Slashdot Mirror


MITRE Dangles $50,000 Prize For Spotting Rogue Internet of Things Devices (securityledger.com)

Long-time Slashdot reader chicksdaddy quotes Security Ledger: MITRE Corporation, the non-profit corporation that helps tackle some of the trickiest technical and security challenges out there, is dangling a $50,000 prize for anyone who can develop a solution for spotting rogue devices within an Internet of Things network...saying that it's looking for ground breaking new approaches to securing diverse Internet of Things networks like those in connected homes.

"Network administrators need to know exactly what is in the environment, or the network -- including when an adversary has switched out one device for another. In other words, is the smart thermostat we see today the same one that was there yesterday? We are looking for a unique identifier or fingerprint to enable administrators to enumerate the IoT devices while passively observing the network... "
Their registration form will be open through October, and the challenge will end after four weeks in November, or "whenever someone wins."
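The challenge text above asks for a passive fingerprint that lets an administrator tell whether today's thermostat is the one that was there yesterday. The following Go program is an added illustration of that idea and is not code from MITRE, Security Ledger, or any contest entry: it builds a per-device profile from attributes that a passive observer can see (vendor prefix of the MAC, the DHCP option-55 parameter request list, initial IP TTL, TCP initial window, and the set of destinations contacted), then diffs a baseline day against a later day. All records, MAC addresses (locally administered `02:` prefixes) and destination names are constructed for the example; the `Observation` and `Profile` types are assumptions of this example, not a published format.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Observation is one passively captured flow record, enriched with the
// device's most recent DHCP request. These are constructed samples.
type Observation struct {
	MAC      string
	DHCPOpts string // DHCP option 55 parameter request list, e.g. "1,3,6,15"
	TTL      int    // initial IP TTL seen on the device's outbound SYNs
	Window   int    // TCP initial window size
	Dest     string // host:port the device contacted
}

// Profile is the fingerprint derived for one device.
type Profile struct {
	OUI      string // first three octets of the MAC (vendor prefix)
	DHCPOpts string
	TTL      int
	Window   int
	Dests    []string // sorted, de-duplicated destinations
}

// Build aggregates observations into one Profile per MAC address.
func Build(obs []Observation) map[string]Profile {
	profiles := map[string]Profile{}
	dests := map[string]map[string]bool{}
	for _, o := range obs {
		p := profiles[o.MAC]
		if len(o.MAC) >= 8 {
			p.OUI = strings.ToLower(o.MAC[:8])
		}
		p.DHCPOpts, p.TTL, p.Window = o.DHCPOpts, o.TTL, o.Window
		if dests[o.MAC] == nil {
			dests[o.MAC] = map[string]bool{}
		}
		dests[o.MAC][o.Dest] = true
		profiles[o.MAC] = p
	}
	for mac, p := range profiles {
		for d := range dests[mac] {
			p.Dests = append(p.Dests, d)
		}
		sort.Strings(p.Dests)
		profiles[mac] = p
	}
	return profiles
}

// Compare reports devices whose fingerprint changed, vanished, or are new.
// A same-MAC device whose TCP stack or DHCP behaviour differs is the
// "switched out" case the challenge describes.
func Compare(baseline, current map[string]Profile) []string {
	var findings []string
	for mac, b := range baseline {
		c, ok := current[mac]
		if !ok {
			findings = append(findings, mac+": missing today")
			continue
		}
		var changed []string
		if b.DHCPOpts != c.DHCPOpts {
			changed = append(changed, "dhcp-options")
		}
		if b.TTL != c.TTL {
			changed = append(changed, "ttl")
		}
		if b.Window != c.Window {
			changed = append(changed, "tcp-window")
		}
		if strings.Join(b.Dests, ",") != strings.Join(c.Dests, ",") {
			changed = append(changed, "destinations")
		}
		if len(changed) > 0 {
			findings = append(findings, mac+": changed "+strings.Join(changed, ","))
		}
	}
	for mac := range current {
		if _, ok := baseline[mac]; !ok {
			findings = append(findings, mac+": new device")
		}
	}
	sort.Strings(findings)
	return findings
}

// Demo runs the comparison over constructed "yesterday" and "today" captures.
func Demo() []string {
	yesterday := Build([]Observation{
		{"02:11:22:33:44:55", "1,3,6,15,28", 64, 5840, "api.thermostat.example:443"},
		{"02:11:22:33:44:55", "1,3,6,15,28", 64, 5840, "time.example:123"},
		{"02:aa:bb:cc:dd:ee", "1,3,6,12", 64, 29200, "cam.example:443"},
	})
	today := Build([]Observation{
		// same MAC, but a different stack and a new backend: a swapped unit
		{"02:11:22:33:44:55", "1,3,6,15,31,33,43", 128, 8192, "api.thermostat.example:443"},
		{"02:11:22:33:44:55", "1,3,6,15,31,33,43", 128, 8192, "203.0.113.10:8080"},
		{"02:aa:bb:cc:dd:ee", "1,3,6,12", 64, 29200, "cam.example:443"},
		{"02:ff:00:00:00:01", "1,3,6", 255, 14600, "198.51.100.7:1883"},
	})
	return Compare(yesterday, today)
}

func main() {
	for _, f := range Demo() {
		fmt.Println(f)
	}
}
```

The profile fields are deliberately ones that firmware tends to keep stable across reboots but that differ between hardware and OS generations, so a like-for-like replacement by the same vendor may still pass; in practice the destination set and DHCP options are the cheapest signals to collect, and TTL and window size catch a device that has been re-imaged with a different operating system.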

51 comments

  1. Select *.* by Anonymous Coward · · Score: 1

    So where do I collect my prize?

    1. Re:Select *.* by BarbaraHudson · · Score: 1

      So where do I collect my prize?

      That's pretty much it. IoT devices have to be cheap to be even remotely attractive, to make up for the obvious uselessness of many of them, Most of these devices have no real justification, or the hazards outweigh the benefits.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    2. Re:Select *.* by ShanghaiBill · · Score: 1

      IoT devices have to be cheap to be even remotely attractive

      It is not an issue of cheapness. Security can be done in a few kilobytes of firmware, which is a negligible additional cost. It is about convenience. When a customer plugs in a smart lightbulb, they want it to "just work" and they don't want to spend five minutes configuring it.

      Disclaimer: I have an Amazon Echo, a Wink Hub, and several connected IoT devices (lightbulbs, door locks, motion sensor, garage opener). Some features are useful, like opening the garage door with my cellphone, and using voice to control the kitchen light. But unless you are a geeky early adopter, I would recommend waiting a few years for the bugs to get ironed out.

    3. Re:Select *.* by BarbaraHudson · · Score: 1

      Opening a garage door with your smartphone is stupid and dangerous when you're pulling into your driveway. Unlike a regular garage door remote, you can't do the smartphone purely by feel. Also, pretty much impossible when riding your bike, whereas again, it can be done by feel from 100 feet away, no problem. AND no internet needed.

      A regular remote, you have to be within range. An IoT remote, you can open someone's door from anywhere in the world. Really stupid. Your insurance is going to bitch about covering you when you get robbed repeatedly because some prankster wants to have fun and swatting you is too high-risk.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    4. Re:Select *.* by Anonymous Coward · · Score: 1

      Don't put your garage door on the internet; I just need to get to it off my x509 WiFi, then set up a GeoFence task that if it's paired with my car and just entered the fence, opens the door.. and vice versa.. hands free, and considerably more secure than the garage door opener I was using, with strong end-to-end crypto.

      Just pretend the I in IoT is a lowercase L and set up a LAN of Things.. then run a VPN server on your router for remote access and don't buy anything that's 'Cloud' enabled or requires a subscription fee.

    5. Re: Select *.* by Anonymous Coward · · Score: 0

      Good luck getting my grand mom and grand pops to do that.

    6. Re:Select *.* by BarbaraHudson · · Score: 1

      Automatic doors and gates are real great, until you have pets and kids running around on the property.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    7. Re:Select *.* by Anonymous Coward · · Score: 0

      Just don't give your pets and kids geo-aware mobile devices then

    8. Re:Select *.* by BarbaraHudson · · Score: 1

      Don't be silly. If your dog is in the garage and your garage door automatically opens when you pull in the driveway, your dog is gone. Same with kids if they're in the back yard and the door leading to the garage is open.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  2. Because China by Anonymous Coward · · Score: 0

    Want to bet these are all camera or "DVR"-type devices from China?

    But the lefties love China, because Communist. Go China!!!

  3. Dangle This by Anonymous Coward · · Score: 0

    Oooooo, it's a challenge. Anyone smart enough to solve this problem isn't dumb enough to give it to MITRE for $50K.

  4. The answer is simple by Anonymous Coward · · Score: 0

    If it comes from China and is a brand you never heard of. It's going to be a problem.

    1. Re:The answer is simple by gzuckier · · Score: 1

      If it comes from China and is a brand you never heard of. It's going to be a problem.

      Or a famous quality brand name which you see sold new on Ebay for $3.50 from China with free shipping.

      --
      Star Trek transporters are just 3d printers.
  5. Solution by 110010001000 · · Score: 1

    if (thing_is_iot) { rogue_device_probability_pct = 100; } else { rogue_device_probability_pct = 99; }

  6. $50k? by Xenna · · Score: 1

    I'll build as many rogue devices as they need for that price!

  7. Halting Problem by pz · · Score: 1

    Is the smart thermostat we see today the same one that was there yesterday?

    I bet this can be demonstrated to be equivalent to the halting problem. The question should be really: here are the specifications of a certain device (whether dictated by the manufacturer, or determined empirically): does the present device match them? With every query from here to eternity? Under all circumstances? That smells like the halting problem.

    So, in other words, you can never be completely certain of the answer, only confident up to specific bounds. Maybe that's good enough, but $50K for that kind of work is not, and the amount of effort involved for the general case, is not. A good solution for the problem is going to be the sort of thing that would take a startup into a medium-to-large corporation.

    But there are really much better ways to avoid the problem in the first place. I mean, to paraphrase a processor of mine, we don't need a microprocessor in every doorknob. Just don't use the damned things. Your fridge does not need to be on the net. Nor do your chairs. Nor each door in your house. Your washing machine works perfectly well without being on the net. So does your garage door. The risks of putting highly insecure interfaces on such items just do not justify the potential benefit.

    --
    Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
    1. Re:Halting Problem by ArtemaOne · · Score: 1

      Shockingly, adding unnecessary things to common objects makes rich people pay more for them.

    2. Re:Halting Problem by Anonymous Coward · · Score: 0

      A salesman actually tried to sell me a dishwashing machine with wifi. "You can start it from your smartphone!"
      "I, and how many others", was my answer to that. Bought another machine with better washing capability and no wifi.

      As for the smart thermostat, let's phase out anonymous network use. Wifi is like that already. Replace my "smart thermostat" with a rogue device - it won't have the wifi password and won't work. And of course we can raise the bar further with WPA2-Enterprise (separate password for each "thing") as well as certificates. Many businesses won't allow devices on their network that aren't authorized to be there - no unknown/anonymous things. IEEE 802.1X (WPA Enterprise) is done over cable too.

      This is mostly a solved problem. For 'homeowners' we also need an _easy_ way to get credentials (passwords, certificates, whatever) into each 'thing'. Plug in the 'homeowners USB master key' perhaps?

    3. Re:Halting Problem by gzuckier · · Score: 1

      Is the smart thermostat we see today the same one that was there yesterday?

      I bet this can be demonstrated to be equivalent to the halting problem. The question should be really: here are the specifications of a certain device (whether dictated by the manufacturer, or determined empirically): does the present device match them? With every query from here to eternity? Under all circumstances? That smells like the halting problem.

      So, in other words, you can never be completely certain of the answer, only confident up to specific bounds. Maybe that's good enough, but $50K for that kind of work is not, and the amount of effort involved for the general case, is not. A good solution for the problem is going to be the sort of thing that would take a startup into a medium-to-large corporation.

      But there are really much better ways to avoid the problem in the first place. I mean, to paraphrase a processor of mine, we don't need a microprocessor in every doorknob. Just don't use the damned things. Your fridge does not need to be on the net. Nor do your chairs. Nor each door in your house. Your washing machine works perfectly well without being on the net. So does your garage door. The risks of putting highly insecure interfaces on such items just do not justify the potential benefit.

      That used to be a cartoon: "In a fit of manic brilliance, network engineer Joe Blow wires the shredder into the office network".

      --
      Star Trek transporters are just 3d printers.
  8. Highest Respect for MITRE by mallyn · · Score: 1

    Folks:

    MITRE. These people I hold the highest respect for.

    One of my former classmates from Worcester Polytechnic Institute (who got FAR better grades than I ever did, and who was near the top of the Engineering class of 1976) is working for them.

    I also met some former MITRE folks here in Bellingham whom I immediately knew were very smart in the security field.

    If these folks are offering the prize; I know they will be very diligent in assessing the applications.

    --
    Most Respectfully Yours Mark Allyn Bellingham, Washington
    1. Re:Highest Respect for MITRE by Anonymous Coward · · Score: 0

      I have worked right across the street from MITRE in Bedford, MA, and also have a great respect for their technical kung-fu. (As well as the impressive array of communications equipment set up in a large field along Rt 62.)

      But I have to ask, if they are so smart, why are they paying for solutions instead of coming up with them on their own?

    2. Re:Highest Respect for MITRE by Anonymous Coward · · Score: 0

      Wait, this is the same Mitre that's completely fucked up the CVE system to the point where people have given up on it and started forking it? That Mitre? The one that can't be trusted with the task of handing out a goddamned number?

      They're going to be "diligent in assessing the applications?!"

      Don't make me laugh.

    3. Re:Highest Respect for MITRE by Anonymous Coward · · Score: 0

      why are they paying for solutions instead of coming up with them on their own?

      Who says they aren't working on the problem? Also what, $50K is half a man year for someone on their staff?

    4. Re:Highest Respect for MITRE by Anonymous Coward · · Score: 0

      sure, fine answer, but the underlying gripe was why haven't they found an answer already years ago

  9. That's gonna bankrupt someone by Anonymous Coward · · Score: 0

    Either MITRE or the insurer for the contest...

  10. Lord of the Rings by Anonymous Coward · · Score: 0

    You're racist.

  11. What exactly ... by PPH · · Score: 1

    ... is a rogue device?

    that we expect to be present being hijacked for nefarious purposes. And even if I don't plug my TV set into my home network, what's to stop it from turning on its WiFi and establishing a mesh network through the neighbors' TV sets until it can reach some remote command server?

    --
    Have gnu, will travel.
    1. Re:What exactly ... by Anonymous Coward · · Score: 0

      And even if I don't plug my TV set into my home network, what's to stop it from turning on its WiFi and establishing a mesh network through the neighbors' TV sets until it can reach some remote command server?

      Somehow I'm more afraid of TVs communicating over VHF than 802.11...

    2. Re:What exactly ... by Anonymous Coward · · Score: 0

      I suppose it would be your neighbors choosing not to buy TVs that run open access points.

    3. Re:What exactly ... by plover · · Score: 1

      I suppose it would be your neighbors choosing not to buy TVs that run open access points.

      My neighbors aren't that smart, and neither are yours.

      --
      John
    4. Re:What exactly ... by PPH · · Score: 1

      So, something like this?

      I'm going to depend on my neighbors knowledge of secure IT systems to protect my privacy? Yeah, right. He works for Microsoft.

      --
      Have gnu, will travel.
    5. Re:What exactly ... by gzuckier · · Score: 1

      ... is a rogue device?

      that we expect to be present being hijacked for nefarious purposes. And even if I don't plug my TV set into my home network, what's to stop it from turning on its WiFi and establishing a mesh network through the neighbors' TV sets until it can reach some remote command server?

      Like my Comcast wifi which now routinely offers unsecured Xfinity wifi to all passers by in the neighborhood (by design); and as a bonus, occasionally drops my secure wifi so that my devices switch over to the public Xfinity network, silently?

      --
      Star Trek transporters are just 3d printers.
  12. Is it some cheap shit made in China? by Anonymous Coward · · Score: 0

    Congratulations, you have identified a rogue device.

  13. Watch the lights? by cdxta · · Score: 1

    Just watch the router and cable modem lights when they should be idle and make sure they aren't blinking away.

    1. Re:Watch the lights? by Zero__Kelvin · · Score: 1

      How, pray tell, do you know when they should and should not be idle?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  14. if you ask me all IOT devices are "rogue" by TractorBarry · · Score: 1

    From what I've seen all IOT (more like IOSS "Internet Of Shit Security") devices are insecure.

    So if you detect an IOT device it's pretty much guaranteed to be "rogue".

    It's a complete joke how piss poor the security is on these devices. It's 2016 and we've had decades of devices being hacked over the internet. And the complete morons making this crap are *STILL* shipping them with default usernames and passwords, back doors, etc.

    Personally I think the best way to get some focus on this shit fest will be for a few huge class action lawsuits to head the way of the worst offenders who have helped create huge botnets of IOSS devices. The current situation is truly pathetic and gives the internet, coders and technology itself a (well deserved) bad name.

    Personally I've got zero IOSS devices in my house and will not be adding any until security is made a key focus of the manufacturing process. Maybe an ISO standard also needs to be introduced and any devices that don't pass it simply aren't legal for sale - with a suitable punishment for connecting one to the public internet (law varying by country - a fine in Europe, America, the death penalty in Singapore :))

    --
    Sky subscribers are morons. They pay to be advertised at !
  15. Raspberry Pi by thinkwaitfast · · Score: 1

    Are my Raspberry Pis considered iot devices?

    1. Re:Raspberry Pi by Anonymous Coward · · Score: 0

      is a 'thing' connected to the internet at all like a 'server'?

  16. Hot Issue by Anonymous Coward · · Score: 0

    Why not just measure the onboard temperature? The manufacturer should know what reasonable load and resulting heat would be, so a heat checksum or a heat average compared to current recent temps and user activity would seem to be a dead giveaway?

    1. Re: Hot Issue by Anonymous Coward · · Score: 0

      They have to do that for EVERY device.

  17. Do IoT devices not have MAC addresses? by Anonymous Coward · · Score: 0

    Or am I missing something stupidly obvious?

    1. Re:Do IoT devices not have MAC addresses? by knorthern+knight · · Score: 1

      Dumb User Answer: My PC is Windows, not MAC

      Competent User Answer: My MAC address is blah-blah-blah...

      l33t h@x0r d00d answer: My MAC address? What do you want it to be?

      --
      I'm not repeating myself
      I'm an X window user; I'm an ex-Windows user
  18. Activity Light by Anonymous Coward · · Score: 0

    Look for the blinky light on the device. If your thermostat is really busy, there's probably something wrong.

  19. rf recording? by Anonymous Coward · · Score: 0

    I thought IOT meant 'Internet' of Things. Why is the challenge giving a 'recording' of RF data?

  20. If you want the technology just buy it? by Anonymous Coward · · Score: 0

    Any halfway decent engineer with an understanding of the implementation of network communications and a math degree can build you something that will tell you if anything changes on a network - even if it is an appliance that for all intents and purposes is the same but anomalous.

    Just hire someone and get them to build it. Why would anyone waste time building a solution for a chance at money?

  21. nmap by Anonymous Coward · · Score: 0

    And a kiddie script should do it.

  22. We need downstream notification by Anonymous Coward · · Score: 0

    Near the source, this traffic is fairly sparse and hard to detect. Of course it is easy to detect near the destination; that is the problem.

    What if the carriers could share info backwards? If one point is seeing excessive traffic, they could tell those that are getting it from them that certain traffic is a problem. This could be propagated back to find the sources.

    Eventually I would imagine that the large carriers would refuse to work with peers that did not participate in this and filter the incoming traffic.

  23. ArqueoBit by ArqueoBit · · Score: 0

    ArqueoBit Archaeological Consultancy: http://arqueobit.com/ : archaeological rescue plan Peru, archaeological research projects, archaeological monitoring plan, certificate of non-existence of archaeological remains (CIRA) Peru, archaeological monitoring plan Peru, archaeological tourism and archaeological consulting, Environmental Consulting.

  24. iNSAne by Anonymous Coward · · Score: 0

    The NSA already knows all the threats from IoT devices (they put some of them there themselves) but they're keeping quiet about them until they can use them against the American people.

  25. solved problem? by Anonymous Coward · · Score: 0

    Isn't this a totally solved problem? You use a public/private key system.

    Look how ssh works. Every host has a host key and that is used to authenticate the host when you connect. It's also used to encrypt the data so others can't listen in and so on. When someone replaces the host ssh will notice and complain.

    And hey, it's a public/private key system. You can print the public key (fingerprint) on the device and in the manual. Make a QR code so you can scan it with your phone and be sure you will be talking to the thermostat you just scanned.
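The comment above proposes treating each thing like an SSH host: a key pair in the device, a fingerprint printed on the label or as a QR code, and a client that complains when the pinned key changes. The earlier "solved problem" comment about per-device credentials and 802.1X rests on the same idea of a per-device secret that a stand-in cannot reproduce. The Go program below is an added example written for this page, not code from any commenter, vendor or standard: it generates Ed25519 keys for devices, pins the fingerprint an administrator "scanned" at enrollment, and then runs a nonce-based challenge-response so that three cases come out differently: the genuine device, a swapped unit with its own key, and an impostor that copied the public key off the label but lacks the private key. The `Device`, `KnownHosts` and `Demo` names are this example's own inventions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device stands in for a thing whose key pair lives in its firmware.
type Device struct {
	Name string
	priv ed25519.PrivateKey // never leaves the device
	Pub  ed25519.PublicKey
}

// NewDevice mints a fresh key pair, as a manufacturer would at production.
func NewDevice(name string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{Name: name, priv: priv, Pub: pub}, nil
}

// Fingerprint is the short value printed on the label, manual or QR code.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return "SHA256:" + hex.EncodeToString(sum[:])
}

// Prove signs a verifier-chosen nonce; only the holder of priv can do this.
func (d *Device) Prove(nonce []byte) []byte {
	return ed25519.Sign(d.priv, nonce)
}

// KnownHosts is the administrator's pin store, in the spirit of
// ~/.ssh/known_hosts: device name -> pinned fingerprint.
type KnownHosts map[string]string

// Enroll pins a device only if the key it presents on the network matches
// the fingerprint the administrator read off the physical label.
func (k KnownHosts) Enroll(name, scannedFP string, presented ed25519.PublicKey) error {
	if Fingerprint(presented) != scannedFP {
		return errors.New("presented key does not match the scanned label")
	}
	k[name] = scannedFP
	return nil
}

// Verify is the daily check: the key must match the pin, and the device
// must prove possession of the private key over a fresh nonce.
func (k KnownHosts) Verify(name string, presented ed25519.PublicKey, nonce, sig []byte) error {
	fp, ok := k[name]
	if !ok {
		return errors.New("unknown device: not enrolled")
	}
	if Fingerprint(presented) != fp {
		return errors.New("host key changed: device may have been replaced")
	}
	if !ed25519.Verify(presented, nonce, sig) {
		return errors.New("bad signature: presenter does not hold the private key")
	}
	return nil
}

// Demo runs the genuine, swapped and impostor cases and returns one verdict each.
func Demo() ([]string, error) {
	genuine, err := NewDevice("thermostat")
	if err != nil {
		return nil, err
	}
	swapped, err := NewDevice("thermostat") // a different unit using the same name
	if err != nil {
		return nil, err
	}
	pins := KnownHosts{}
	// Enrollment: the administrator scans the label and the device presents its key.
	if err := pins.Enroll("thermostat", Fingerprint(genuine.Pub), genuine.Pub); err != nil {
		return nil, err
	}
	nonce := make([]byte, 32) // fresh per check, so an old signature cannot be replayed
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	verdict := func(label string, err error) string {
		if err == nil {
			return label + ": ok"
		}
		return label + ": " + err.Error()
	}
	return []string{
		verdict("genuine", pins.Verify("thermostat", genuine.Pub, nonce, genuine.Prove(nonce))),
		verdict("swapped", pins.Verify("thermostat", swapped.Pub, nonce, swapped.Prove(nonce))),
		// The impostor presents the public key copied from the label but signs with its own key.
		verdict("impostor", pins.Verify("thermostat", genuine.Pub, nonce, swapped.Prove(nonce))),
	}, nil
}

func main() {
	verdicts, err := Demo()
	if err != nil {
		panic(err)
	}
	for _, v := range verdicts {
		fmt.Println(v)
	}
}
```

Two details carry the security value. Enrollment compares the key seen on the wire with the fingerprint read from the physical object, which is what turns trust-on-first-use into verified-on-first-use; and verification demands a signature over a nonce the checker chose, so knowing the public key, which is printed on the box by design, is not enough to pass.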