US Government Offers $25,000 Prize For Inventing A Way To Secure IoT Devices

An anonymous reader writes: America's Federal Trade Commission has announced a $25,000 prize for whoever creates the best tool for securing consumers' IoT devices. The so-called "IoT Home Inspector Challenge" asks participants to create something that will work on current, already-on-the-market IoT devices, with extra points also awarded for scalability ad easy of use.

"Contestants have the option of adding features, such as those that would address hard-coded, factory default, or easy-to-guess passwords," according to the official site, but "The tool would, at a minimum, help protect consumers from security vulnerabilities caused by out-of-date software." The winning submission can't be just a policy (or legal) solution, and will be judged by a panel which includes two computer science professors and a vulnerability researcher from Carnegie Mellon University's CERT Coordination Center.
Computerworld points out that "This isn't the first time the FTC has offered cash for software tools. In 2015, it awarded $10,500 to developers of an app that could block robocalls."

Solution

[Anonymous Coward]

Throw the IoT in the trash and get regular devices that do not connect to the internet.

Re: Solution

[Anonymous Coward]

Your check is in the mail - Uncle Sam

Re: Solution

[FatdogHaiku]

I liked this part near the bottom of the rules (12 f.) [ftc.gov]
"The Sponsor reserves the right to amend the terms and conditions of the official rules at any time, including the rights or obligations of the Contestants and the Sponsor.

So kids, Hurry and send in your multi-million dollar product in good working order and we'll give you a pittance and introduce you to the civil legal system!

Re: Solution

[nbauman]

I liked this part near the bottom of the rules (12 f.)
"The Sponsor reserves the right to amend the terms and conditions of the official rules at any time, including the rights or obligations of the Contestants and the Sponsor.

So kids, Hurry and send in your multi-million dollar product in good working order and we'll give you a pittance and introduce you to the civil legal system!

Your legal analysis is correct.

I once heard a freelance writer give a talk on writing contracts, and she described the worst contract (for the writer) she had ever seen. It was the Redbook "Writing contest."

Redbook readers were invited to submit short story manuscripts, the winners would get a pittance (and the honor of being the winner), and Redbook would own all the rights.

I realized that Redbook was basically asking people to submit stories on spec, in the hope that they would be chosen out of thousands of entries. If they were chosen, Redbook would own the work, and give them a small fee to print it.

That's what contests are. They ask you to work for nothing, compete with thousands of people, and if they like yours better than all the others, they'll own the work and give you a modest payment.

Spending 6 months or a year (or even a month) for $25,000 -- if they feel like it -- isn't a great deal.

If the FTC wants to secure IOT devices, let them hire a staff to work on it. Or let them award competitive grants.

Re:

[mikael]

Even if they do not connect to the public Internet, any home user who has their own private internet for their appliances (smart TV, fridge, toaster, router, garage door and smartphone with bluetooth connectivity) still has the problem of someone trying to guess passwords through repeated attempted connections to each device via wireless connections. How many articles have there been on somebody creating a gadget that simply cycles through every single possible passcode combination?

Even with a personal wifi

Re:

[mwvdlee]

Don't use passwords at all?

Perhaps store a strong encryption key on a memory card (i.e. a small microSD, but it could probably be a lot cheaper) that is set by inserting the cart in the router, then inserting it in the IoT-device. Yes, it'll be more expensive but it would eliminate human stupidity.

I'm sure much better, easier and cheaper system can be invented by security experts.

The problem won't be the technical solution, it will be getting hardware manufacturers to implement it.
There's no way to force co

Re:

[CaptainDork]

I'm sure much better, easier and cheaper system can be invented by security experts.

Apparently not.

... will be judged by a panel which includes two computer science professors and a vulnerability researcher from Carnegie Mellon University's CERT Coordination Center.

Re:

[rtb61]

The real problem is the whole current hardware software set, entirely too flexible and can never really be secured.

So to secure internet of devices, requires a new fresh start. An operating system and applications, running on device, that all are only capable of doing what they are designed to do. Every bit of flexibility taken out, if it is not neccesary for functionality it is not in the system, not in the OS, not in the application and not in the hardware.

Want a device to no do a thing, than make that

Re:

[Hognoxious]

Then the design is a bucket of shit. Home is inside the firewall, not in fucking Chennakajaiparayat.

Re:

[mark-t]

It is not infeasible to blacklist a MAC address from your wireless router after repeated password failure attempts over a short time. This could make automated brute-force password guessing from a device such as what you've described impractical.

Re:

[mark-t]

Why would the guesser know that they had been blocked? It could easily be set up so as far as they can tell, the password is just wrong... they may have no outwardly visible indication that the router has blacklisted their MAC address. For what it's worth, it could even be set up so that an incorrect password blocks *ALL* new wireless connection attempts for a period of, say, 1 second, regardless of the device. This would make it impossible to try more than a single guess every second, even if it were to

Re:

[currently_awake]

Make a dedicated IOT network chip, with VPN support built in. The IOT device would be forced to connect directly to its server, with no option to communicate with anyone or anything else. So long as the chip was done properly (common chip=massive economy of scale), it wouldn't matter how buggy the IOT device software is.

Re:

[xeoron]

Place IoT on a separate subnet or vlan with extra firewall filtering that includes only letting it speak to a whitelist of locations defined on the router.

Re:

[Darinbob]

No, we've had IoT devices before there was even the acronym. There are very secure IoT devices. They're not using passwords like it was just another exploitable wi-fi device but instead of PKI, and they're not purchased by consumers looking for a cool gadget to brag about. The best way to make IoT devices secure is to stop marketing them to hipsters. Nobody needs an internet connected thermostat so badly that they'd be willing to bypass all security and common sense.

Yes, some SCADA systems have security

Re:

[Hognoxious]

You're talking about industrial/warehouse kind of stuff?

Re:

[thegarbz]

Smarthomes didn't start with IoT either, and industrial/warehouse kind of stuff have adopted the IoT name for large sensor networks just like the home / retail market has. The only difference is in the level of security on devices not made by the cheapest bidder.

Re:

[account_deleted]

Comment removed based on user account deletion

Here's my way.

[Anonymous Coward]

Remove internet connectivity. There you go, pay me.

Re:

[aaarrrgggh]

Not enough-- look at the ransom attacks on Hue bulbs as an example.

This is no technical problem

[NotInHere]

This is no technical problem. You can't add security around insecure devices by default. Even if you did some firewall, the device still has to communicate with the internet one way or another, or it has to communicate via bluetooth, and these two paths can still be used for attacks.

The only proper solution is a policy.

Re:

[CaptainDork]

The solution is to ban all non-secure devices. They said no policy, so that means they aren't going to accept a solution that kicks the problem in the balls.

Re:

[JaredOfEuropa]

These devices do not have to communicate with "the internet", at worst they need to be able to connect a remote access gateway or cloud service (mothership). Those channels aren't all that easy to hack, and with a proper firewall, you can get your LAN reasonably secure without crippling well designed IoT devices. The devices might still be somewhat vulnerable to someone with physical access or access to your WiFi,but that leaves only a small percentage of attackers, and until the actual firewall is compro

Re:

[Bite The Pillow]

They want a software solution, so here it is. Software firewall that blocks outgoing data based on a public whitelist, and incoming connections on a whitelist based on local devices. If a severity threat is detected, disable internet.

Security threat detection function can do all kinds of heuristics, then return true.

Re:

[coofercat]

+1

If your networked product gets hacked and participates in a botnet, data leak, data ransom, etc, then you must provide mitigating solutions at your own expense to the owner for a period of 2* years after the date of purchase, or expect lawsuits from those customers or their representatives for non-compliance. In return for doing all this, we'll grant you a special marque you can put on your product and supporting materials to indicate your good internet citizenship to your customers. We'll be operating an

Easy Solution - Hold Manufacturers Responsible

[sinij]

Easy Solution - Hold Manufacturers Responsible. Pass legislation that any IoT device must be maintained with security patches for 2 years past sale and any substantial deviation from industry best practices (e.g. hard coded credentials, open telnet) would lead to hefty penalty.

Treat these guys as you'd treat factories that dumped toxic waste into rivers.

Re:

[jbmartin6]

Perhaps better would be to hold them liable for damages due to negligence, and nullify the absurd "as is" EULA. They can pay Brian Kreb's DDOS defense fees for the next ten years.

Doesn't work

[rsilvergun]

all that does is put a stop to the market and any new products. You end up in one of two scenarios:

a. Everybody stays out because the risk's too high.

b. Only a few big players who can afford insurance and/or to buy off exceptions for themselves can play. What little is available in the market is expensive and crummy.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[JaredOfEuropa]

Those are the downsides. Despite people who claim "I think my refrigerator doesn't have to be connected to the Internet, therefore the entire concept of the Internet of Things must be utterly worthless", there are plenty of useful ways devices can be improved by adding connectivity. Yes,security is a big concern,but that doesn't mean that the only winning move is not to play.

Re:

[sinij]

The only winning move it to play WITH security. We don't accept cars that suddenly explode, we don't accept phones that burst on fire, we shouldn't accept IoT that is hacked and used to bring parts of Internet down.

Re:

[sinij]

If every vendor that gets 0.01c per device spying on you decides to stays out of IoT - I will consider this consumer's win. For all worthwhile IoT, maintaining for 2 years won't be outside the expected norm.

Re: Doesn't work

[WarJolt]

I don't see a problem with that.

No one builds software from scratch. We leverage libraries, even with IoT. Most of them are open source. We just need to actually make security a priority in open source. This will reduce the cost for the little guy.

Security is is typically proven by showing that information can't be leaked out of a system. Let's look at the Linux kernel first. It has no proof of security. In fact we've had bugs in the last year that completely undermine the security of the system. IoT device

Security is a _lot_ harder than you think

[rsilvergun]

if it wasn't you'd be $25k richer right now, right?

Re:

[Minupla]

Easier solution: Unplug them, remove any batteries. Security. When do I get my cheque?

Re:

[wvmarle]

Two years? That's far too short. Even for regular PCs it'd be a too short time span - 20, 30 years ago the normal lifespan of a PC was considered to be about three years, now it's more like five. Many LTS releases of Linux get security fixes for at least five years. Debian releases maybe even longer, but that's more to do with the slow release cycle itself.

Anyway, here you're talking about devices that last easily a decade, such as fridges. My own fridge is older than that, should be about 12 years now. Our

Re:

[AmiMoJo]

Won't help with people buying cheap stuff from China on eBay.

Re:

[CaptainDork]

This.

And take note that we are acknowledging that the US government don't know bullshit from wild honey about security and is forced to crowdsource competence.

Re:

[currently_awake]

Having a government department responsible for computer security would help, they could do vulnerability scans on new hardware as part of the FCC certification, and force patches for weak devices. Extending FCC authority to cover internet devices might work, if you explicitly required a minimum level of security by law.

Re:

[CaptainDork]

I agree.

It's not a technical issue in the sense that IT has been recommending best practices for years, but local management's risk analysis proves that the expense is not necessary.

We are approaching a tipping point where deep pockets are going to start paying for minor manufacturing/implementation procedures.

I've argued for years that litigation is the answer, just as it created fire codes after enough lawsuits changed some risk analysts' minds.

Re:

[freeze128]

2 years?! Hell, I don't even change my old "Dumb" light bulbs that often. Make it 10 years!

Re:

[Darinbob]

The problem is often with the customer. Major industries aren't asking for security. Absolutely the home user doesn't even consider asking this question, they don't even know what security is or how to evaluate it. The same customer that doesn't hesitate to type in personal information to a smart tv is the wrong person to be judging whether or not a refrigerator needs to be on the internet. Why blame the manufacturer and their security when the customer does not even configure the device or its security

Re:

[superwiz]

Uhm... there is nothing to prevent them from being sold and shipped from China or Canada directly. Are you planning to extend US tort laws to China?

$25K for a Multimillion Dollar Solution?

[Anonymous Coward]

Ummm... okay. Good luck with that.

Re: $25K for a Multimillion Dollar Solution?

[thundercattt]

I was thinking the same. If I had that idea, that worked. 250 million minimum.

Re:

[0100010001010011]

See also the DARPA project.

Giving away award money is cheaper than paying for actual development.

Politically incorrect solution: free/open software

[davecb]

If the vendors are constrained to use a current Linux or BSD variant, then the customer can update whenever fixes are available. That probably makes lightbulbs too expensive, but for toasters on up, it's possible (;-))

Re:

[Sarten-X]

That's why all android devices automatically get updates, right? Even the decade-old ones that can't run new versions?

The OS doesn't matter. What's missing is the infrastructure to support patch development, testing, and delivery. Once the initial vendor goes out of business (or discontinues that product), there's no mechanism to continue development, no way to test the patch, and no way to get the new software into the devices.

An open-source mandate fixes the ability to develop new patches, but it becomes

Re:

[davecb]

The OS doesn't matter. What's missing is the infrastructure to support patch development, testing, and delivery. Once the initial vendor goes out of business (or discontinues that product), there's no mechanism to continue development, no way to test the patch, and no way to get the new software into the devices.

Some OSs, specifically including the WRT families, include the infrastructure. Others do not and never will, as their vendors are aiming at exceedingly low-cost "use and discard" devices... or, concersely, excessively expensive "planned obsolesence" devices like cars and cell-phones

Re:

[davecb]

Yes: we agree lightbulbs won't make it.

The Backasswards solution

[geekmux]

I have a better idea. How about the US Government fine companies 75% of their net profits every time they design and sell a product that's insecure to begin with.

That goes for everything, not just IoT. The future of autonomous vehicles scares the shit out of me because of the half-assed approach towards securing them.

Re: The Backasswards solution

[thundercattt]

I agree. My work cellphone, still running Android 4.4.1. Samsung has NEVER put an update out since I got it

Re:The Backasswards solution

[Sarten-X]

The problem is defining "secure" and "insecure". In the US, the standard is "perfect tender", where the company just has to produce a product that is perfect to the best of their ability, and acceptable to the customer. The product may have been insecure from the start, but nobody knew it, because the vulnerabilities weren't known yet.

Three years ago, we had no idea that the rowhammer effect could corrupt data. Two years ago, we didn't think it had security implications. Now we know better, but my desktop was built four years ago.

There are some vulnerabilities that can be resolved, like default passwords... but those are comparatively rare. For production and installation ease, the devices are usually shipped with a default password and the user is provided instructions to change the password. The problem is that the users don't read the instruction manual for their new lightbulbs. In this case, the product is designed and sold to be secure, but the user's inaction caused the insecurity.

Ultimately, the liability for an attack lies (legally) with the attacker. It's been that way for several thousand years, and is fundamental to the legal framework in this country. Trying to change that will have many unintended consequences.

Re:The Backasswards solution

[Sarten-X]

Joseph Bramah's lock was considered secure for 67 years, until Alfred Charles Hobbs picked it after a 51-hour effort in 1851. Now, modern tools and techniques can pick such a lock in a matter of minutes.

So let's suppose you had purchased one of Bramah's locks in 1850, with a 65-year history of perfection. If you were robbed in 1853, who bears the liability? Is it Bramah (actually his sons who inherited the business) for making an insecure lock that was sold as being secure? Is it you, for not replacing the lock as soon as a picking technique had been proven? Or is it the thief who actually exploited the vulnerability and broke the law?

Re:

[Darinbob]

How about requiring all customers to take a class in how to turn on security in their existing product and to configure it correctly? Or maybe a class in how to parse through bullshit in marketing and decide that maybe they don't need their toaster on the internet.

Re:

[AmiMoJo]

Because eBay and Banggood and AliExpress and all the other ways people import products from China. It's hard to fine companies in China when you are a US regulator. Even blocking their imports will fail as they will just re-brand faster than the US legal system can react.

Besides, there would be endless legal arguments over what counts as "insecure". If you did everything right but someone finds a previously unknown bug in OpenSSL that is part of your 8 year old product, how much responsibility can you have

Re:

[thegarbz]

design and sell a product that's insecure to begin with.

Define insecure? The PS3's DRM was about the best and strongest there was backed by a large profit motive and deep budgets, and yet that was eventually broken too.

With wording like yours whey not just slap a 75% income tax on every company that does business within the USA.

Re:

[geekmux]

design and sell a product that's insecure to begin with.

Define insecure? The PS3's DRM was about the best and strongest there was backed by a large profit motive and deep budgets, and yet that was eventually broken too.

With wording like yours whey not just slap a 75% income tax on every company that does business within the USA.

To clarify, my particular solution was meant to demonstrate an actual threat against companies that seem to practically enjoy creating and selling products that are utter shit from a Security perspective. If you prefer the current slap-on-the-wrist punishments that allow companies to continue to create and sell utter shit, then by all means, support the currently ineffective model of making "secure" products. If fines are too harsh, I'm all for jail time for CEOs too. Whatever ultimately works to achieve

Re:

[thegarbz]

Oh I agree, something needs to be done, but the problem with proposing any laws is that they either need to be well written, specific, enforceable, and realistic. Threatening companies for not doing a good enough job is the job of civil suits and the courts. Laws can not be written in that kind of way without introducing either loopholes that indemnify companies, or introduce enough uncertainty to make people challenge the laws.

This is a classic jump to conclusion without thinking if it's even possible. Thr

Re:

[geekmux]

Oh I agree, something needs to be done, but the problem with proposing any laws is that they either need to be well written, specific, enforceable, and realistic. Threatening companies for not doing a good enough job is the job of civil suits and the courts. Laws can not be written in that kind of way without introducing either loopholes that indemnify companies, or introduce enough uncertainty to make people challenge the laws.

This is a classic jump to conclusion without thinking if it's even possible. Throw a CEO in jail? For what? In most cases courts haven't even been able to prove direct negative effect on a victim to get them compensation. What do you propose? A law that can throw a CEO in jail at any time for any reason you see fit?

All I'm saying is ensure that the punishment is befitting of the crime.

The crime we see repeated over and over again is a company utterly ignoring sound security practice and development in favor of push-the-shit-product-out-the-door revenue demand. When identities are stolen due to poor security products designed to protect individuals, there is a cost involved. Just ask the purveyors of products like LifeLock. I'm certain they've formulated costs to justify their own products. What ends up in a court

Re:

[thegarbz]

All I'm saying is ensure that the punishment is befitting of the crime.

I'm asking how. We all want the same thing, but I'm waiting to hear a sane proposal that could work.

Re:

[geekmux]

All I'm saying is ensure that the punishment is befitting of the crime.

I'm asking how. We all want the same thing, but I'm waiting to hear a sane proposal that could work.

To find a solution that would work would imply the very companies who don't want to play fair would not wield the very lobbying power that enables them to not play fair. So perhaps the first step is to remove that bullshit loophole.

A fair solution to combat selling or making an insecure product is create a Federal standard, and enforce it by making all manufacturers who want to sell the the US market comply with it. Failure to do so means anything from being fined a considerable percentage of net profit t

Re:

[thegarbz]

No you're jumping the biggest problem. Ignore the lobbying, ignore the company's influence, and ignore enforcement, we didn't get that far.

First show me you're able to define a law, then we can talk about the rest.

Re:

[geekmux]

No you're jumping the biggest problem. Ignore the lobbying, ignore the company's influence, and ignore enforcement, we didn't get that far.

First show me you're able to define a law, then we can talk about the rest.

Speaking of jumping the biggest problem, what exactly is the point of defining yet another law when those with influence and lobbying power will simply ignore it, or lobby to be worthy of some bullshit Too-Big-To-Fail loophole?

We have plenty of anti-monopoly laws on the books, and yet monopolies are consuming the capitalist universe. Go figure as to how that shit happened.

As I stated before, our problem is not one of creating laws. Root cause analysis dictates we must remove the corruption that prohibits

Re:

[geekmux]

All such attempts would do is give money to some lawyers to write a better EULA. What? "My device is not insecure if used as intended, and I can't help it if consumers use it improperly".

First of all, these devices are insecure by default so the pathetic defense of "used as intended" isn't one, which would force manufacturers to do exactly what should be done; make them secure by default.

And if manufacturers don't want to do this, then they can enjoy increased legal fees with decreased sales numbers, as hackers would continue to target their weak-ass products and exploit them. At some point, one would hope Common F. Sense would join the Board and convince the manufacturer to do the right

Re:

[geekmux]

I have a better idea. How about the US Government fine companies 75% of their net profits every time they design and sell a product that's insecure to begin with.

Goodbye US technology industry. Hello imports. Hello trade deficit. Hello exploding the national debt. Hello poverty. Brilliant.

It's more like Goodbye Ignorance and Hello Security.

The US Government has had enough hacks themselves that they should wake the fuck up and quickly, rather than take your fuck-it-we-quit solution.

If I could secure IoT devices

[rsilvergun]

I could make a heck of alot more than $25k...

Re: If I could secure IoT devices

[thundercattt]

I thought the same thing when I saw 25k. Govt? I'd be selling them licenses at 25k a pop.

Multi faceted approach

[JASegler]

There isn't going to be a magic wand for this. But a multifaceted approach would help.

1) Standards body to oversee the software and protocols.

2) Standard IOT base software stacks and protocols. Ideally run as an open source style project with companies encouraged to give back to the software stacks. Maybe protection from being sued for security problems found if they are using the certified software stacks. i.e. we were using the certified software stack in a certified way is a valid legal defense. If your modifications are the problem you lose that protection. Makes getting your modifications into the base stacks very appealing to the lawyers, etc.

3) Certification program that takes completed devices and runs them through tests. Penetration tests of the completed devices. Manual and automated review of the software. Should be easy to fast track the software reviews if your building on top of one of the approved IOT base software stacks.

4) Require a way to easily update the software of the devices. The reality is forced updates are going to have to be required because most won't manually update the devices.

5) Require that a fully functional software stack be put in escrow for each device and revision of software. The company must provide support for the device or the the software base is released. Lack of support for the device is decided by standards board not the company. Fully functional means that someone can take the stack, compile it and successfully install it on the device. No hidden BS boot encryption keys that are missing, etc. If there are encryption keys like that then they have to be put in escrow with the rest of the software stack.

6) Media campaign to get people to buy only certified IOT devices.

Probably plenty more things that are good ideas/best practices. But this would be a start.

Re:

[aaarrrgggh]

Does a JTAG count as easy upgrade mechanism?

There are a huge range of devices out there in terms of capabilities and anticipated lifespans. I would be pissed if my refrigerator ended up having the same lifespan as my light bulbs due to firmware issues, as an example. The devices today that are the biggest problem are CCTV DVRs: essentially general purpose computers with poor security concepts and implementation.

Much of what really needs to happen is focusing on documenting the interface requirements for low

Re:

[Darinbob]

There are too many standards for IOT, mostly because it's a big new buzzwords that means immediately there are many competing marketing based standards groups trying to get everyone to side with them, which means competing security standards, and because it's being rushed we have ridiculous demands in the standards so that the members of the consortium don't have to redesign their products.

I work with devices for industry. They DO update without being forced. You can't force a customer who's giving you mi

Too little

[allo]

Sorry, the price is not high enough.

Thinking of a solution, you need to buy a lot Internet-of-Crap stuff, to test your solution and to dissect it to be able to find i.e. hardcoded passwords. This alone will cost you more than 25.000 if you're serious about it in a way, which will win you the 25.000.
The only option would be hoping, that you sell your device often enough, that you will make money from that. But you will realize, that nobody cares about his toaster being part of a dDoS attack.

Re:

[unixisc]

Enough responses like this, and they'll then ask some offshorer in India. Then there will be howls about work being offshored

Re:

[allo]

They can do whatever they want ... the question is, if they want to attract serious security experts. They won't with this offer. And the hobbyists are tempted to sell the 0-day for more than the "to be created" product wins. Without creating a product, just by collecting the issues.

$25K? That's insulting.

[azav]

The importance of this is high and $25K is an insult to the amount of effort required to perform to do this.

That number is so low, it's meaningless.

Hacking Firewall

[John.Banister]

Build a collection of easy device hacks, the way security companies collect virus signatures now, and have a firewall on the wide area connection that attempts to use the methods in the collection to gain access to the devices that want through. Devices that can be defeated by the firewall aren't allowed past it.

Gimme a break!

[jenningsthecat]

25 kilobucks???!!! WTF?? Realistically, such a solution would be worth AT LEAST seven figures. And anyone smart enough to come up with it shouldn't be dumb enough to sell it off for chump change, especially in an era where 'rounded corners' can not only be patented, but can almost be successfully defended against "infringement".

Do i win?

[Highdude702]

Use a Hammer!

Verry simple

[MeNeXT]

Unmaintained, unsupported or unpatched (say 30 days) products no longer benefit from copyright and patent law.

$25,000

[Hognoxious]

Boy, that's an expensive hammer! Even the DoD don't pay that much.

Easy (?)

[krray]

I'm trying to understand *how* this is happening.
First I always change the admin password. Manufacturers should require this, step 1, before the device will work. Problem 1 solved.

I use a router. UPnP is always disabled. Thus:
The IoT devices should also be configured to work "openly" (IMHO) if they're on 192.168, 169.254, or a 10. DHCP'd network. Are people plugging them into a ISP port directly giving it full inbound access from the Internet? I've never set one up that way. Only a router.

I guess now I expe

Just keep right on failing

[WaffleMonster]

The best way to secure "IoT" is for the industry to keep right on marching toward a not so distant future where "IoT" and "SMART" are widely viewed as toxic and undesirable.

At some point the consumer is going to ask themselves... do I REALLY want to pay $200 for fake FBI notices, ransom notes and advertising burned into my toast or can I get by with the $20 wall-e-mart special?

Do I really want to put up with a toaster that stops making toast whenever Internet is down, whenever original vendor goes out of business, wants me to buy a new one or no longer feels like "supporting" their creation? Can I get by with the $20 wall-e-mart special?

Do I want my appliances watching me stumbling about my kitchen and uploading my performances to James Clapper and criminal gangs or can I get by with the $20 wall-e-mart special?

Do I take members of US intelligence agencies seriously when they warn/gloat:

"Items of interest will be located, identified, monitored and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers and energy harvesters all connected to next-generation Internet using abundant, low-cost and high-power computing."

Or

"In the future, intelligence services might use the IoT for identification, surveillance, monitoring, location tracking, and targeting for
recruitment, or to gain access to networks or user credentials."

Perhaps I can get by with the $20 wall-e-mart special?

Innumeracy abounds

[uCallHimDrJ0NES]

$25,000? Why not $5? It would go just as far in this case, and would save taxpayers some money.

reward escalation

[epine]

In three years, $25,000,000. In ten years, $25,000,000,000.

Change the basic network protocol!

[SysEngineer]

the basic protocol should support network security isolation. The protocol should also support a cryptographic ID not just location and routing. Then for the "DHCP" us a Web of Trust (WoT), to Authenticate, Authorize and Audit (AAA) the local Things.

Re:

[gweihir]

That is about the most stupid idea, ever. Even trying this would break _everything_.

Absolutely worthless stunt

[gweihir]

If they were serious, they would spend money in a range where it could actually have some effect. Try at the very least 100x that, and more likely 1000x...10000x.

A Way To Secure IoT Devices

[khz6955]

How about putting a read-write switch that renders the core Operating System read-only except when you're updating it.

The simple steps

[AHuxley]

1. Secure your router or other network device with a new strong password thats not the default password or admin or user.
2. Run something like Avast Home Network Security https://www.avast.com/f-home-n... [avast.com] to see if any device still has issues.
Get OS makers in the US to scan the networks they are on to test if networked devices have default password and warn users to change them.
Most users will click past such warnings but its a simple step given the AV work the larger US OS brands now ship with their O

Re:

[Ol Olsoc]

1. Secure your router or other network device with a new strong password thats not the default password or admin or user.

Failed already. It isn't that your ideas are bad, but any solution that can be enabled, has to rely on the consumer doing absolutely nothing. Because that is what they are going to do. Absolutely nothing.

Simple

[Ol Olsoc]

Don't use IoT devices. Don't put WiFi and a webcam on my refrigerator or my water bottle.

While at it....

[XSportSeeker]

Also create a way to put backdoors into already available secure encryption systems without compromising them. I'll give you a buck for that.

Sad that they don't actually realize that they are asking for something impossible for some cheap change. If anyone could invent something like that, they'd sell it for millions a piece for every IoT company out there that could end up with class action lawsuits and recalls on their hands.

Disconnect them.

[mbone]

That's easy, just don't connect them to a network. Works every time.

I will waive any reward. They can donate it to the IETF.

a whole whopping $25,000?

[superwiz]

Why not $.25? Offer $25 million and you might get an answer. Actually, you'll get a lot of answers. Isn't this what the patent office should be doing instead of whatever it is doing? Making sure that inventors get paid?

Re:

[mikael]

A firewall around every single wi-fi/bluetooth connected device?

Re:

[unixisc]

No, every WiFi connected device has to be in a network - most likely, the one your WiFi router hosts. That's where the firewall would apply. Bluetooth - I thought that the latest Bluetooth protocol includes IPv6 support, I doubt that older Bluetooth would fall within IoT

Re:

[silas_moeckel]

The M&M theory, a firewall device that all communication must pass through if it needs to leave the building. It must be able to see all traffic so it's a https proxy and a scene to register all access a device needs and have it allowed by the user.

So get new IoT lightbulb plug it in connect to the IoT SSID. Register what you need to connect to and what data is passed allow users to allow/deny at a fine-grained level. All easily implemented on the wifi AP you already have and gives a place for update

Re:

[currently_awake]

And then someone from Russia hacks the WiFi router belonging to you neighbor, and it starts spoofing your router, and your devices all connect, and the next thing you know they are using your networked cameras to film a new reality tv show.

Re:

[silas_moeckel]

Yea because it's easy to guess some randomly generated SSID and wpa2 key? Noticing another AP with the same SSID is also pretty trivial.

There is only so far you can go to help existing crap devices. By nature it will be an M&M fix putting a smarter box in front and hoping nobody breaks the shell.

If your looking for a standard for new gear to comply with then you can add endpoint validation etc.

Re:

[superwiz]

It probably does if it needs to know about a hurricane coming your way.

Re:

[superwiz]

Security needs to be designed into the protocols from the start.

That's almost too cute. Except they need to be secure enough to be usable by consumers and not have en masse exposure to criminals who can come in physical contact with them. What protocols do you use to secure them during physical access?