Cisco Offers $300,000 Prize For Internet of Things Security Apps

alphadogg writes "Cisco today kicked off a contest with $300,000 in prize money that challenges security experts around the world to put together ways to secure what's now called the 'Internet of Things,' the wide range of non-traditional computing devices used on the electric grid, in healthcare and many other industries. A Cisco SVP concluded his keynote at this week's RSA Conference by announcing what he called the 'Internet of Things Security Grand Challenge.' Christopher Young said the idea is 'a contest of experts around the world to submit blueprints' for how security issues created by the Internet of Things could be addressed. It's expected that up to six winning entries would be selected and the prize money awarded at the Internet of Things Forum in the fall."

I have the solution right here:

give up on the whole "internet of things" idea as it's a loser from the get-go.

You can donate my 300 large to the EFF.

Re:I have the solution right here:

[pla]

This.

I don't want my fridge online. I don't want my toaster online. I don't want my lights online. I don't want my toothbrush online. And dear Zeus but I sure as hell don't want my HVAC or oven or even my car online!

The "Internet of Things" doesn't even rate as a solution in need of a problem - More like a marketing gimmick in need of a thin excuse to get ever more personal data from us.

Dear Cisco - Go home, you've had too much to drink. Don't worry, your fridge says it has leftover mac&cheese for you to snack on.

Re:I have the solution right here:

[JaredOfEuropa]

There are plenty of good reasons to connect appliances to the Internet, or at least to a local home automation controller.
- HVAC? Hell yes. Having heating and AC automated and remotely controllable adds comfort (turning the heating on before we arrive home), convenience (no need to manage schedules, remote control from anywhere in the home), and saves money (by turning off heating automatically in unoccupied rooms).
- The toaster? Maybe not. I did connect a few other appliances like the fryer, which I don't want to remain on when we leave or go to bed.
- Locks... none in my home are connected, but I've heard from many owners of vacation rental properties that remotely operated locks can be a godsend.
- Washing machines & dryers? Not yet... but soon these devices will be able to negotiate with the grid to turn on at a time determined by the power company, in exchange for a lower rate. The water heater in my old flat already did that over 20 years ago (it had a nice clunky bakelite control box sitting next to it).

None of this is life-changing stuff, and much of the technology is still in its infancy (especially when it comes to security!), but the benefits already outweigh the risks by far.

Re:I have the solution right here:

[bjwest]

None of this crap needs to be directly connected to the internet with it's own IP address. None of it! Every house with internet access already has an address and all that's needed is a good router to route things where they need to go. Most homes with more than one device, be it multiple computers, DVD/Blu-Ray players, TV's, game systems or whatever, already use this system. My frigging refrigerator, whether it's intelligent or not, does not need it's own IP any more than each room in my house needs it's own street address.

We're trying to put too much crap on the internet directly. The only thing this is going to do is cause major security problems. Now, instead of one single point of entry to secure, we have to worry about each devise.

Re:I have the solution right here:

[K.+S.+Kyosuke]

The "Internet of Things" doesn't even rate as a solution in need of a problem

Hmph. Solutions in the shape of "everything should be/have X" seem to be frowned upon by many people (Smalltalk - everything should be an object!), but they seem to have proponents and detractors that without fault keep aligning themselves into two camps ("the unifying principle is more flexible!" vs. "I'm never going to need that"). On one hand, you may argue that you're never going to use that. On the other hand, if you had it, and you were installing a new alarm system, you wouldn't need to separately install wirings (and drill walls) to everything because there'd be a common control infrastructure already (for example, to control lights when you're away to confuse would-be burglars - the lights you don't want to control right now).

Re:I have the solution right here:

[K.+S.+Kyosuke]

None of this crap needs to be directly connected to the internet with it's own IP address.

The devices don't need to be accessible to everyone, but what's the harm in devices having addresses? Just because I know that Obama lives in the White House doesn't allow me to casually stroll into his bedroom.

and all that's needed is a good router to route things where they need to go

And guess what, that requires some kind of address that you can route to. Sounds familiar?

Now, instead of one single point of entry to secure, we have to worry about each devise.

Only because of crappy protocols and implementations, I assume, not as a matter of principle.

the one answer they won't find acceptable

I want to keep my devices secure. This means: Let me control them. Don't require them to phone home, or to be connected beyond my local network if I don't want. If they need to talk to a server, let me run that server on my own locked down box in my own house. Let me replace the OS on the "thing", if I want, because I won't be able to trust yours, because you have every incentive to sell me down the river.

Unless I control what software is run, and what it talks to, then there can be no security for my "internet of things".

But you won't, will you? You didn't really want to know I can keep my "internet of things" secure. What you really wanted to know was: how to present a facade of broken security while data-mining me to hell.

Cisco is looking for a few good genius morons

[Zero__Kelvin]

What kind of combination of genius and moron do you have to be to solve a major security issue like this and then give it to Cisco in exchange for virtually nothing?

me. I have to write the paper anyway.

[raymorris]

I may submit a paper. I have to spend a couple of months writing the paper anyway, for school. I see no reason that I wouldn't send the already-written paper to Cisco and see if they send me back $70,000 and the recognition from the conference.

IOT Security NOT

[jraff2]

Most devices that one would connect to the Internet of Things - IOT are mundane data, not peeps into ones life.
Temperature, humidity, wind, sun, rain, etc. None of these need security, so why bother?
Only the things that indicate some personal action, absence, presents like open/close door, walk down hall, would one want to be secret, use HTTPS.
Since most of the reporting will be mundane statistics the security is NOT needed, just us HTTP.

The monetizers demand data

[swb]

The whole drive behind IOT isn't convenience, it's monetization of information.

The marginal cost of a "smart" device is much more than the marginal return selling such a device on its own merits. Either you jack up the price of the device to cover the gee-whiz features or you don't, but the only reason they don't is because they have figured out how to sell this info to someone else.

The Nest is a great example. I think the last 7 day programmable thermostat I bought might have been $50; the Nest is $249 from their online store. What, exactly, does the Nest do that my Honeywell model not do for $200? It may be able to vaguely predict occupancy and make adjustments, but the "dumb" Honeywell model pretty much covers this -- we get up, we leave the house, we come home, we go to bed at about the same time. There's so few use cases where automagic adjustment would make any sense (and many where it wouldn't work).

A smart fridge is one where there's almost no use cases that don't involve product/marketing tie-ins -- selling my use of tagged products to marketers.

The only way you're going to get IOT is if you either pay the freight for the intelligence or let the device sell your info.

citation? 80% I checked didn't claim copyright

[raymorris]

Thanks for mentioning that. I'll check my school's policy.

I just looked at the policies for five universities. Four of the five explicitly acknowledged that students own their work. The fifth had a "copyright assignment" form that I didn't read, so that school may have tried to get copyright assigned for student works, or it may be like Yale, where SOME works be employees, done as part of their employment, is owned by the university.

SOOO simple

[slashmydots]

This is really simple. If you have a smartfridge, don't install Android or Windows on it. Make it a device that would barely qualify as an ASIC that only does what it does. When was the last time someone said their handheld calculator got hacked? If all you need to do is list an inventory of things in your fridge and set temperatures of drawers, make an electronic device that does that and only that. DO NOT just use a pre-existing platform because it's easier. It's a guaranteed way to get hacked.

Re:SOOO simple

[tapspace]

Embedded and security are my things. I do automotive, so I am used to an industry that will happily incur half a million dollars of engineering cost to save ten cents in per part cost. The thing is, an ASIC is expensive. A microcontroller is cheap. Unfortunately, an ASIC does, by definition one thing and a micro does everything. If you get "root" on the micro, you can run whatever software you want. The people that make these decisions mostly care about per part cost, regardless of security implications. So, restricting it to an ASIC is a really clean engineering solution that your boss will (possibly, rightly) shoot down. And, he's probably under pressure to put this thing (fridge) on the internet. EVERYBODY'S DOING IT! And the customer doesn't give two shits about security principles. It's a real mess we've got cooking...