Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
United States Networking Security Wireless Networking

US Government Offers $25,000 Prize For Inventing A Way To Secure IoT Devices (ftc.gov) 196

An anonymous reader writes: America's Federal Trade Commission has announced a $25,000 prize for whoever creates the best tool for securing consumers' IoT devices. The so-called "IoT Home Inspector Challenge" asks participants to create something that will work on current, already-on-the-market IoT devices, with extra points also awarded for scalability ad easy of use.

"Contestants have the option of adding features, such as those that would address hard-coded, factory default, or easy-to-guess passwords," according to the official site, but "The tool would, at a minimum, help protect consumers from security vulnerabilities caused by out-of-date software." The winning submission can't be just a policy (or legal) solution, and will be judged by a panel which includes two computer science professors and a vulnerability researcher from Carnegie Mellon University's CERT Coordination Center.

Computerworld points out that "This isn't the first time the FTC has offered cash for software tools. In 2015, it awarded $10,500 to developers of an app that could block robocalls."
This discussion has been archived. No new comments can be posted.

US Government Offers $25,000 Prize For Inventing A Way To Secure IoT Devices

Comments Filter:
  • Solution (Score:5, Insightful)

    by Anonymous Coward on Sunday January 08, 2017 @10:36AM (#53628229)

    Throw the IoT in the trash and get regular devices that do not connect to the internet.

    • by Anonymous Coward

      Your check is in the mail - Uncle Sam

      • Re: Solution (Score:5, Informative)

        by FatdogHaiku ( 978357 ) on Sunday January 08, 2017 @12:16PM (#53628699)
        I liked this part near the bottom of the rules (12 f.) [ftc.gov]
        "The Sponsor reserves the right to amend the terms and conditions of the official rules at any time, including the rights or obligations of the Contestants and the Sponsor.

        So kids, Hurry and send in your multi-million dollar product in good working order and we'll give you a pittance and introduce you to the civil legal system!
        • Re: Solution (Score:5, Informative)

          by nbauman ( 624611 ) on Sunday January 08, 2017 @01:12PM (#53628991) Homepage Journal

          I liked this part near the bottom of the rules (12 f.)
          "The Sponsor reserves the right to amend the terms and conditions of the official rules at any time, including the rights or obligations of the Contestants and the Sponsor.

          So kids, Hurry and send in your multi-million dollar product in good working order and we'll give you a pittance and introduce you to the civil legal system!

          Your legal analysis is correct.

          I once heard a freelance writer give a talk on writing contracts, and she described the worst contract (for the writer) she had ever seen. It was the Redbook "Writing contest."

          Redbook readers were invited to submit short story manuscripts, the winners would get a pittance (and the honor of being the winner), and Redbook would own all the rights.

          I realized that Redbook was basically asking people to submit stories on spec, in the hope that they would be chosen out of thousands of entries. If they were chosen, Redbook would own the work, and give them a small fee to print it.

          That's what contests are. They ask you to work for nothing, compete with thousands of people, and if they like yours better than all the others, they'll own the work and give you a modest payment.

          Spending 6 months or a year (or even a month) for $25,000 -- if they feel like it -- isn't a great deal.

          If the FTC wants to secure IOT devices, let them hire a staff to work on it. Or let them award competitive grants.

    • by mikael ( 484 )

      Even if they do not connect to the public Internet, any home user who has their own private internet for their appliances (smart TV, fridge, toaster, router, garage door and smartphone with bluetooth connectivity) still has the problem of someone trying to guess passwords through repeated attempted connections to each device via wireless connections. How many articles have there been on somebody creating a gadget that simply cycles through every single possible passcode combination?

      Even with a personal wifi

      • by mwvdlee ( 775178 )

        Don't use passwords at all?

        Perhaps store a strong encryption key on a memory card (i.e. a small microSD, but it could probably be a lot cheaper) that is set by inserting the cart in the router, then inserting it in the IoT-device. Yes, it'll be more expensive but it would eliminate human stupidity.

        I'm sure much better, easier and cheaper system can be invented by security experts.

        The problem won't be the technical solution, it will be getting hardware manufacturers to implement it.
        There's no way to force co

        • I'm sure much better, easier and cheaper system can be invented by security experts.

          Apparently not.

          ... will be judged by a panel which includes two computer science professors and a vulnerability researcher from Carnegie Mellon University's CERT Coordination Center.

        • by rtb61 ( 674572 )

          The real problem is the whole current hardware software set, entirely too flexible and can never really be secured.

          So to secure internet of devices, requires a new fresh start. An operating system and applications, running on device, that all are only capable of doing what they are designed to do. Every bit of flexibility taken out, if it is not neccesary for functionality it is not in the system, not in the OS, not in the application and not in the hardware.

          Want a device to no do a thing, than make that

      • by mark-t ( 151149 )
        It is not infeasible to blacklist a MAC address from your wireless router after repeated password failure attempts over a short time. This could make automated brute-force password guessing from a device such as what you've described impractical.
    • Make a dedicated IOT network chip, with VPN support built in. The IOT device would be forced to connect directly to its server, with no option to communicate with anyone or anything else. So long as the chip was done properly (common chip=massive economy of scale), it wouldn't matter how buggy the IOT device software is.
    • by xeoron ( 639412 )
      Place IoT on a separate subnet or vlan with extra firewall filtering that includes only letting it speak to a whitelist of locations defined on the router.
    • No, we've had IoT devices before there was even the acronym. There are very secure IoT devices. They're not using passwords like it was just another exploitable wi-fi device but instead of PKI, and they're not purchased by consumers looking for a cool gadget to brag about. The best way to make IoT devices secure is to stop marketing them to hipsters. Nobody needs an internet connected thermostat so badly that they'd be willing to bypass all security and common sense.

      Yes, some SCADA systems have security

      • You're talking about industrial/warehouse kind of stuff?

        • Smarthomes didn't start with IoT either, and industrial/warehouse kind of stuff have adopted the IoT name for large sensor networks just like the home / retail market has. The only difference is in the level of security on devices not made by the cheapest bidder.

  • Here's my way. (Score:2, Insightful)

    by Anonymous Coward

    Remove internet connectivity. There you go, pay me.

  • This is no technical problem. You can't add security around insecure devices by default. Even if you did some firewall, the device still has to communicate with the internet one way or another, or it has to communicate via bluetooth, and these two paths can still be used for attacks.

    The only proper solution is a policy.

    • The solution is to ban all non-secure devices. They said no policy, so that means they aren't going to accept a solution that kicks the problem in the balls.

    • These devices do not have to communicate with "the internet", at worst they need to be able to connect a remote access gateway or cloud service (mothership). Those channels aren't all that easy to hack, and with a proper firewall, you can get your LAN reasonably secure without crippling well designed IoT devices. The devices might still be somewhat vulnerable to someone with physical access or access to your WiFi,but that leaves only a small percentage of attackers, and until the actual firewall is compro
    • They want a software solution, so here it is. Software firewall that blocks outgoing data based on a public whitelist, and incoming connections on a whitelist based on local devices. If a severity threat is detected, disable internet.

      Security threat detection function can do all kinds of heuristics, then return true.

    • +1

      If your networked product gets hacked and participates in a botnet, data leak, data ransom, etc, then you must provide mitigating solutions at your own expense to the owner for a period of 2* years after the date of purchase, or expect lawsuits from those customers or their representatives for non-compliance. In return for doing all this, we'll grant you a special marque you can put on your product and supporting materials to indicate your good internet citizenship to your customers. We'll be operating an

  • by sinij ( 911942 ) on Sunday January 08, 2017 @10:42AM (#53628253)
    Easy Solution - Hold Manufacturers Responsible. Pass legislation that any IoT device must be maintained with security patches for 2 years past sale and any substantial deviation from industry best practices (e.g. hard coded credentials, open telnet) would lead to hefty penalty.

    Treat these guys as you'd treat factories that dumped toxic waste into rivers.
    • Perhaps better would be to hold them liable for damages due to negligence, and nullify the absurd "as is" EULA. They can pay Brian Kreb's DDOS defense fees for the next ten years.
    • all that does is put a stop to the market and any new products. You end up in one of two scenarios:

      a. Everybody stays out because the risk's too high.

      b. Only a few big players who can afford insurance and/or to buy off exceptions for themselves can play. What little is available in the market is expensive and crummy.
      • Comment removed based on user account deletion
        • Those are the downsides. Despite people who claim "I think my refrigerator doesn't have to be connected to the Internet, therefore the entire concept of the Internet of Things must be utterly worthless", there are plenty of useful ways devices can be improved by adding connectivity. Yes,security is a big concern,but that doesn't mean that the only winning move is not to play.
          • by sinij ( 911942 )
            The only winning move it to play WITH security. We don't accept cars that suddenly explode, we don't accept phones that burst on fire, we shouldn't accept IoT that is hacked and used to bring parts of Internet down.
      • by sinij ( 911942 )
        If every vendor that gets 0.01c per device spying on you decides to stays out of IoT - I will consider this consumer's win. For all worthwhile IoT, maintaining for 2 years won't be outside the expected norm.
    • by Minupla ( 62455 )

      Easier solution: Unplug them, remove any batteries. Security. When do I get my cheque?

    • Two years? That's far too short. Even for regular PCs it'd be a too short time span - 20, 30 years ago the normal lifespan of a PC was considered to be about three years, now it's more like five. Many LTS releases of Linux get security fixes for at least five years. Debian releases maybe even longer, but that's more to do with the slow release cycle itself.

      Anyway, here you're talking about devices that last easily a decade, such as fridges. My own fridge is older than that, should be about 12 years now. Our

    • by AmiMoJo ( 196126 )

      Won't help with people buying cheap stuff from China on eBay.

    • This.

      And take note that we are acknowledging that the US government don't know bullshit from wild honey about security and is forced to crowdsource competence.

      • Having a government department responsible for computer security would help, they could do vulnerability scans on new hardware as part of the FCC certification, and force patches for weak devices. Extending FCC authority to cover internet devices might work, if you explicitly required a minimum level of security by law.
        • I agree.

          It's not a technical issue in the sense that IT has been recommending best practices for years, but local management's risk analysis proves that the expense is not necessary.

          We are approaching a tipping point where deep pockets are going to start paying for minor manufacturing/implementation procedures.

          I've argued for years that litigation is the answer, just as it created fire codes after enough lawsuits changed some risk analysts' minds.

    • 2 years?! Hell, I don't even change my old "Dumb" light bulbs that often. Make it 10 years!
    • The problem is often with the customer. Major industries aren't asking for security. Absolutely the home user doesn't even consider asking this question, they don't even know what security is or how to evaluate it. The same customer that doesn't hesitate to type in personal information to a smart tv is the wrong person to be judging whether or not a refrigerator needs to be on the internet. Why blame the manufacturer and their security when the customer does not even configure the device or its security

    • Uhm... there is nothing to prevent them from being sold and shipped from China or Canada directly. Are you planning to extend US tort laws to China?
  • by Anonymous Coward

    Ummm... okay. Good luck with that.

  • If the vendors are constrained to use a current Linux or BSD variant, then the customer can update whenever fixes are available. That probably makes lightbulbs too expensive, but for toasters on up, it's possible (;-))
    • That's why all android devices automatically get updates, right? Even the decade-old ones that can't run new versions?

      The OS doesn't matter. What's missing is the infrastructure to support patch development, testing, and delivery. Once the initial vendor goes out of business (or discontinues that product), there's no mechanism to continue development, no way to test the patch, and no way to get the new software into the devices.

      An open-source mandate fixes the ability to develop new patches, but it becomes

      • by davecb ( 6526 )

        The OS doesn't matter. What's missing is the infrastructure to support patch development, testing, and delivery. Once the initial vendor goes out of business (or discontinues that product), there's no mechanism to continue development, no way to test the patch, and no way to get the new software into the devices.

        Some OSs, specifically including the WRT families, include the infrastructure. Others do not and never will, as their vendors are aiming at exceedingly low-cost "use and discard" devices... or, concersely, excessively expensive "planned obsolesence" devices like cars and cell-phones

  • by geekmux ( 1040042 ) on Sunday January 08, 2017 @10:48AM (#53628281)

    I have a better idea. How about the US Government fine companies 75% of their net profits every time they design and sell a product that's insecure to begin with.

    That goes for everything, not just IoT. The future of autonomous vehicles scares the shit out of me because of the half-assed approach towards securing them.

    • I agree. My work cellphone, still running Android 4.4.1. Samsung has NEVER put an update out since I got it
    • by Sarten-X ( 1102295 ) on Sunday January 08, 2017 @11:29AM (#53628477) Homepage

      The problem is defining "secure" and "insecure". In the US, the standard is "perfect tender", where the company just has to produce a product that is perfect to the best of their ability, and acceptable to the customer. The product may have been insecure from the start, but nobody knew it, because the vulnerabilities weren't known yet.

      Three years ago, we had no idea that the rowhammer effect could corrupt data. Two years ago, we didn't think it had security implications. Now we know better, but my desktop was built four years ago.

      There are some vulnerabilities that can be resolved, like default passwords... but those are comparatively rare. For production and installation ease, the devices are usually shipped with a default password and the user is provided instructions to change the password. The problem is that the users don't read the instruction manual for their new lightbulbs. In this case, the product is designed and sold to be secure, but the user's inaction caused the insecurity.

      Ultimately, the liability for an attack lies (legally) with the attacker. It's been that way for several thousand years, and is fundamental to the legal framework in this country. Trying to change that will have many unintended consequences.

    • How about requiring all customers to take a class in how to turn on security in their existing product and to configure it correctly? Or maybe a class in how to parse through bullshit in marketing and decide that maybe they don't need their toaster on the internet.

    • by AmiMoJo ( 196126 )

      Because eBay and Banggood and AliExpress and all the other ways people import products from China. It's hard to fine companies in China when you are a US regulator. Even blocking their imports will fail as they will just re-brand faster than the US legal system can react.

      Besides, there would be endless legal arguments over what counts as "insecure". If you did everything right but someone finds a previously unknown bug in OpenSSL that is part of your 8 year old product, how much responsibility can you have

    • design and sell a product that's insecure to begin with.

      Define insecure? The PS3's DRM was about the best and strongest there was backed by a large profit motive and deep budgets, and yet that was eventually broken too.

      With wording like yours whey not just slap a 75% income tax on every company that does business within the USA.

      • design and sell a product that's insecure to begin with.

        Define insecure? The PS3's DRM was about the best and strongest there was backed by a large profit motive and deep budgets, and yet that was eventually broken too.

        With wording like yours whey not just slap a 75% income tax on every company that does business within the USA.

        To clarify, my particular solution was meant to demonstrate an actual threat against companies that seem to practically enjoy creating and selling products that are utter shit from a Security perspective. If you prefer the current slap-on-the-wrist punishments that allow companies to continue to create and sell utter shit, then by all means, support the currently ineffective model of making "secure" products. If fines are too harsh, I'm all for jail time for CEOs too. Whatever ultimately works to achieve

        • Oh I agree, something needs to be done, but the problem with proposing any laws is that they either need to be well written, specific, enforceable, and realistic. Threatening companies for not doing a good enough job is the job of civil suits and the courts. Laws can not be written in that kind of way without introducing either loopholes that indemnify companies, or introduce enough uncertainty to make people challenge the laws.

          This is a classic jump to conclusion without thinking if it's even possible. Thr

          • Oh I agree, something needs to be done, but the problem with proposing any laws is that they either need to be well written, specific, enforceable, and realistic. Threatening companies for not doing a good enough job is the job of civil suits and the courts. Laws can not be written in that kind of way without introducing either loopholes that indemnify companies, or introduce enough uncertainty to make people challenge the laws.

            This is a classic jump to conclusion without thinking if it's even possible. Throw a CEO in jail? For what? In most cases courts haven't even been able to prove direct negative effect on a victim to get them compensation. What do you propose? A law that can throw a CEO in jail at any time for any reason you see fit?

            All I'm saying is ensure that the punishment is befitting of the crime.

            The crime we see repeated over and over again is a company utterly ignoring sound security practice and development in favor of push-the-shit-product-out-the-door revenue demand. When identities are stolen due to poor security products designed to protect individuals, there is a cost involved. Just ask the purveyors of products like LifeLock. I'm certain they've formulated costs to justify their own products. What ends up in a court

            • All I'm saying is ensure that the punishment is befitting of the crime.

              I'm asking how. We all want the same thing, but I'm waiting to hear a sane proposal that could work.

              • All I'm saying is ensure that the punishment is befitting of the crime.

                I'm asking how. We all want the same thing, but I'm waiting to hear a sane proposal that could work.

                To find a solution that would work would imply the very companies who don't want to play fair would not wield the very lobbying power that enables them to not play fair. So perhaps the first step is to remove that bullshit loophole.

                A fair solution to combat selling or making an insecure product is create a Federal standard, and enforce it by making all manufacturers who want to sell the the US market comply with it. Failure to do so means anything from being fined a considerable percentage of net profit t

                • No you're jumping the biggest problem. Ignore the lobbying, ignore the company's influence, and ignore enforcement, we didn't get that far.

                  First show me you're able to define a law, then we can talk about the rest.

                  • No you're jumping the biggest problem. Ignore the lobbying, ignore the company's influence, and ignore enforcement, we didn't get that far.

                    First show me you're able to define a law, then we can talk about the rest.

                    Speaking of jumping the biggest problem, what exactly is the point of defining yet another law when those with influence and lobbying power will simply ignore it, or lobby to be worthy of some bullshit Too-Big-To-Fail loophole?

                    We have plenty of anti-monopoly laws on the books, and yet monopolies are consuming the capitalist universe. Go figure as to how that shit happened.

                    As I stated before, our problem is not one of creating laws. Root cause analysis dictates we must remove the corruption that prohibits

  • by rsilvergun ( 571051 ) on Sunday January 08, 2017 @10:53AM (#53628301)
    I could make a heck of alot more than $25k...
  • by JASegler ( 2913 ) <jasegler@gmail.cNETBSDom minus bsd> on Sunday January 08, 2017 @11:08AM (#53628395)

    There isn't going to be a magic wand for this. But a multifaceted approach would help.

    1) Standards body to oversee the software and protocols.

    2) Standard IOT base software stacks and protocols. Ideally run as an open source style project with companies encouraged to give back to the software stacks. Maybe protection from being sued for security problems found if they are using the certified software stacks. i.e. we were using the certified software stack in a certified way is a valid legal defense. If your modifications are the problem you lose that protection. Makes getting your modifications into the base stacks very appealing to the lawyers, etc.

    3) Certification program that takes completed devices and runs them through tests. Penetration tests of the completed devices. Manual and automated review of the software. Should be easy to fast track the software reviews if your building on top of one of the approved IOT base software stacks.

    4) Require a way to easily update the software of the devices. The reality is forced updates are going to have to be required because most won't manually update the devices.

    5) Require that a fully functional software stack be put in escrow for each device and revision of software. The company must provide support for the device or the the software base is released. Lack of support for the device is decided by standards board not the company. Fully functional means that someone can take the stack, compile it and successfully install it on the device. No hidden BS boot encryption keys that are missing, etc. If there are encryption keys like that then they have to be put in escrow with the rest of the software stack.

    6) Media campaign to get people to buy only certified IOT devices.

    Probably plenty more things that are good ideas/best practices. But this would be a start.

    • Does a JTAG count as easy upgrade mechanism?

      There are a huge range of devices out there in terms of capabilities and anticipated lifespans. I would be pissed if my refrigerator ended up having the same lifespan as my light bulbs due to firmware issues, as an example. The devices today that are the biggest problem are CCTV DVRs: essentially general purpose computers with poor security concepts and implementation.

      Much of what really needs to happen is focusing on documenting the interface requirements for low
    • There are too many standards for IOT, mostly because it's a big new buzzwords that means immediately there are many competing marketing based standards groups trying to get everyone to side with them, which means competing security standards, and because it's being rushed we have ridiculous demands in the standards so that the members of the consortium don't have to redesign their products.

      I work with devices for industry. They DO update without being forced. You can't force a customer who's giving you mi

  • Sorry, the price is not high enough.

    Thinking of a solution, you need to buy a lot Internet-of-Crap stuff, to test your solution and to dissect it to be able to find i.e. hardcoded passwords. This alone will cost you more than 25.000 if you're serious about it in a way, which will win you the 25.000.
    The only option would be hoping, that you sell your device often enough, that you will make money from that. But you will realize, that nobody cares about his toaster being part of a dDoS attack.

    • Enough responses like this, and they'll then ask some offshorer in India. Then there will be howls about work being offshored
      • by allo ( 1728082 )

        They can do whatever they want ... the question is, if they want to attract serious security experts. They won't with this offer. And the hobbyists are tempted to sell the 0-day for more than the "to be created" product wins. Without creating a product, just by collecting the issues.

  • by azav ( 469988 ) on Sunday January 08, 2017 @11:14AM (#53628413) Homepage Journal

    The importance of this is high and $25K is an insult to the amount of effort required to perform to do this.

    That number is so low, it's meaningless.

  • Build a collection of easy device hacks, the way security companies collect virus signatures now, and have a firewall on the wide area connection that attempts to use the methods in the collection to gain access to the devices that want through. Devices that can be defeated by the firewall aren't allowed past it.
  • by jenningsthecat ( 1525947 ) on Sunday January 08, 2017 @11:37AM (#53628511)

    25 kilobucks???!!! WTF?? Realistically, such a solution would be worth AT LEAST seven figures. And anyone smart enough to come up with it shouldn't be dumb enough to sell it off for chump change, especially in an era where 'rounded corners' can not only be patented, but can almost be successfully defended against "infringement".

  • Use a Hammer!
  • Verry simple (Score:4, Interesting)

    by MeNeXT ( 200840 ) on Sunday January 08, 2017 @01:03PM (#53628941)

    Unmaintained, unsupported or unpatched (say 30 days) products no longer benefit from copyright and patent law.

  • Boy, that's an expensive hammer! Even the DoD don't pay that much.

  • I'm trying to understand *how* this is happening.
    First I always change the admin password. Manufacturers should require this, step 1, before the device will work. Problem 1 solved.

    I use a router. UPnP is always disabled. Thus:
    The IoT devices should also be configured to work "openly" (IMHO) if they're on 192.168, 169.254, or a 10. DHCP'd network. Are people plugging them into a ISP port directly giving it full inbound access from the Internet? I've never set one up that way. Only a router.

    I guess now I expe

  • by WaffleMonster ( 969671 ) on Sunday January 08, 2017 @02:26PM (#53629315)

    The best way to secure "IoT" is for the industry to keep right on marching toward a not so distant future where "IoT" and "SMART" are widely viewed as toxic and undesirable.

    At some point the consumer is going to ask themselves... do I REALLY want to pay $200 for fake FBI notices, ransom notes and advertising burned into my toast or can I get by with the $20 wall-e-mart special?

    Do I really want to put up with a toaster that stops making toast whenever Internet is down, whenever original vendor goes out of business, wants me to buy a new one or no longer feels like "supporting" their creation? Can I get by with the $20 wall-e-mart special?

    Do I want my appliances watching me stumbling about my kitchen and uploading my performances to James Clapper and criminal gangs or can I get by with the $20 wall-e-mart special?

    Do I take members of US intelligence agencies seriously when they warn/gloat:

    "Items of interest will be located, identified, monitored and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers and energy harvesters all connected to next-generation Internet using abundant, low-cost and high-power computing."

    Or

    "In the future, intelligence services might use the IoT for identification, surveillance, monitoring, location tracking, and targeting for
    recruitment, or to gain access to networks or user credentials."

    Perhaps I can get by with the $20 wall-e-mart special?

  • $25,000? Why not $5? It would go just as far in this case, and would save taxpayers some money.

  • In three years, $25,000,000. In ten years, $25,000,000,000.

  • the basic protocol should support network security isolation. The protocol should also support a cryptographic ID not just location and routing. Then for the "DHCP" us a Web of Trust (WoT), to Authenticate, Authorize and Audit (AAA) the local Things.
  • If they were serious, they would spend money in a range where it could actually have some effect. Try at the very least 100x that, and more likely 1000x...10000x.

  • by khz6955 ( 4502517 ) on Sunday January 08, 2017 @06:21PM (#53630313)
    How about putting a read-write switch that renders the core Operating System read-only except when you're updating it.
  • 1. Secure your router or other network device with a new strong password thats not the default password or admin or user.
    2. Run something like Avast Home Network Security https://www.avast.com/f-home-n... [avast.com] to see if any device still has issues.
    Get OS makers in the US to scan the networks they are on to test if networked devices have default password and warn users to change them.
    Most users will click past such warnings but its a simple step given the AV work the larger US OS brands now ship with their O
    • 1. Secure your router or other network device with a new strong password thats not the default password or admin or user.

      Failed already. It isn't that your ideas are bad, but any solution that can be enabled, has to rely on the consumer doing absolutely nothing. Because that is what they are going to do. Absolutely nothing.

  • Don't use IoT devices. Don't put WiFi and a webcam on my refrigerator or my water bottle.
  • Also create a way to put backdoors into already available secure encryption systems without compromising them. I'll give you a buck for that.

    Sad that they don't actually realize that they are asking for something impossible for some cheap change. If anyone could invent something like that, they'd sell it for millions a piece for every IoT company out there that could end up with class action lawsuits and recalls on their hands.

  • That's easy, just don't connect them to a network. Works every time.

    I will waive any reward. They can donate it to the IETF.

  • Why not $.25? Offer $25 million and you might get an answer. Actually, you'll get a lot of answers. Isn't this what the patent office should be doing instead of whatever it is doing? Making sure that inventors get paid?

If all else fails, lower your standards.

Working...