmware) then angry feds might show up at your house.

[wezdog1]

For medical devices, lack of function would be malfunction

[crest]

For any sane medical device radio interference should at most degrade non-essential functions e.g. uploading of medical data, inspecting the battery status from your phone. If such functions are important and unavailable for extended periods the device should give audible/visual alarms.

[wpm]

These devices do have FCC approval. It is why I can't send a garage door opener signal from my Flipper on the 315MHz band, because in the US, that isn't spectrum allocated to my fucking-about. I get a little message when I click send that says so.

All devices can be modified after the fact. Whether a manufacturer makes it easy, in the case of Flipper Zero, or hard, in the case of many other devices, to modify and install custom firmware that breaks FCC approvals, that lets it broadcast in frequencies it was not approved for, and allow the user to attack certain systems, is not really the manufacturers problem, anymore than Apple selling me a laptop I write malicious code on is Apple's fault, or the manufacturer of an IR blaster being responsible for me using it to mess with the TVs at the sports bar, or the Raspberry Pi Foundation for creating a device with a WiFi chipset that can be used to run deauth attacks, or the generic FM transmitter I could hardware hack to interfere with all sorts of stuff, or the RTL-SDR...or the ad infinitum

[Mountain_Skies]

Yes, in the early days of cell phones, it was easy to purchase a scanner from Radio Shack, cut a few resistors and then be able to listen in on phone calls. Radio Shack, the FCC, cell phone companies, and pretty much everyone else involved knew about this but it was allowed to continue because the scanners as sold were unable to eavesdrop, which was good enough for them to be legal.