US Government Offers $25,000 Prize For Inventing A Way To Secure IoT Devices (ftc.gov)
An anonymous reader writes: America's Federal Trade Commission has announced a $25,000 prize for whoever creates the best tool for securing consumers' IoT devices. The so-called "IoT Home Inspector Challenge" asks participants to create something that will work on current, already-on-the-market IoT devices, with extra points also awarded for scalability and ease of use.
"Contestants have the option of adding features, such as those that would address hard-coded, factory default, or easy-to-guess passwords," according to the official site, but "The tool would, at a minimum, help protect consumers from security vulnerabilities caused by out-of-date software." The winning submission can't be just a policy (or legal) solution, and will be judged by a panel which includes two computer science professors and a vulnerability researcher from Carnegie Mellon University's CERT Coordination Center.
Computerworld points out that "This isn't the first time the FTC has offered cash for software tools. In 2015, it awarded $10,500 to developers of an app that could block robocalls."
Your check is in the mail - Uncle Sam
Even if they do not connect to the public Internet, any home user who has their own private internet for their appliances (smart TV, fridge, toaster, router, garage door and smartphone with bluetooth connectivity) still has the problem of someone trying to guess passwords through repeated attempted connections to each device via wireless connections. How many articles have there been on somebody creating a gadget that simply cycles through every single possible passcode combination?
Don't use passwords at all?
Perhaps store a strong encryption key on a memory card (i.e. a small microSD, but it could probably be a lot cheaper) that is set by inserting the card in the router, then inserting it in the IoT device. Yes, it'll be more expensive but it would eliminate human stupidity.
I'm sure much better, easier and cheaper system can be invented by security experts.
The problem won't be the technical solution, it will be getting hardware manufacturers to implement it.
I'm sure much better, easier and cheaper system can be invented by security experts.
Apparently not.
... will be judged by a panel which includes two computer science professors and a vulnerability researcher from Carnegie Mellon University's CERT Coordination Center.
Remove internet connectivity. There you go, pay me.
This is no technical problem. You can't add security around insecure devices by default. Even if you did some firewall, the device still has to communicate with the internet one way or another, or it has to communicate via bluetooth, and these two paths can still be used for attacks.
The only proper solution is a policy.
The solution is to ban all non-secure devices. They said no policy, so that means they aren't going to accept a solution that kicks the problem in the balls.
Easy Solution - Hold Manufacturers Responsible
Treat these guys as you'd treat factories that dumped toxic waste into rivers.
a. Everybody stays out because the risk's too high.
b. Only a few big players who can afford insurance and/or to buy off exceptions for themselves can play. What little is available in the market is expensive and crummy.
I would like to know if there are any downsides.
Easier solution: Unplug them, remove any batteries. Security. When do I get my cheque?
Two years? That's far too short. Even for regular PCs it'd be too short a time span - 20, 30 years ago the normal lifespan of a PC was considered to be about three years, now it's more like five. Many LTS releases of Linux get security fixes for at least five years. Debian releases maybe even longer, but that's more to do with the slow release cycle itself.
Anyway, here you're talking about devices that last easily a decade, such as fridges. My own fridge is older than that, should be about 12 years now. Our
Won't help with people buying cheap stuff from China on eBay.
Ummm... okay. Good luck with that.
See also the DARPA project.
Giving away award money is cheaper than paying for actual development.
Politically incorrect solution: free/open software
That's why all android devices automatically get updates, right? Even the decade-old ones that can't run new versions?
The OS doesn't matter. What's missing is the infrastructure to support patch development, testing, and delivery. Once the initial vendor goes out of business (or discontinues that product), there's no mechanism to continue development, no way to test the patch, and no way to get the new software into the devices.
An open-source mandate fixes the ability to develop new patches, but it becomes
I have a better idea. How about the US Government fine companies 75% of their net profits every time they design and sell a product that's insecure to begin with.
That goes for everything, not just IoT. The future of autonomous vehicles scares the shit out of me because of the half-assed approach towards securing them.
But Android is OpenSource! Fix your own Bugs! OPEN SOURCE. All you need to do is setup a full development stack and compile Marshmallow for yourself!
What was the last version of iOS the same vintage iPhone got?
The problem is defining "secure" and "insecure". In the US, the standard is "perfect tender", where the company just has to produce a product that is perfect to the best of their ability, and acceptable to the customer. The product may have been insecure from the start, but nobody knew it, because the vulnerabilities weren't known yet.
Three years ago, we had no idea that the rowhammer effect could corrupt data. Two years ago, we didn't think it had security implications. Now we know better, but my desktop w
A firewall around every single wi-fi/bluetooth connected device?
If I could secure IoT devices
The M&M theory, a firewall device that all communication must pass through if it needs to leave the building. It must be able to see all traffic so it's a https proxy and a scene to register all access a device needs and have it allowed by the user.
So get new IoT lightbulb plug it in connect to the IoT SSID. Register what you need to connect to and what data is passed allow users to allow/deny at a fine-grained level. All easily implemented on the wifi AP you already have and gives a place for update
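To make the "register what you need to connect to, then allow or deny" step concrete, here is an added example (written for this thread; it is not the commenter's code and not an existing product) of the policy layer such an AP-side gateway would need: a default-deny egress table keyed by device MAC, where a flow to an unregistered destination is held as pending for the user to approve, and anything from an unenrolled device is dropped outright. The TLS-inspecting proxy the comment mentions is out of scope here; this only models the decision on (device, host, port). The MAC addresses, hostnames, and the flow list are constructed for the demo.

```python
from dataclasses import dataclass, field

Flow = tuple[str, str, int]  # (device MAC, destination host, destination port)


@dataclass
class DevicePolicy:
    """What one enrolled device is allowed to talk to, and what it has tried so far."""
    name: str
    allowed: set[tuple[str, int]] = field(default_factory=set)  # user-approved (host, port)
    denied: set[tuple[str, int]] = field(default_factory=set)   # user-rejected (host, port)
    pending: set[tuple[str, int]] = field(default_factory=set)  # seen, awaiting a decision


class EgressGateway:
    """Default-deny egress control: a flow leaves the building only if approved."""

    def __init__(self) -> None:
        self.devices: dict[str, DevicePolicy] = {}

    def register(self, mac: str, name: str) -> None:
        """Enroll a device (e.g. when it first joins the IoT SSID)."""
        self.devices[mac] = DevicePolicy(name)

    def approve(self, mac: str, host: str, port: int) -> None:
        """User action: allow this device to reach host:port from now on."""
        pol = self.devices[mac]
        pol.pending.discard((host, port))
        pol.denied.discard((host, port))
        pol.allowed.add((host, port))

    def deny(self, mac: str, host: str, port: int) -> None:
        """User action: permanently block this destination for this device."""
        pol = self.devices[mac]
        pol.pending.discard((host, port))
        pol.allowed.discard((host, port))
        pol.denied.add((host, port))

    def decide(self, mac: str, host: str, port: int) -> str:
        """Verdict for one outbound flow; unknown destinations are parked as pending."""
        pol = self.devices.get(mac)
        if pol is None:
            return "DROP-unregistered"
        key = (host, port)
        if key in pol.allowed:
            return "ALLOW"
        if key in pol.denied:
            return "DROP-denied"
        pol.pending.add(key)
        return "DROP-pending"

    def pending_requests(self) -> list[tuple[str, str, int]]:
        """Everything waiting for the user to click allow or deny."""
        return sorted(
            (mac, host, port)
            for mac, pol in self.devices.items()
            for (host, port) in pol.pending
        )


BULB = "aa:bb:cc:00:00:01"      # constructed MAC for the enrolled lightbulb
STRANGER = "de:ad:be:ef:00:02"  # constructed MAC for a device nobody enrolled

# Constructed flow log: vendor update check, an unexpected telnet connection to a
# bare IP (the kind of thing a compromised bulb would attempt), an unenrolled
# device, and the update check again.
FLOWS: list[Flow] = [
    (BULB, "updates.bulbvendor.example", 443),
    (BULB, "203.0.113.9", 23),
    (STRANGER, "updates.bulbvendor.example", 443),
    (BULB, "updates.bulbvendor.example", 443),
]


def run_demo() -> tuple[list[str], list[tuple[str, str, int]]]:
    """Enroll the bulb, pre-approve its update host, then run the flow log through."""
    gw = EgressGateway()
    gw.register(BULB, "IoT lightbulb")
    gw.approve(BULB, "updates.bulbvendor.example", 443)
    decisions = [gw.decide(mac, host, port) for (mac, host, port) in FLOWS]
    return decisions, gw.pending_requests()


if __name__ == "__main__":
    verdicts, queue = run_demo()
    for flow, verdict in zip(FLOWS, verdicts):
        print(verdict, flow)
    print("awaiting user decision:", queue)
```

Two design choices worth noting: destinations are matched exactly on (host, port) rather than by hostname pattern, so a device cannot widen its own allowance by changing a subdomain, and the pending queue is the only place new destinations appear, which is exactly the "register all access a device needs" view the comment asks the user to review.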
There isn't going to be a magic wand for this. But a multifaceted approach would help.
1) Standards body to oversee the software and protocols.
2) Standard IOT base software stacks and protocols. Ideally run as an open source style project with companies encouraged to give back to the software stacks. Maybe protection from being sued for security problems found if they are using the certified software stacks. i.e. we were using the certified software stack in a certified way is a valid legal defense. If
Sorry, the price is not high enough.
Thinking of a solution, you need to buy a lot of Internet-of-Crap stuff, to test your solution and to dissect it to be able to find e.g. hardcoded passwords. This alone will cost you more than $25,000 if you're serious about it in a way that will win you the $25,000.
The only option would be hoping that you sell your device often enough that you will make money from that. But you will realize that nobody cares about his toaster being part of a DDoS attack.
The importance of this is high and $25K is an insult to the amount of effort required to do this.
That number is so low, it's meaningless.
