Slashdot Mirror


US Government Offers $25,000 Prize For Inventing A Way To Secure IoT Devices (ftc.gov)

An anonymous reader writes: America's Federal Trade Commission has announced a $25,000 prize for whoever creates the best tool for securing consumers' IoT devices. The so-called "IoT Home Inspector Challenge" asks participants to create something that will work on current, already-on-the-market IoT devices, with extra points also awarded for scalability and ease of use.

"Contestants have the option of adding features, such as those that would address hard-coded, factory default, or easy-to-guess passwords," according to the official site, but "The tool would, at a minimum, help protect consumers from security vulnerabilities caused by out-of-date software." The winning submission can't be just a policy (or legal) solution, and will be judged by a panel which includes two computer science professors and a vulnerability researcher from Carnegie Mellon University's CERT Coordination Center.

Computerworld points out that "This isn't the first time the FTC has offered cash for software tools. In 2015, it awarded $10,500 to developers of an app that could block robocalls."

7 of 196 comments

  1. Solution by Anonymous Coward · · Score: 5, Insightful

    Throw the IoT in the trash and get regular devices that do not connect to the internet.

  2. Here's my way. by Anonymous Coward · · Score: 2, Insightful

    Remove internet connectivity. There you go, pay me.

  3. $25K for a Multimillion Dollar Solution? by Anonymous Coward · · Score: 2, Insightful

    Ummm... okay. Good luck with that.

  4. The Backasswards solution by geekmux · · Score: 4, Insightful

    I have a better idea. How about the US Government fine companies 75% of their net profits every time they design and sell a product that's insecure to begin with.

    That goes for everything, not just IoT. The future of autonomous vehicles scares the shit out of me because of the half-assed approach towards securing them.

    1. Re:The Backasswards solution by Sarten-X · · Score: 3, Insightful

      The problem is defining "secure" and "insecure". In the US, the standard is "perfect tender", where the company just has to produce a product that is perfect to the best of their ability, and acceptable to the customer. The product may have been insecure from the start, but nobody knew it, because the vulnerabilities weren't known yet.

      Three years ago, we had no idea that the rowhammer effect could corrupt data. Two years ago, we didn't think it had security implications. Now we know better, but my desktop was built four years ago.

      There are some vulnerabilities that can be resolved, like default passwords... but those are comparatively rare. For production and installation ease, the devices are usually shipped with a default password and the user is provided instructions to change the password. The problem is that the users don't read the instruction manual for their new lightbulbs. In this case, the product is designed and sold to be secure, but the user's inaction caused the insecurity.

      Ultimately, the liability for an attack lies (legally) with the attacker. It's been that way for several thousand years, and is fundamental to the legal framework in this country. Trying to change that will have many unintended consequences.

      --
      You do not have a moral or legal right to do absolutely anything you want.
  5. If I could secure IoT devices by rsilvergun · · Score: 3, Insightful

    I could make a heck of a lot more than $25k...

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  6. Solution! by Anonymous Coward · · Score: 0, Insightful

    Disconnect them. Problem solved.