Slashdot Mirror
MITRE Dangles $50,000 Prize For Spotting Rogue Internet of Things Devices (securityledger.com)
Long-time Slashdot reader chicksdaddy quotes Security Ledger:
MITRE Corporation, the non-profit corporation that helps tackle some of the trickiest technical and security challenges out there, is dangling a $50,000 prize for anyone who can develop a solution for spotting rogue devices within an Internet of Things network...saying that it's looking for ground breaking new approaches to securing diverse Internet of Things networks like those in connected homes.
"Network administrators need to know exactly what is in the environment, or the network -- including when an adversary has switched out one device for another. In other words, is the smart thermostat we see today the same one that was there yesterday? We are looking for a unique identifier or fingerprint to enable administrators to enumerate the IoT devices while passively observing the network... " Their registration form will be open through October, and the challenge will end after four weeks in November, or "whenever someone wins."
"Network administrators need to know exactly what is in the environment, or the network -- including when an adversary has switched out one device for another. In other words, is the smart thermostat we see today the same one that was there yesterday? We are looking for a unique identifier or fingerprint to enable administrators to enumerate the IoT devices while passively observing the network... " Their registration form will be open through October, and the challenge will end after four weeks in November, or "whenever someone wins."
So where do I collect my prize?
if (thing_is_iot) { rogue_device_probability_pct = 100; } else { rogue_device_probability_pct = 99; }
I'll build as many rogue devices as they need for that price!
Is the smart thermostat we see today the same one that was there yesterday?
I bet this can be demonstrated to be equivalent to the halting problem. The question should be really: here are the spcifications of a certain device (whether dictated by the manufacturer, or determined empirically): does the present device match them? With every query from here to eternity? Under all circumstances? That smells like the halting problem.
So, in other words, you can never be completely certain of the answer, only confident up to specific bounds. Maybe that's good enough, but $50K for that kind of work is not, and the amount of effort involved for the general case, is not. A good solution for the problem is going to be the sort of thing that would take a startup into a medium-to-large corporation.
But there are really much better ways to avoid the problem in the first place. I mean, to paraphrase a processor of mine, we don't need a microprocessor in every doorknob. Just don't use the damned things. Your fridge does not need to be on the net. Nor do your chairs. Nor each door in your house. Your washing machine works perfectly well without being on the net. So does your garage door. The risks of putting highly insecure interfaces on such items just does not justify the potential benefit.
Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
MITRE. These people I hold the highest respect for.
One of my former classmates from Worcester Polytechnic Institute (Who got FAR better grades that I ever did; and who was near the top of the Engineering class of 1976) is working for them.
I also met some former MITRE folks here in Bellingham whom I immediately knew were very smart in the security field.
If these folks are offering the prize; I know they will be very diligent in assessing the applications.
Most Respectfully Yours Mark Allyn Bellingham, Washington
that we expect to be present being hijacked for nefarious purposes. And even if I don't plug my TV set into my home network, what's to stop it from turning on its WiFi and establishing a mesh network through the neighbors' TV sets until it can reach some remote command server?
Have gnu, will travel.
Just watch the router and cable modem lights when they should be idle and make sure they aren't blinking away.
From what I've seen all IOT (more like IOSS "Internet Of Shit Security") devices are insecure.
So if you detect an IOT device it's pretty much guaranteed to be "rogue".
It's a compelte joke how piss poor the security is on these devices. It's 2016 and we've had decades of devices beign hacked over the internet. Adn the complete morons making this crap are *STILL* shipping them with default username and passwords, back doors, etc.
Personally I think the best way to get some focus on this shiot fest will be for a few huge class action lawsuits to head the way of the worst offenders who have helped create huge botnets of IOSS devices. The current situation is truly pathetic and gives the internet, coders and technology itself a 9well deserved bad name).
personally I've got zero IOSS devices in my house and will not be adding any until the security is made a key focus of the manufacturing process. Maybe an ISO standard also needs to be introduced and any devices that don;t pass it simply aren't legal for sale - with a suitable punishment for connecting one to the public internet (law varying by countries - a fine in Europe, America, the death penalty in Singapore :))
Sky subscribers are morons. They pay to be advertised at !
Are my Raspberry Pis considered iot devices?
Dumb User Answer: My PC is Windows, not MAC
Competent User Answer: My MAC address is blah-blah-blah...
l33t h@x0r d00d answer: My MAC adress? What do you want it to be?
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
If it comes from China and is a brand you never heard of. It's going to be a problem.
Or a famous quality brand name which you see sold new on Ebay for $3.50 from China with free shipping.
Star Trek transporters are just 3d printers.