US Government Offers $25,000 Prize For Inventing A Way To Secure IoT Devices (ftc.gov)
An anonymous reader writes:
America's Federal Trade Commission has announced a $25,000 prize for whoever creates the best tool for securing consumers' IoT devices. The so-called "IoT Home Inspector Challenge" asks participants to create something that will work on current, already-on-the-market IoT devices, with extra points also awarded for scalability and ease of use.
"Contestants have the option of adding features, such as those that would address hard-coded, factory default, or easy-to-guess passwords," according to the official site, but "The tool would, at a minimum, help protect consumers from security vulnerabilities caused by out-of-date software." The winning submission can't be just a policy (or legal) solution, and will be judged by a panel which includes two computer science professors and a vulnerability researcher from Carnegie Mellon University's CERT Coordination Center.
Computerworld points out that "This isn't the first time the FTC has offered cash for software tools. In 2015, it awarded $10,500 to developers of an app that could block robocalls."
Throw the IoT in the trash and get regular devices that do not connect to the internet.
Remove internet connectivity. There you go, pay me.
A simple pair of wirecutters will make any network device secure. Do your thermostat and lightbulb really need to communicate with the mothership Google to work?
This is no technical problem. You can't add security around insecure devices by default. Even if you did some firewall, the device still has to communicate with the internet one way or another, or it has to communicate via bluetooth, and these two paths can still be used for attacks.
The only proper solution is a policy.
Voila!
Security needs to be designed into the protocols from the start.
This is what scares me about the fast track mandate for vehicle-to-vehicle (V2V) communications. There is no time to be sure the new standard is secure.
Easy Solution - Hold Manufacturers Responsible. Pass legislation that any IoT device must be maintained with security patches for 2 years past sale and any substantial deviation from industry best practices (e.g. hard coded credentials, open telnet) would lead to hefty penalty.
Treat these guys as you'd treat factories that dumped toxic waste into rivers.
Why does the media act like hacking is a problem? It isn't. Per Donald Trump.
Ummm... okay. Good luck with that.
If the vendors are constrained to use a current Linux or BSD variant, then the customer can update whenever fixes are available. That probably makes lightbulbs too expensive, but for toasters on up, it's possible (;-))
davecb@spamcop.net
I have a better idea. How about the US Government fine companies 75% of their net profits every time they design and sell a product that's insecure to begin with.
That goes for everything, not just IoT. The future of autonomous vehicles scares the shit out of me because of the half-assed approach towards securing them.
Isn't the solution essentially known?
Write a highly audited, formally proven hypervisor enforcing the capability security model with help of hardware features in the CPU, recreate our entire commodity software stack, as needed for IoT devices, implementing said capability security model.
With that approach I believe there is at least a formal proof that full security is at least fundamentally achievable, something I believe has not been proven for our currently employed programming model.
There is of course the not so nice aspect of recreating the entire software stack, and that it would provide security from all, including the Alphabet Soup Guys.
It's called a firewall. I'll take my prize in unmarked bills please.
I could make a heck of a lot more than $25k...
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
We have a way.
Don't use a default username/password. Figure a way of hashing a hardware id/MAC address.
Don't accept updates over unauthenticated protocols.
Don't accept updates that aren't signed by a securely held signing key.
Don't release with 'debug mode' backdoors in place.
Don't run services as root when less privileged users would work fine.
Don't reveal/accept changes to configuration details to the world at large.
Don't slurp user data and store it indefinitely back at the corporate mothership.
Seriously, none of this is rocket science that needs a government initiative to promote. There isn't an 'invention' that can magically secure IoT devices. Just don't write shit code in the first place.
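An added example, not from the commenter above, of what the "signed by a securely held signing key" and "no unauthenticated updates" points look like on the device side. The key names, the 4-byte version header and the sample images are constructed for the illustration; it uses Go's standard-library ed25519 and also rejects rollback to an older signed image, which the list does not mention but which the same check makes cheap.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a firmware image as received over the untrusted network.
// Version is a monotonic counter covered by the signature, so an old image
// that was validly signed at the time cannot be replayed onto the device.
type Update struct {
	Version   uint32
	Payload   []byte
	Signature []byte // ed25519 signature over signedBytes(Version, Payload)
}

// signedBytes is the exact byte string the vendor signs: a 4-byte
// big-endian version followed by the image, so version and image
// cannot be mixed and matched.
func signedBytes(version uint32, payload []byte) []byte {
	buf := make([]byte, 4+len(payload))
	binary.BigEndian.PutUint32(buf[:4], version)
	copy(buf[4:], payload)
	return buf
}

// SignUpdate is the vendor side. The private key never leaves the vendor
// (hypothetically an HSM or an offline signing host).
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) Update {
	return Update{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signedBytes(version, payload)),
	}
}

var (
	ErrUnsigned = errors.New("update has no signature")
	ErrBadSig   = errors.New("update signature does not verify")
	ErrRollback = errors.New("update version is not newer than installed")
)

// AcceptUpdate is the device side. vendorPub is burned in at the factory;
// installed is the running version. The signature is checked before any
// field, including Version, is trusted.
func AcceptUpdate(vendorPub ed25519.PublicKey, installed uint32, u Update) error {
	if len(u.Signature) == 0 {
		return ErrUnsigned
	}
	if !ed25519.Verify(vendorPub, signedBytes(u.Version, u.Payload), u.Signature) {
		return ErrBadSig
	}
	if u.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	// Constructed sample keys and images; a real device holds only pub.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	good := SignUpdate(priv, 2, []byte("firmware v2"))
	fmt.Println("vendor-signed v2 on v1:   ", AcceptUpdate(pub, 1, good))
	fmt.Println("same image replayed on v2:", AcceptUpdate(pub, 2, good))
	fmt.Println("signed with other key:    ", AcceptUpdate(pub, 1, SignUpdate(attackerPriv, 3, []byte("x"))))
	tampered := good
	tampered.Payload = []byte("firmware v2, modified in transit")
	fmt.Println("payload altered:          ", AcceptUpdate(pub, 1, tampered))
	fmt.Println("unsigned:                 ", AcceptUpdate(pub, 1, Update{Version: 9, Payload: []byte("x")}))
}
```

The transport does not matter here: whether the image arrives over plain HTTP or a USB stick, the device trusts nothing until the signature over version plus image verifies against the factory-installed public key.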
Sorry, but that's less than 3 months salary for me. Developing an easily portable solution that can secure IoT devices is going to take more than three months effort. Why would I take a pay cut?
All that does is put a stop to the market and any new products. You end up in one of two scenarios:
a. Everybody stays out because the risk's too high.
b. Only a few big players who can afford insurance and/or to buy off exceptions for themselves can play. What little is available in the market is expensive and crummy.
The 'invention' could be a device (or devices) that is updated with the latest found vulnerabilities and that scans for and updates insecure devices.
The Magic Fix Box!
Only three easy payments of $59.95
Since all the programmers doing the software for this IoT stuff believe that 'coding' is dragging ready-made blocks around in a Visio-like interface, someone just has to make a "security" block for them. They don't need/care to know what goes on inside the block, as long as it's called security. Because code reuse is cool, or something.
Most of the devices have anything from an AVR8/PIC to a mid-spec ARM Cortex-M4 with insufficient memory to run either in the system. This is because of cost concerns. BoM costs should be around 1-5 dollars or so for the "smart" bulbs out there, and that equates to very few opportunities for an advanced OS and full-tilt reflash being built into the devices.
The lightbulbs out there use either WiFi (LIFX, any of the UPnP devices), ZigBee (Philips, GE, Cree, Osram, most of the others), or Bluetooth (Some small players, Samsung's shown some mesh solutions at CES last and this year). All of them are dodgy at best for upgrading. LIFX has been designed that way since they use WiFi and AllJoyn, which while it doesn't use Linux, etc. is up the foodchain high enough that it can do firmware update, etc.
The FBI and NSA are offering full-time jobs with easily three times that reward in yearly salary to anyone who designs total backdoors into each of these devices, as well as integrating cameras to the devices without one to maximize the "national security" in their pants
This is a classic "silver bullet" approach. The FTC literally thinks there's some magical device that could be invented to solve the problem. It's a fundamental misunderstanding of the problem.
Obviously these things need to be designed to be secure in the first place, and need to be maintained like any other piece of software that connects to a network. A scanner, a firewall, or whatever isn't going to fix that problem. Even if it COULD somehow do that, the vast, vast majority of people are never going to buy a "magical device" to secure their washing machine, because they don't care or see the problem with someone breaking into their washing machine.
Whatever comes out of this will be the wrong solution to the right problem.
That's why all android devices automatically get updates, right? Even the decade-old ones that can't run new versions?
The OS doesn't matter. What's missing is the infrastructure to support patch development, testing, and delivery. Once the initial vendor goes out of business (or discontinues that product), there's no mechanism to continue development, no way to test the patch, and no way to get the new software into the devices.
An open-source mandate fixes the ability to develop new patches, but it becomes much more difficult to thoroughly test on all versions of affected devices, and there's no easy channel to get the new software to the end users.
You do not have a moral or legal right to do absolutely anything you want.
It should be secured
Information should always be locally accessible to the user without any cloud login, so he or she has access to his own personal information.
If information is stored on the cloud, the user should be warned of the potential risks.
It should be stored encrypted on the cloud with only the user having access to personal information.
And if the company does want the user's personal information it should ask permission, since most people in my surroundings do not realise they are giving away their personal info with all these new smart gadgets by just using them. Also inform the user which data is sold or used and in what way.
It should be easy to update locally.
If the company gets sold, goes bankrupt or decides to stop support, they have to open source their code, such that the community can at least give some support.
There's probably more :-)
They should make it a law with a hefty fine for any company violating this. Like $10.000 per user whose information is illegally sold or lost, and 2% of the gross revenue.
The US Government can do this easily... making it a law... would change the industry in a day, and protect the people which the government should be all about.
But then again... offering $25.000 :-) It seems the bug bounty programs are finally reaching the US government institutions.
There isn't going to be a magic wand for this. But a multifaceted approach would help.
1) Standards body to oversee the software and protocols.
2) Standard IOT base software stacks and protocols. Ideally run as an open source style project with companies encouraged to give back to the software stacks. Maybe protection from being sued for security problems found if they are using the certified software stacks. i.e. we were using the certified software stack in a certified way is a valid legal defense. If your modifications are the problem you lose that protection. Makes getting your modifications into the base stacks very appealing to the lawyers, etc.
3) Certification program that takes completed devices and runs them through tests. Penetration tests of the completed devices. Manual and automated review of the software. Should be easy to fast track the software reviews if you're building on top of one of the approved IOT base software stacks.
4) Require a way to easily update the software of the devices. The reality is forced updates are going to have to be required because most won't manually update the devices.
5) Require that a fully functional software stack be put in escrow for each device and revision of software. The company must provide support for the device or the software base is released. Lack of support for the device is decided by the standards board, not the company. Fully functional means that someone can take the stack, compile it and successfully install it on the device. No hidden BS boot encryption keys that are missing, etc. If there are encryption keys like that then they have to be put in escrow with the rest of the software stack.
6) Media campaign to get people to buy only certified IOT devices.
Probably plenty more things that are good ideas/best practices. But this would be a start.
Sorry, the price is not high enough.
Thinking of a solution, you need to buy a lot of Internet-of-Crap stuff, to test your solution and to dissect it to be able to find e.g. hardcoded passwords. This alone will cost you more than 25.000 if you're serious about it in a way which will win you the 25.000.
The only option would be hoping that you sell your device often enough that you will make money from that. But you will realize that nobody cares about his toaster being part of a DDoS attack.
The importance of this is high and $25K is an insult to the amount of effort required to do this.
That number is so low, it's meaningless.
- Zav - Imagine a Beowulf cluster of insensitive clods...
Someone finds a solution, is paid $25K. Solution passed on to NSA, who'll modify it so it can be used for their nefarious purposes.
Build a collection of easy device hacks, the way security companies collect virus signatures now, and have a firewall on the wide area connection that attempts to use the methods in the collection to gain access to the devices that want through. Devices that can be defeated by the firewall aren't allowed past it.
very funny, government, very funny
25 kilobucks???!!! WTF?? Realistically, such a solution would be worth AT LEAST seven figures. And anyone smart enough to come up with it shouldn't be dumb enough to sell it off for chump change, especially in an era where 'rounded corners' can not only be patented, but can almost be successfully defended against "infringement".
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
Use a Hammer!
Stupid. All this would do is provide a nice barrier to entry that all the big players (Apple, Google, Microsoft) would love. The comparison to dumping toxic waste into a river is absurd.
All such attempts would do is give money to some lawyers to write a better EULA. What? "My device is not insecure if used as intended, and I can't help it if consumers use it improperly".
A solution for that problem is worth a few billion.
Here's my take on this issue: [There's no new firewall or NAT devices needed.]
Require all Point of Sale to enable the IoT and connect to the merchant's PC to change the root or admin name and passwd right in front of the buyer before the buyer pays for the product. Write the new root name and new passwd on the receipt, and ensure the passwd was not copied to the second receipt by the carbon paper.
[for techie buyers] Connect then portscan the device from your PC to check if other ports were open. While you're at it, check the passwd file if there are other registered users in addition to the new root name.
IoT should have hardware and factory reset switch.
IoT should store 3 to 5 different device M.A.C. which is securely hashed, probably sha256 or longer ones. Each login attempt of a device should require the correct port [possibly using port knocking] and then forwarding the MAC of the requesting machine, then IoT verifies the MAC with its hashed database if it has rights to modify the config settings. This is in addition to the root username and passwd.
IoT firmware source code in Java or C++ should be included, so that any vulnerability can be fixed by owner or his IT friends in FB.
Thanks, I don't need cash, just forward my $25,000 cheque to any cancer research foundation.
Disconnect them. Problem solved.
Yes: we agree lightbulbs won't make it.
davecb@spamcop.net
The OS doesn't matter. What's missing is the infrastructure to support patch development, testing, and delivery. Once the initial vendor goes out of business (or discontinues that product), there's no mechanism to continue development, no way to test the patch, and no way to get the new software into the devices.
Some OSs, specifically including the WRT families, include the infrastructure. Others do not and never will, as their vendors are aiming at exceedingly low-cost "use and discard" devices... or, conversely, excessively expensive "planned obsolescence" devices like cars and cell phones.
davecb@spamcop.net
Unmaintained, unsupported or unpatched (say 30 days) products no longer benefit from copyright and patent law.
DRM? No thanks, I'll just get it somewhere else...
Boy, that's an expensive hammer! Even the DoD don't pay that much.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
It wouldn't be if 'things' were designed with safety in mind.
"Trump!!", the new Godwin.
Submit it! (after March 1st).
Irresponsible disclosure is responsible
You could license your tech to the industry and make tens of millions. Sorry US gov, your offer is way too low.
First you need to identify people in a secure fashion so that you can control access to the IoT. Further, you need a more secure method than just something like SSN (in the US), which is an outdated protocol. Something like IPv6 addresses might be sufficiently complex and mappable, but perhaps the security certificate model but for people (e.g. a public key literally printed on a business card) might be better. But, in any case, base it on an existing binary protocol and a BIG namespace: current human-readable usernames or SSNs are unsustainable, over time, if you want to avoid collisions in the namespace in the future. Finally, since such a code/private certificate/address would be impossible to memorize, you would want to encode it in something like a QR barcode that you could either keep with yourself at all times, or even tattoo on yourself. That QR code could then be used to access your IoT devices. I'm thinking of calling it the Binary Extensible Authentication and Security Token, and the QR tattoo could be referred to as ... okay, long setup for a joke.
I'm trying to understand *how* this is happening.
First I always change the admin password. Manufacturers should require this, step 1, before the device will work. Problem 1 solved.
I use a router. UPnP is always disabled. Thus:
The IoT devices should also be configured to work "openly" (IMHO) if they're on a 192.168, 169.254, or 10. DHCP'd network. Are people plugging them into an ISP port directly, giving it full inbound access from the Internet? I've never set one up that way. Only a router.
I guess now I expect people to know which port and how to open it up. I'm paranoid enough to not do that even directly -- ie: all video sources are aggregated to a server which *is* open on one https port. I know to accept my self-signed certificate. Yeah, I guess this should be easier if security is required (it should be).
I won't use Comcast to check / open my garage door remotely. I wrote my own program. The idea of using *any* service provider with access to my cameras isn't going to happen.
What users need is a touch-screen router with easy setup buttons for user specific settings (port, type, etc), and a menu for known IoT devices: ie swipe to find Frigidaire milk cam, enter admin password. Configured.
Only the router goes to the ISP.
There, IOT is secure, where's my money?
The best way to secure "IoT" is for the industry to keep right on marching toward a not so distant future where "IoT" and "SMART" are widely viewed as toxic and undesirable.
At some point the consumer is going to ask themselves... do I REALLY want to pay $200 for fake FBI notices, ransom notes and advertising burned into my toast or can I get by with the $20 wall-e-mart special?
Do I really want to put up with a toaster that stops making toast whenever Internet is down, whenever original vendor goes out of business, wants me to buy a new one or no longer feels like "supporting" their creation? Can I get by with the $20 wall-e-mart special?
Do I want my appliances watching me stumbling about my kitchen and uploading my performances to James Clapper and criminal gangs or can I get by with the $20 wall-e-mart special?
Do I take members of US intelligence agencies seriously when they warn/gloat:
"Items of interest will be located, identified, monitored and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers and energy harvesters all connected to next-generation Internet using abundant, low-cost and high-power computing."
Or
"In the future, intelligence services might use the IoT for identification, surveillance, monitoring, location tracking, and targeting for
recruitment, or to gain access to networks or user credentials."
Perhaps I can get by with the $20 wall-e-mart special?
$25,000? Why not $5? It would go just as far in this case, and would save taxpayers some money.
Cloudiot: A person who does not see offsite storage as a way to lose control over access to his or her own data.
Most crap has no business of being connected to anything. Fuck this utterly idiotic IoT idea and fanatics, who keep promoting this shit.
So you secure millions of devices, make the online world a safer place, and all you get is $25,000?
Just toss OpenVPN on a Raspberry Pi with a very simple WebUI and then claim your $25k, easy as pie.
If you fail to change the default password of your new IP camera, or other device, I come to your house and smack you upside the head.
Where do I collect my money?
Here's my solution. I don't like parts of it, like having to pay a provider, but it is somewhat realistic.
1) Open source all IoT devices. Open source is necessary to be able to find the problems.
2) Put them behind a filtered network. The filter device must also be open source. The purpose of the filter device is to provide a single point that can, if need be, be replaced more frequently as attacks adapt.
3) The filtered network must only allow approved IoT devices on it. The gateway device likely will limit how you can externally control those devices.
4) Pay $Provider a continuous monthly fee to maintain and improve the security of IoT devices. Seriously, you can't just pay $25 for a router and expect it to be secure forever.
5) The provider needs to continually investigate the devices they support for security issues.
7) Maintain lists of the devices that have been shown to be the most secure. In fact, a truly secure design does not just become insecure because time passes. Those devices might be sold at $25 a pop.
8) Don't just stick any new device on the list of secure devices. If you have a known proven secure device such as a thermostat or something. Stick with it. If you want to stay with your security provider you can't just go buy the new shiny.
9) Devices may be composed of secure modules, such that newer devices can be provably secure by using the secure module as the basis. Again, the goal of security is to be sure, not to have the most features. More features = more possible security holes.
10) Pass laws that prevent the government from inserting back doors in these devices. Yes, I know it won't really stop them, but it is better than nothing.
Security is a process not something that can be solved for a pittance, though if they want to donate the $25k now, they can send it to NPR or heck Bruce Schneier for that matter. People do know he has a mailing list right?
Is probably worth paying billions for if zero-day
... use crystallographic authentication and limit what can talk to what.
For example, if a "black box" at my electric company needs to talk to my electric meter over a public IP network (why? I don't know, but suppose it does), put a firewall on the electric meter that won't even acknowledge a connection unless it is encrypted specifically for that particular electric meter and signed by that particular "black box." Likewise, the "black box" will not continue the conversation unless the electric meter responds not only with an encrypted, signed message, but it also follows other handshaking protocols to the letter.
The specific keys and protocols for the electric meter were installed in the device prior to installation.
Now, as for consumer devices where the consumer will want to access the device from his phone, or for devices which will need to change who they talk to over the life of the device, well, that is left as an exercise for the reader.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
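An added example, not from the commenter, of the meter/black-box exchange described above: the meter answers nothing unless the first message is authenticated with the key installed in that particular meter, the black box stops unless the reply is tied to its own nonce, and the meter accepts exactly one command, in order, per verified hello. The message layout, the per-meter HMAC key, the meter ID and the sample commands are all constructed for the illustration; it covers the authentication and "follows the handshake to the letter" part only, so the encryption the post also asks for would be a separate layer over the body.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Meter holds the per-meter key installed at the factory (hypothetical:
// 32 random bytes kept in the meter and in the utility's key store).
type Meter struct {
	ID      string
	Key     []byte
	await   bool   // true only between a verified hello and its command
	nonce   []byte // nonce this meter issued for the current exchange
	Applied []string
}

// Message is what crosses the public IP network.
type Message struct {
	Type    string // "hello", "ack" or "cmd"
	MeterID string
	Nonce   []byte
	Body    []byte
	Tag     []byte
}

// tag is an HMAC over a type label and length-prefixed parts, so a tag for
// one message type (or one nonce) cannot be reused as another.
func tag(key []byte, label string, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(label))
	for _, p := range parts {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(p)))
		m.Write(n[:])
		m.Write(p)
	}
	return m.Sum(nil)
}

func newNonce() []byte {
	n := make([]byte, 16)
	rand.Read(n)
	return n
}

// HandleHello: the meter answers only a hello addressed to it whose tag was
// made with this meter's key; anything else gets silence, not an error.
func (m *Meter) HandleHello(msg Message) (Message, bool) {
	m.await = false
	if msg.Type != "hello" || msg.MeterID != m.ID ||
		!hmac.Equal(msg.Tag, tag(m.Key, "hello", []byte(msg.MeterID), msg.Nonce)) {
		return Message{}, false
	}
	m.nonce, m.await = newNonce(), true
	return Message{Type: "ack", MeterID: m.ID, Nonce: m.nonce,
		Tag: tag(m.Key, "ack", msg.Nonce, m.nonce)}, true
}

// HandleCommand accepts exactly one command, only right after a verified
// hello, and only if its tag covers the nonce this meter just issued.
func (m *Meter) HandleCommand(msg Message) bool {
	ok := m.await && msg.Type == "cmd" && msg.MeterID == m.ID &&
		hmac.Equal(msg.Tag, tag(m.Key, "cmd", m.nonce, msg.Body))
	m.await = false // any message, good or bad, ends the exchange
	if ok {
		m.Applied = append(m.Applied, string(msg.Body))
	}
	return ok
}

// BlackBox is the utility side; Keys maps meter ID to that meter's key.
type BlackBox struct{ Keys map[string][]byte }

// SendCommand runs the three-message exchange against one meter and stops
// at the first step whose reply does not verify.
func (b *BlackBox) SendCommand(m *Meter, cmd string) bool {
	key := b.Keys[m.ID]
	bn := newNonce()
	ack, ok := m.HandleHello(Message{Type: "hello", MeterID: m.ID, Nonce: bn,
		Tag: tag(key, "hello", []byte(m.ID), bn)})
	if !ok || !hmac.Equal(ack.Tag, tag(key, "ack", bn, ack.Nonce)) {
		return false // meter was silent, or the ack was not from our meter
	}
	return m.HandleCommand(Message{Type: "cmd", MeterID: m.ID, Body: []byte(cmd),
		Tag: tag(key, "cmd", ack.Nonce, []byte(cmd))})
}

func main() {
	key := []byte("constructed-32-byte-meter-key-00") // sample only
	meter := &Meter{ID: "meter-001", Key: key}
	utility := &BlackBox{Keys: map[string][]byte{"meter-001": key}}
	fmt.Println("box with this meter's key:", utility.SendCommand(meter, "tariff=night"))
	stranger := &BlackBox{Keys: map[string][]byte{"meter-001": []byte("guess")}}
	fmt.Println("box with the wrong key:   ", stranger.SendCommand(meter, "tariff=free"))
	fmt.Println("commands applied:", meter.Applied)
}
```

Because every tag covers the nonce the other side just issued, a captured command cannot be replayed against the meter later, and a captured ack cannot be used to impersonate the meter in a new session. In a real deployment the two sides would exchange these messages over a socket rather than method calls, and the meter would also rate-limit or silently drop anything arriving outside an exchange.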
... use crystallographic authentication and limit what can talk to what.
Obviously, the cryptographic authentication on my spell-checking IoT device wasn't working right and the device got hacked. GRRR.
I could make a heck of a lot more than $25k...
IOT being newer and less numerous is a waste of time for this kind of initiative. The world is still waiting for this magical one-size-fits-all solution to secure computers in general --the basic paradigm has existed for more than 50 years. Where is the solution for that old "devil you know", and why does the government suddenly think they can solve the harder problem of a newer and more unstable paradigm that lacks common standards like CPUs, operating systems and command/control guidelines?
Better yet, the only proposed solution^W service we can expect for the IoT problem is that someone will come up with a silly pay-to-go antivirus treadmill. I mean, that was the solution we all accepted for PCs in the eighties, right? Microsoft has done no better in their long reign against in-security. They only made (MS Antispyware or whatever it's called today) virus definitions "free" to activated users -- at the cost of keeping Windows Updates running faithfully and eventually hooking you all with telemetry even if you skipped on Windows 10.
In three years, $25,000,000. In ten years, $25,000,000,000.
The basic protocol should support network security isolation. The protocol should also support a cryptographic ID, not just location and routing. Then for the "DHCP" use a Web of Trust (WoT) to Authenticate, Authorize and Audit (AAA) the local Things.
if it wasn't you'd be $25k richer right now, right?
How are so many of these things accessible from the outside network?
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Pay me, Bitch!
If they were serious, they would spend money in a range where it could actually have some effect. Try at the very least 100x that, and more likely 1000x...10000x.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
How about putting a read-write switch that renders the core Operating System read-only except when you're updating it.
1. Secure your router or other network device with a new strong password that's not the default password or admin or user.
2. Run something like Avast Home Network Security https://www.avast.com/f-home-n... to see if any device still has issues.
Get OS makers in the US to scan the networks they are on to test if networked devices have default password and warn users to change them.
Most users will click past such warnings, but it's a simple step given the AV work the larger US OS brands now ship with their OS.
3. If you have some CCTV like device that has a network alert, use a dedicated cell network to send that image out to your cell phone.
Lots of cheap devices don't need to be internet facing and have the ability to connect.
4. Don't connect your "tv" display, refrigerator, dishwasher, lights, heater, AC to the internet. Use a cell phone network or think back to a next gen pager that only has one secure link to that user for devices that have to alert a user.
5. Use ethernet if possible so other users can't try and access your wifi network.
6. Empower the FCC to secure US networked communications consumer products. Not just interference but basic password security as sold too.
You buy a router in the USA, it ships with its own random strong password and username unique to that device not "password" for entire generations of devices...
Domestic spying is now "Benign Information Gathering"
Don't use IoT devices. Don't put WiFi and a webcam on my refrigerator or my water bottle.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Also create a way to put backdoors into already available secure encryption systems without compromising them. I'll give you a buck for that.
Sad that they don't actually realize that they are asking for something impossible for some cheap change. If anyone could invent something like that, they'd sell it for millions a piece for every IoT company out there that could end up with class action lawsuits and recalls on their hands.
That's easy, just don't connect them to a network. Works every time.
I will waive any reward. They can donate it to the IETF.
Why not $.25? Offer $25 million and you might get an answer. Actually, you'll get a lot of answers. Isn't this what the patent office should be doing instead of whatever it is doing? Making sure that inventors get paid?
Any guest worker system is indistinguishable from indentured servitude.
If the price is just $25K, what is the point of inventing the solution? Because of the price, the person won't be able to patent or license the product.
Besides ... the simple solution is the best solution. STOP PUTTING EVERYTHING ON THE NET.
Don't buy one. If you have no choice, then use a Faraday Cage to prevent it from communicating with anything, and pliers to remove the nasty bits.
It is worth noting that another possibility is to make the device simple enough that it can be properly validated. For instance, consider an IoT thermostat. The IoT thermostat connects to an HVAC system. It has a core system that does one thing and one thing only: it makes sure the temperature stays between 65 and 85 degrees when the thermostat power is on. The core system listens to one serial communications stream. It listens to this for one thing, a new temperature set value. If it is outside the expected range it ignores it. If it is inside, it sets that as the target temperature and attempts to attain it. Doing so, it must follow its program rules as to the time it must wait between changing between heat and cool and the time it must wait before reactivating heat or cool. The core system has no options for upgrade. It cannot be forced to go above 85 or below 65 because those limits were burned in at the factory and there are no user options to change this.
The core system is connected to the lower security user interface. The interface accepts wifi connections and allows all kinds of functionality. It also has a separate thermistor so it doesn't need to bother the core system. It has one serial connection to the core system.
Could this design be hacked? Absolutely. The lower security system might have been designed with all kinds of back doors and crappy code. It could be sending your current temperature back to china, russia, and well lots of other people that care about such things.
The key is to design the system so at its heart the damage by hacking can be limited and contained. Now that doesn't apply to every system, but where it can apply, it needs to be at least considered. No IoT refrigerator should ever be able to be told to go outside of safe refrigeration ranges unless someone physically turns it off from inside the refrigerator. No IoT enabled camera should be able to activate without a blinking light. etc. etc..
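An added example, not from the commenter, of the thermostat core described in the post: the 65-85 limits and the heat/cool timing rules are constants, the serial link can only say "SET <n>", and everything else is dropped. The message format, the 1-degree deadband, the specific wait times, the injectable clock and the sample input lines are constructed for the illustration; the wait durations stand in for whatever the equipment actually requires.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
	"time"
)

// Limits and timing rules are compile-time constants: nothing on the
// serial link, and no update path, can change them.
const (
	MinSetpoint    = 65
	MaxSetpoint    = 85
	modeSwitchWait = 5 * time.Minute // heat <-> cool change
	restartWait    = 3 * time.Minute // restarting the same equipment
)

type Mode int

const (
	Off Mode = iota
	Heat
	Cool
)

func (m Mode) String() string { return [...]string{"off", "heat", "cool"}[m] }

// Core is the high-assurance half of the thermostat. It owns the relay and
// the setpoint; the Wi-Fi user interface only gets a serial line into it.
type Core struct {
	Target   int
	mode     Mode
	lastRun  Mode      // last mode that actually ran
	lastStop time.Time // when that mode was switched off
	now      func() time.Time
}

// NewCore takes a clock so the timing rules can be tested deterministically.
func NewCore(now func() time.Time) *Core {
	return &Core{Target: 72, now: now}
}

// HandleLine is the whole input surface: "SET <n>" with n inside the
// burned-in range changes the target; everything else is ignored.
func (c *Core) HandleLine(line string) error {
	f := strings.Fields(line)
	if len(f) != 2 || f[0] != "SET" {
		return errors.New("ignored: not a SET message")
	}
	n, err := strconv.Atoi(f[1])
	if err != nil || n < MinSetpoint || n > MaxSetpoint {
		return errors.New("ignored: setpoint outside burned-in range")
	}
	c.Target = n
	return nil
}

// ServeSerial reads the UI's line stream until EOF; bad lines are dropped.
func (c *Core) ServeSerial(r io.Reader) {
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		_ = c.HandleLine(sc.Text())
	}
}

// Tick decides the relay state from the core's own sensor reading,
// applying a 1-degree deadband and the timing rules.
func (c *Core) Tick(currentTemp int) Mode {
	want := Off
	switch {
	case currentTemp < c.Target-1:
		want = Heat
	case currentTemp > c.Target+1:
		want = Cool
	}
	if want == c.mode {
		return c.mode
	}
	now := c.now()
	if c.mode != Off { // stopping, or a heat<->cool change: always via Off
		c.lastStop, c.mode = now, Off
		return Off
	}
	since := now.Sub(c.lastStop)
	if c.lastRun != Off && c.lastRun != want && since < modeSwitchWait {
		return Off // too soon to swap between heat and cool
	}
	if c.lastRun == want && since < restartWait {
		return Off // too soon to restart the same equipment
	}
	c.mode, c.lastRun = want, want
	return want
}

func main() {
	core := NewCore(time.Now)
	// Constructed sample of what a compromised UI might push down the line.
	core.ServeSerial(strings.NewReader("SET 70\nSET 120\nREFLASH 0xdead\nSET 60\n"))
	fmt.Println("target after hostile input:", core.Target) // stays 70
	fmt.Println("relay at 60 degrees:", core.Tick(60))
}
```

The point is the size of the thing that has to be right: a parser for one two-token message and a relay state machine with two timers is small enough to review line by line, and whatever happens on the Wi-Fi side, the worst it can do through this link is pick a number between 65 and 85.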
You mean a firewall?
Gee... I think wire cutters were invented a long time ago.