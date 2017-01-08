

 


Posted by EditorDavid from the government-hackathons dept.
An anonymous reader writes: America's Federal Trade Commission has announced a $25,000 prize for whoever creates the best tool for securing consumers' IoT devices. The so-called "IoT Home Inspector Challenge" asks participants to create something that will work on current, already-on-the-market IoT devices, with extra points also awarded for scalability and ease of use.

"Contestants have the option of adding features, such as those that would address hard-coded, factory default, or easy-to-guess passwords," according to the official site, but "The tool would, at a minimum, help protect consumers from security vulnerabilities caused by out-of-date software." The winning submission can't be just a policy (or legal) solution, and will be judged by a panel which includes two computer science professors and a vulnerability researcher from Carnegie Mellon University's CERT Coordination Center.
Computerworld points out that "This isn't the first time the FTC has offered cash for software tools. In 2015, it awarded $10,500 to developers of an app that could block robocalls."

  • Here's my way. (Score:1)

    by Anonymous Coward

    Remove internet connectivity. There you go, pay me.

  • This is no technical problem. You can't add security around insecure devices by default. Even if you did some firewall, the device still has to communicate with the internet one way or another, or it has to communicate via Bluetooth, and these two paths can still be used for attacks.

    The only proper solution is a policy.

  • Easy Solution - Hold Manufacturers Responsible (Score:3)

    by sinij ( 911942 ) on Sunday January 08, 2017 @10:42AM (#53628253)
    Easy Solution - Hold Manufacturers Responsible. Pass legislation that any IoT device must be maintained with security patches for 2 years past sale and any substantial deviation from industry best practices (e.g. hard-coded credentials, open telnet) would lead to a hefty penalty.

    Treat these guys as you'd treat factories that dumped toxic waste into rivers.
    • Perhaps better would be to hold them liable for damages due to negligence, and nullify the absurd "as is" EULA. They can pay Brian Krebs's DDOS defense fees for the next ten years.
  • If the vendors are constrained to use a current Linux or BSD variant, then the customer can update whenever fixes are available. That probably makes lightbulbs too expensive, but for toasters on up, it's possible (;-))

  • I have a better idea. How about the US Government fine companies 75% of their net profits every time they design and sell a product that's insecure to begin with.

    That goes for everything, not just IoT. The future of autonomous vehicles scares the shit out of me because of the half-assed approach towards securing them.

