US Government Offers $25,000 Prize For Inventing A Way To Secure IoT Devices

An anonymous reader writes: America's Federal Trade Commission has announced a $25,000 prize for whoever creates the best tool for securing consumers' IoT devices. The so-called "IoT Home Inspector Challenge" asks participants to create something that will work on current, already-on-the-market IoT devices, with extra points also awarded for scalability ad easy of use.

"Contestants have the option of adding features, such as those that would address hard-coded, factory default, or easy-to-guess passwords," according to the official site, but "The tool would, at a minimum, help protect consumers from security vulnerabilities caused by out-of-date software." The winning submission can't be just a policy (or legal) solution, and will be judged by a panel which includes two computer science professors and a vulnerability researcher from Carnegie Mellon University's CERT Coordination Center.
Computerworld points out that "This isn't the first time the FTC has offered cash for software tools. In 2015, it awarded $10,500 to developers of an app that could block robocalls."

Easy Solution - Hold Manufacturers Responsible

[sinij]

Easy Solution - Hold Manufacturers Responsible. Pass legislation that any IoT device must be maintained with security patches for 2 years past sale and any substantial deviation from industry best practices (e.g. hard coded credentials, open telnet) would lead to hefty penalty.

Treat these guys as you'd treat factories that dumped toxic waste into rivers.

Multi faceted approach

[JASegler]

There isn't going to be a magic wand for this. But a multifaceted approach would help.

1) Standards body to oversee the software and protocols.

2) Standard IOT base software stacks and protocols. Ideally run as an open source style project with companies encouraged to give back to the software stacks. Maybe protection from being sued for security problems found if they are using the certified software stacks. i.e. we were using the certified software stack in a certified way is a valid legal defense. If your modifications are the problem you lose that protection. Makes getting your modifications into the base stacks very appealing to the lawyers, etc.

3) Certification program that takes completed devices and runs them through tests. Penetration tests of the completed devices. Manual and automated review of the software. Should be easy to fast track the software reviews if your building on top of one of the approved IOT base software stacks.

4) Require a way to easily update the software of the devices. The reality is forced updates are going to have to be required because most won't manually update the devices.

5) Require that a fully functional software stack be put in escrow for each device and revision of software. The company must provide support for the device or the the software base is released. Lack of support for the device is decided by standards board not the company. Fully functional means that someone can take the stack, compile it and successfully install it on the device. No hidden BS boot encryption keys that are missing, etc. If there are encryption keys like that then they have to be put in escrow with the rest of the software stack.

6) Media campaign to get people to buy only certified IOT devices.

Probably plenty more things that are good ideas/best practices. But this would be a start.

Verry simple

[MeNeXT]

Unmaintained, unsupported or unpatched (say 30 days) products no longer benefit from copyright and patent law.

Re:The Backasswards solution

[Sarten-X]

Joseph Bramah's lock was considered secure for 67 years, until Alfred Charles Hobbs picked it after a 51-hour effort in 1851. Now, modern tools and techniques can pick such a lock in a matter of minutes.

So let's suppose you had purchased one of Bramah's locks in 1850, with a 65-year history of perfection. If you were robbed in 1853, who bears the liability? Is it Bramah (actually his sons who inherited the business) for making an insecure lock that was sold as being secure? Is it you, for not replacing the lock as soon as a picking technique had been proven? Or is it the thief who actually exploited the vulnerability and broke the law?