US Government Offers $25,000 Prize For Inventing A Way To Secure IoT Devices

An anonymous reader writes: America's Federal Trade Commission has announced a $25,000 prize for whoever creates the best tool for securing consumers' IoT devices. The so-called "IoT Home Inspector Challenge" asks participants to create something that will work on current, already-on-the-market IoT devices, with extra points also awarded for scalability ad easy of use.

"Contestants have the option of adding features, such as those that would address hard-coded, factory default, or easy-to-guess passwords," according to the official site, but "The tool would, at a minimum, help protect consumers from security vulnerabilities caused by out-of-date software." The winning submission can't be just a policy (or legal) solution, and will be judged by a panel which includes two computer science professors and a vulnerability researcher from Carnegie Mellon University's CERT Coordination Center.
Computerworld points out that "This isn't the first time the FTC has offered cash for software tools. In 2015, it awarded $10,500 to developers of an app that could block robocalls."

Solution

Throw the IoT in the trash and get regular devices that do not connect to the internet.

Re: Solution

Your check is in the mail - Uncle Sam

Re: Solution

[wanfuse123]

Better idea. Build a mini firewall in just a couple kb space and use an accurate clock, an encrption algorithm, to implement shimmer with a neural net behind it, trained with attack data replays and only have them connect to a central web location with a static ip using ip6 over ip4 tunneling and secure the shit out of the central server.

Re:Solution

[mikael]

Even if they do not connect to the public Internet, any home user who has their own private internet for their appliances (smart TV, fridge, toaster, router, garage door and smartphone with bluetooth connectivity) still has the problem of someone trying to guess passwords through repeated attempted connections to each device via wireless connections. How many articles have there been on somebody creating a gadget that simply cycles through every single possible passcode combination?

Even with a personal wifi router, it seems crazy that every device including smartphones should only need to know the one wi-fi password, and that's likely to be backed up somewhere to a Samsung, Sony or Google server somewhere.

Re:Solution

[mwvdlee]

Don't use passwords at all?

Perhaps store a strong encryption key on a memory card (i.e. a small microSD, but it could probably be a lot cheaper) that is set by inserting the cart in the router, then inserting it in the IoT-device. Yes, it'll be more expensive but it would eliminate human stupidity.

I'm sure much better, easier and cheaper system can be invented by security experts.

The problem won't be the technical solution, it will be getting hardware manufacturers to implement it.
There's no way to force compliance through any technical means, so all we're left with is laws and regulations, which would likely be too ambiguous to provide any real security.

Re:Solution

[CaptainDork]

I'm sure much better, easier and cheaper system can be invented by security experts.

Apparently not.

... will be judged by a panel which includes two computer science professors and a vulnerability researcher from Carnegie Mellon University's CERT Coordination Center.

Re: Solution

[wanfuse123]

Oh one more thing. Majority of shimmer code needs to be implemented in userspace not kernel mode unlike most current linux shimmer like implementation available.

Re: Solution

[FatdogHaiku]

I liked this part near the bottom of the rules (12 f.)
"The Sponsor reserves the right to amend the terms and conditions of the official rules at any time, including the rights or obligations of the Contestants and the Sponsor.

So kids, Hurry and send in your multi-million dollar product in good working order and we'll give you a pittance and introduce you to the civil legal system!

Re:Solution

[currently_awake]

Make a dedicated IOT network chip, with VPN support built in. The IOT device would be forced to connect directly to its server, with no option to communicate with anyone or anything else. So long as the chip was done properly (common chip=massive economy of scale), it wouldn't matter how buggy the IOT device software is.

Re:Solution

[xeoron]

Place IoT on a separate subnet or vlan with extra firewall filtering that includes only letting it speak to a whitelist of locations defined on the router.

Re:Solution

[Darinbob]

No, we've had IoT devices before there was even the acronym. There are very secure IoT devices. They're not using passwords like it was just another exploitable wi-fi device but instead of PKI, and they're not purchased by consumers looking for a cool gadget to brag about. The best way to make IoT devices secure is to stop marketing them to hipsters. Nobody needs an internet connected thermostat so badly that they'd be willing to bypass all security and common sense.

Yes, some SCADA systems have security problems, usually from the same sort of short sighted thinking but often because owners don't plan on keeping them up to date after purchase. Sometimes the same problem as home gadget lovers, they don't have the capability to properly assess security and instead just believe the marketing (marketing is just a long word that means lying).

Re:Solution

[mark-t]

It is not infeasible to blacklist a MAC address from your wireless router after repeated password failure attempts over a short time. This could make automated brute-force password guessing from a device such as what you've described impractical.

Re: Solution

[nbauman]

I liked this part near the bottom of the rules (12 f.)
"The Sponsor reserves the right to amend the terms and conditions of the official rules at any time, including the rights or obligations of the Contestants and the Sponsor.

So kids, Hurry and send in your multi-million dollar product in good working order and we'll give you a pittance and introduce you to the civil legal system!

Your legal analysis is correct.

I once heard a freelance writer give a talk on writing contracts, and she described the worst contract (for the writer) she had ever seen. It was the Redbook "Writing contest."

Redbook readers were invited to submit short story manuscripts, the winners would get a pittance (and the honor of being the winner), and Redbook would own all the rights.

I realized that Redbook was basically asking people to submit stories on spec, in the hope that they would be chosen out of thousands of entries. If they were chosen, Redbook would own the work, and give them a small fee to print it.

That's what contests are. They ask you to work for nothing, compete with thousands of people, and if they like yours better than all the others, they'll own the work and give you a modest payment.

Spending 6 months or a year (or even a month) for $25,000 -- if they feel like it -- isn't a great deal.

If the FTC wants to secure IOT devices, let them hire a staff to work on it. Or let them award competitive grants.

Re:Solution

[Hognoxious]

You're talking about industrial/warehouse kind of stuff?

Re: Solution

[wanfuse123]

Its easier to secure a server with lots of resources than a small IoT device, there can be successful attacks against it but if you use virtualization, minimalization of software with trust to hardware, advanced firewalls, IDS, and much too much to list here you can be relatively secure not only that but you can update central infrastructure easier. Also on the internet as a whole force implementation of a few protocols that for the life of me I cant remember that minimizes fake traffic and minimizes attack surface( will post them if I remember them).

Re: Solution

[wanfuse123]

Its possible to fool a neural net of course, but there is a lot of attack vectors known. Recently there was a contest where systems competed to attack one another. They were able to successfully countermeasure, but required lots of computer hardware. Part of the development of the systems was done by training them to recognize attack vectors. The combination of shimmer, timing, and limited destination, along with the userspace implementation and the neural net ( whos purpose would be to detect false traffic and packet rewites as well as crafting of traffic to crash shimmer) should make it inherently more secure. I cant give it a proof but am sure someone could prove or disprove mathmatically the idea. If I could do it I wouldnt be posting it here. Save that for the really smart people.

Re: Solution

[wanfuse123]

Its been proven by people smarter than me that using an encrption algorithm with a large enough key will foil long term traffic analysis, more over dont forget each home has its own IoT gateway and encrption algorith key so it would be a lot of work to take over one device.

Re:Solution

[thegarbz]

Smarthomes didn't start with IoT either, and industrial/warehouse kind of stuff have adopted the IoT name for large sensor networks just like the home / retail market has. The only difference is in the level of security on devices not made by the cheapest bidder.

Re:Solution

[Hognoxious]

Then the design is a bucket of shit. Home is inside the firewall, not in fucking Chennakajaiparayat.

Re:Solution

[rtb61]

The real problem is the whole current hardware software set, entirely too flexible and can never really be secured.

So to secure internet of devices, requires a new fresh start. An operating system and applications, running on device, that all are only capable of doing what they are designed to do. Every bit of flexibility taken out, if it is not neccesary for functionality it is not in the system, not in the OS, not in the application and not in the hardware.

Want a device to no do a thing, than make that thing impossible to do. So a new custom hugely simplified modular operating system, that can only do what it is designed to do, not one bit more, running on simplified hardware that can only do what it is designed to do. So it is all about not being able to do stuff than attempting to control stuff it is capable of doing but you do not want it to do, which when you think about it, is really dumb.

The whole idea is to get away from blocking bad stuff, too only allowing good stuff and everything else, absolutely everything else is blocked. Early step would be to create a library of allowed traffic data transmissions and then only allow those transmissions through, everything else is ignored, not even processed, just binned.

Re: Solution

[ememisya]

There already is a great candidate for at least the iPhone 6, I'm not sure the authors would be able to get the prize though. link: https://www.pubpub.org/pub/dir...

Re: Solution

That's what contests are.

It's worth noting that even when the prize is substantial, and the contest-runner doesn't own the work, "contests" are still a very destructive form of competition. See: hackaday prize.

Re:Solution

[mark-t]

Why would the guesser know that they had been blocked? It could easily be set up so as far as they can tell, the password is just wrong... they may have no outwardly visible indication that the router has blacklisted their MAC address. For what it's worth, it could even be set up so that an incorrect password blocks *ALL* new wireless connection attempts for a period of, say, 1 second, regardless of the device. This would make it impossible to try more than a single guess every second, even if it were to cycle mac addresses or try and clone one your existing ones, and would make any automated attempts at brute-forcing a password infeasible. In practice, this would not hinder a human being attempting to connect who had got the password wrong because they would be manually correcting it and trying again anyways.

Here's my way.

Remove internet connectivity. There you go, pay me.

Re:Here's my way.

[aaarrrgggh]

Not enough-- look at the ransom attacks on Hue bulbs as an example.

Wirecutters

A simple pair of wirecutters will make any network device secure. Does your thermostat and lightbulb really need to communicate with the mothership Google to work?

Re:Wirecutters

[superwiz]

It probably does if it needs to know about a hurricane coming your way.

This is no technical problem

[NotInHere]

This is no technical problem. You can't add security around insecure devices by default. Even if you did some firewall, the device still has to communicate with the internet one way or another, or it has to communicate via bluetooth, and these two paths can still be used for attacks.

The only proper solution is a policy.

Re:This is no technical problem

[CaptainDork]

The solution is to ban all non-secure devices. They said no policy, so that means they aren't going to accept a solution that kicks the problem in the balls.

Re:This is no technical problem

[JaredOfEuropa]

These devices do not have to communicate with "the internet", at worst they need to be able to connect a remote access gateway or cloud service (mothership). Those channels aren't all that easy to hack, and with a proper firewall, you can get your LAN reasonably secure without crippling well designed IoT devices. The devices might still be somewhat vulnerable to someone with physical access or access to your WiFi,but that leaves only a small percentage of attackers, and until the actual firewall is compromised, it can still serve to provide intrusion detection.

What some have proposed to make IoT more secure is a firewall that's on by default,with which IoT devices are "paired" using a standardised request, i.e. the device does a one-off request to the firewall to open some holes (preferably to specific addresses, outbound only, etc), and permission to connect to certain local devices (for example a home automation hub), which the user approves using a simple interface. Attempts by the device to contact other stuff on the intranet or to access an unsanctioned internet address result in an intrusion warning.

Re:This is no technical problem

[Bite+The+Pillow]

They want a software solution, so here it is. Software firewall that blocks outgoing data based on a public whitelist, and incoming connections on a whitelist based on local devices. If a severity threat is detected, disable internet.

Security threat detection function can do all kinds of heuristics, then return true.

Re:This is no technical problem

[coofercat]

+1

If your networked product gets hacked and participates in a botnet, data leak, data ransom, etc, then you must provide mitigating solutions at your own expense to the owner for a period of 2* years after the date of purchase, or expect lawsuits from those customers or their representatives for non-compliance. In return for doing all this, we'll grant you a special marque you can put on your product and supporting materials to indicate your good internet citizenship to your customers. We'll be operating an on-line database of all the products which have the qualifying marque so consumers can verify manufacturers claims and have the means to report any non-compliance.

* I realise 2 years isn't actually that long for something like a fridge or even a TV, so maybe it needs longer for for more 'permanent' products. I figure 2 years is already way more than a lot of manufacturers actually provide on things like routers and webcams that asking for this would already be a huge improvement in a lot of cases.

Either way, just pop my $25,000 in the post please ;-)

Smash them with a hammer

Voila!

Easy Solution - Hold Manufacturers Responsible

[sinij]

Easy Solution - Hold Manufacturers Responsible. Pass legislation that any IoT device must be maintained with security patches for 2 years past sale and any substantial deviation from industry best practices (e.g. hard coded credentials, open telnet) would lead to hefty penalty.

Treat these guys as you'd treat factories that dumped toxic waste into rivers.

Re:Easy Solution - Hold Manufacturers Responsible

[jbmartin6]

Perhaps better would be to hold them liable for damages due to negligence, and nullify the absurd "as is" EULA. They can pay Brian Kreb's DDOS defense fees for the next ten years.

Re:Easy Solution - Hold Manufacturers Responsible

[Minupla]

Easier solution: Unplug them, remove any batteries. Security. When do I get my cheque?

Re:Easy Solution - Hold Manufacturers Responsible

[wvmarle]

Two years? That's far too short. Even for regular PCs it'd be a too short time span - 20, 30 years ago the normal lifespan of a PC was considered to be about three years, now it's more like five. Many LTS releases of Linux get security fixes for at least five years. Debian releases maybe even longer, but that's more to do with the slow release cycle itself.

Anyway, here you're talking about devices that last easily a decade, such as fridges. My own fridge is older than that, should be about 12 years now. Our TV is nearing 3 years now, the one before that we had for 8-9 years at least. Manufacturers will have to provide support for 10, 15 years. At the very least. Otherwise you either have to deal with "planned obsolescence" (something we at /. love to hate), where you have to replace your expensive devices every two years. Expensive, and very bad from an environmental perspective.

Now with these support periods there are all kinds of practical and maybe even technical challenges - such as keeping people employed that actually know how to work with that old technology and companies going out of business.

Re:Easy Solution - Hold Manufacturers Responsible

[AmiMoJo]

Won't help with people buying cheap stuff from China on eBay.

Re:Easy Solution - Hold Manufacturers Responsible

[CaptainDork]

This.

And take note that we are acknowledging that the US government don't know bullshit from wild honey about security and is forced to crowdsource competence.

Re:Easy Solution - Hold Manufacturers Responsible

[freeze128]

2 years?! Hell, I don't even change my old "Dumb" light bulbs that often. Make it 10 years!

Re:Easy Solution - Hold Manufacturers Responsible

[currently_awake]

Having a government department responsible for computer security would help, they could do vulnerability scans on new hardware as part of the FCC certification, and force patches for weak devices. Extending FCC authority to cover internet devices might work, if you explicitly required a minimum level of security by law.

Re:Easy Solution - Hold Manufacturers Responsible

[Darinbob]

The problem is often with the customer. Major industries aren't asking for security. Absolutely the home user doesn't even consider asking this question, they don't even know what security is or how to evaluate it. The same customer that doesn't hesitate to type in personal information to a smart tv is the wrong person to be judging whether or not a refrigerator needs to be on the internet. Why blame the manufacturer and their security when the customer does not even configure the device or its security?

Re:Easy Solution - Hold Manufacturers Responsible

[CaptainDork]

I agree.

It's not a technical issue in the sense that IT has been recommending best practices for years, but local management's risk analysis proves that the expense is not necessary.

We are approaching a tipping point where deep pockets are going to start paying for minor manufacturing/implementation procedures.

I've argued for years that litigation is the answer, just as it created fire codes after enough lawsuits changed some risk analysts' minds.

Re:Easy Solution - Hold Manufacturers Responsible

[slashrio]

Then leave the customer out of the loop.
Program a communication protocol into the big corp's internet modems/routers and into the IoT-Devices which will communicate with each other.
They will negotiate firewall rules for in the modem/router which 'will keep us safe' against everybody that attacks us 'because they are jealous of our lifestyle and democracy' (ugh).

Re:Easy Solution - Hold Manufacturers Responsible

[superwiz]

Uhm... there is nothing to prevent them from being sold and shipped from China or Canada directly. Are you planning to extend US tort laws to China?

$25K for a Multimillion Dollar Solution?

Ummm... okay. Good luck with that.

Re: $25K for a Multimillion Dollar Solution?

[thundercattt]

I was thinking the same. If I had that idea, that worked. 250 million minimum.

Re:$25K for a Multimillion Dollar Solution?

[0100010001010011]

See also the DARPA project.

Giving away award money is cheaper than paying for actual development.

Politically incorrect solution: free/open software

[davecb]

If the vendors are constrained to use a current Linux or BSD variant, then the customer can update whenever fixes are available. That probably makes lightbulbs too expensive, but for toasters on up, it's possible (;-))

The Backasswards solution

[geekmux]

I have a better idea. How about the US Government fine companies 75% of their net profits every time they design and sell a product that's insecure to begin with.

That goes for everything, not just IoT. The future of autonomous vehicles scares the shit out of me because of the half-assed approach towards securing them.

Re: The Backasswards solution

[thundercattt]

I agree. My work cellphone, still running Android 4.4.1. Samsung has NEVER put an update out since I got it

Re:The Backasswards solution

[Sarten-X]

The problem is defining "secure" and "insecure". In the US, the standard is "perfect tender", where the company just has to produce a product that is perfect to the best of their ability, and acceptable to the customer. The product may have been insecure from the start, but nobody knew it, because the vulnerabilities weren't known yet.

Three years ago, we had no idea that the rowhammer effect could corrupt data. Two years ago, we didn't think it had security implications. Now we know better, but my desktop was built four years ago.

There are some vulnerabilities that can be resolved, like default passwords... but those are comparatively rare. For production and installation ease, the devices are usually shipped with a default password and the user is provided instructions to change the password. The problem is that the users don't read the instruction manual for their new lightbulbs. In this case, the product is designed and sold to be secure, but the user's inaction caused the insecurity.

Ultimately, the liability for an attack lies (legally) with the attacker. It's been that way for several thousand years, and is fundamental to the legal framework in this country. Trying to change that will have many unintended consequences.

Re:The Backasswards solution

[Darinbob]

How about requiring all customers to take a class in how to turn on security in their existing product and to configure it correctly? Or maybe a class in how to parse through bullshit in marketing and decide that maybe they don't need their toaster on the internet.

Re:The Backasswards solution

[XparXnoiaX]

I favor that approach. When was the last time a company asked you (during a sprint or otherwise) to look at the code and make sure it was secure?

Re:The Backasswards solution

[AmiMoJo]

Because eBay and Banggood and AliExpress and all the other ways people import products from China. It's hard to fine companies in China when you are a US regulator. Even blocking their imports will fail as they will just re-brand faster than the US legal system can react.

Besides, there would be endless legal arguments over what counts as "insecure". If you did everything right but someone finds a previously unknown bug in OpenSSL that is part of your 8 year old product, how much responsibility can you have for maintaining update servers and making sure all the remaining products out there get patched? Would it be okay to just mail everyone a letter saying "don't use this product any more, here is a $1.50 coupon for a newer model"?

It needs a technical solution. One which doesn't involve trusting or requiring manufacturers to do a good job.

Re:The Backasswards solution

[thegarbz]

design and sell a product that's insecure to begin with.

Define insecure? The PS3's DRM was about the best and strongest there was backed by a large profit motive and deep budgets, and yet that was eventually broken too.

With wording like yours whey not just slap a 75% income tax on every company that does business within the USA.

Re:The Backasswards solution

[Sarten-X]

Joseph Bramah's lock was considered secure for 67 years, until Alfred Charles Hobbs picked it after a 51-hour effort in 1851. Now, modern tools and techniques can pick such a lock in a matter of minutes.

So let's suppose you had purchased one of Bramah's locks in 1850, with a 65-year history of perfection. If you were robbed in 1853, who bears the liability? Is it Bramah (actually his sons who inherited the business) for making an insecure lock that was sold as being secure? Is it you, for not replacing the lock as soon as a picking technique had been proven? Or is it the thief who actually exploited the vulnerability and broke the law?

Re:The Backasswards solution

[geekmux]

I have a better idea. How about the US Government fine companies 75% of their net profits every time they design and sell a product that's insecure to begin with.

Goodbye US technology industry. Hello imports. Hello trade deficit. Hello exploding the national debt. Hello poverty. Brilliant.

It's more like Goodbye Ignorance and Hello Security.

The US Government has had enough hacks themselves that they should wake the fuck up and quickly, rather than take your fuck-it-we-quit solution.

Re:The Backasswards solution

[geekmux]

design and sell a product that's insecure to begin with.

Define insecure? The PS3's DRM was about the best and strongest there was backed by a large profit motive and deep budgets, and yet that was eventually broken too.

With wording like yours whey not just slap a 75% income tax on every company that does business within the USA.

To clarify, my particular solution was meant to demonstrate an actual threat against companies that seem to practically enjoy creating and selling products that are utter shit from a Security perspective. If you prefer the current slap-on-the-wrist punishments that allow companies to continue to create and sell utter shit, then by all means, support the currently ineffective model of making "secure" products. If fines are too harsh, I'm all for jail time for CEOs too. Whatever ultimately works to achieve the end goal of disrupting the utter shit model.

The purpose of Security is important too. Sony likely knew from the beginning their DRM was going to eventually be broken. It served as an effective deterrent until it was. Maintaining a legal army of jackbooted thugs to threaten pirates is another way to effect deterrence.

The threat to an insecure model protecting other products comes at a LOT higher cost than a stolen game. Hacking autonomous vehicles can cost human lives.

Bottom line is we need to punish harder and reward more when it comes to Security. The proposed $25,000 reward is a fucking joke, especially given the benefit of a secure solution could affect billions.

Re:The Backasswards solution

[thegarbz]

Oh I agree, something needs to be done, but the problem with proposing any laws is that they either need to be well written, specific, enforceable, and realistic. Threatening companies for not doing a good enough job is the job of civil suits and the courts. Laws can not be written in that kind of way without introducing either loopholes that indemnify companies, or introduce enough uncertainty to make people challenge the laws.

This is a classic jump to conclusion without thinking if it's even possible. Throw a CEO in jail? For what? In most cases courts haven't even been able to prove direct negative effect on a victim to get them compensation. What do you propose? A law that can throw a CEO in jail at any time for any reason you see fit?

Re:The Backasswards solution

[geekmux]

Oh I agree, something needs to be done, but the problem with proposing any laws is that they either need to be well written, specific, enforceable, and realistic. Threatening companies for not doing a good enough job is the job of civil suits and the courts. Laws can not be written in that kind of way without introducing either loopholes that indemnify companies, or introduce enough uncertainty to make people challenge the laws.

This is a classic jump to conclusion without thinking if it's even possible. Throw a CEO in jail? For what? In most cases courts haven't even been able to prove direct negative effect on a victim to get them compensation. What do you propose? A law that can throw a CEO in jail at any time for any reason you see fit?

All I'm saying is ensure that the punishment is befitting of the crime.

The crime we see repeated over and over again is a company utterly ignoring sound security practice and development in favor of push-the-shit-product-out-the-door revenue demand. When identities are stolen due to poor security products designed to protect individuals, there is a cost involved. Just ask the purveyors of products like LifeLock. I'm certain they've formulated costs to justify their own products. What ends up in a courtroom today is nothing more than a slap on the financial wrist for the companies who then continue with the push-the-shit-product-out-the-door revenue model, because the slap-on-the-wrist punishment is worth it every time.

When the secure product is designed to directly protect a human life, the risk and associated costs is much higher, and loopholes should be removed, not merely tightened. In the cases of repeat offenders, yes, perhaps jail time is necessary to push Security to the financial forefront where it should be.

Re:The Backasswards solution

[thegarbz]

All I'm saying is ensure that the punishment is befitting of the crime.

I'm asking how. We all want the same thing, but I'm waiting to hear a sane proposal that could work.

Re:The Backasswards solution

[geekmux]

All I'm saying is ensure that the punishment is befitting of the crime.

I'm asking how. We all want the same thing, but I'm waiting to hear a sane proposal that could work.

To find a solution that would work would imply the very companies who don't want to play fair would not wield the very lobbying power that enables them to not play fair. So perhaps the first step is to remove that bullshit loophole.

A fair solution to combat selling or making an insecure product is create a Federal standard, and enforce it by making all manufacturers who want to sell the the US market comply with it. Failure to do so means anything from being fined a considerable percentage of net profit to banning the product outright from sale. The US market is still a large and highly profitable one, so compliance would be worth the effort.

And when I say enforce I mean fucking enforce it. No loopholes. No lobbyists. No breaks. No fucking greased palm deals. No bullshit.

Of course, this is a hell of a lot harder to actually do when we can't even get Too-Big-To-Fail companies to pay their fucking share of taxes.

Re:The Backasswards solution

[thegarbz]

No you're jumping the biggest problem. Ignore the lobbying, ignore the company's influence, and ignore enforcement, we didn't get that far.

First show me you're able to define a law, then we can talk about the rest.

Re:The Backasswards solution

[geekmux]

No you're jumping the biggest problem. Ignore the lobbying, ignore the company's influence, and ignore enforcement, we didn't get that far.

First show me you're able to define a law, then we can talk about the rest.

Speaking of jumping the biggest problem, what exactly is the point of defining yet another law when those with influence and lobbying power will simply ignore it, or lobby to be worthy of some bullshit Too-Big-To-Fail loophole?

We have plenty of anti-monopoly laws on the books, and yet monopolies are consuming the capitalist universe. Go figure as to how that shit happened.

As I stated before, our problem is not one of creating laws. Root cause analysis dictates we must remove the corruption that prohibits enforcement first.

Creating a Federal standard (read: mandate) for product Security is not a difficult thing to do. Obviously the requirements would vary based on risk (e.g. human life at risk vs. lesser risk), but Security must first be held to a standard where companies cannot get away with making a product that's "good enough". No bullshit graded rating system. It's either pass or fail. As an example, UL ratings have become a rather universal safety standard that works mainly because it is a pass or fail grading system and it is enforced.

Re:The Backasswards solution

[thegarbz]

Speaking of jumping the biggest problem, what exactly is the point of defining yet another law

You tell me, it was your idea. You're the one saying we should fine companies for delivering insecure products. I'm just asking you to put that into clear words that a company can legally abide by without loop holes.

We have plenty of anti-monopoly laws on the books

Actually no we don't. There's nothing illegal about monopolys. We have anti-trust laws on the books. They are different, and in many countries companies get pulled up for shits they do while they have monopoly status.

Creating a Federal standard (read: mandate) for product Security is not a difficult thing to do.

So far we haven't even gotten past the word "secure". If you want to define a standard start with actually defining clearly the main subject in the title. I can tell you've never sat on a standard committee before. There are some truly simple things to define and put in a standard yet even those can take years depending on vested interests, pedantry, and just differing opinions on scope.

Re:The Backasswards solution

[geekmux]

Speaking of jumping the biggest problem, what exactly is the point of defining yet another law

You tell me, it was your idea. You're the one saying we should fine companies for delivering insecure products. I'm just asking you to put that into clear words that a company can legally abide by without loop holes.

I stated long ago change is needed because the current system is ineffective and fails to properly punish offenders. Enforcement still stands as a primary challenge regardless of what a committee decides regarding a secure standard. Fines need to be increased to create the deterrent they were designed to be. If we can fine a vehicle manufacturer for making an unsafe product, we can figure out a way to do the same thing when it comes to other manufacturers making insecure products.

As far as defining a standard, ISO, NIST, and other related orgs have managed to clearly define Security standards for years, and now auditors are using them more and more to define and rate organizations Cybersecurity stance. Let's not be ignorant and act like committees have never managed to come together and finalize a single fucking decision before due to politics and "vested interests". It can happen. It has happened.

I'm done here, due to regurgitating.

Re:The Backasswards solution

[thegarbz]

Yes you're really regurgitating your side points without ever addressing the original question.

Re:The Backasswards solution

[geekmux]

Yes you're really regurgitating your side points without ever addressing the original question.

You want an answer to defining insecure? Perfect security is a fucking illusion. You either accept that fact and design products to be as secure as possible and prepare a mitigation strategy to prepare for the inevitable, or don't bother making products.

And "insecure" in this particular example is addressing utter shit like hard-coded default passwords, and allowing devices to connect to the internet without first going through a lock-down process that removes all default authentication. Devices with out-of-date software become disabled until the consumer updates it. Don't allow utterly pathetic passwords to be used. Correcting those common and obvious fuck-ups isn't rocket science, so enough with the pointless harping on it.

If I could secure IoT devices

[rsilvergun]

I could make a heck of alot more than $25k...

Re: If I could secure IoT devices

[thundercattt]

I thought the same thing when I saw 25k. Govt? I'd be selling them licenses at 25k a pop.

Doesn't work

[rsilvergun]

all that does is put a stop to the market and any new products. You end up in one of two scenarios:

a. Everybody stays out because the risk's too high.

b. Only a few big players who can afford insurance and/or to buy off exceptions for themselves can play. What little is available in the market is expensive and crummy.

Re:Doesn't work

[houghi]

I would like to know if there are any downsides.

Re:Doesn't work

[JaredOfEuropa]

Those are the downsides. Despite people who claim "I think my refrigerator doesn't have to be connected to the Internet, therefore the entire concept of the Internet of Things must be utterly worthless", there are plenty of useful ways devices can be improved by adding connectivity. Yes,security is a big concern,but that doesn't mean that the only winning move is not to play.

Re: Doesn't work

[WarJolt]

I don't see a problem with that.

No one builds software from scratch. We leverage libraries, even with IoT. Most of them are open source. We just need to actually make security a priority in open source. This will reduce the cost for the little guy.

Security is is typically proven by showing that information can't be leaked out of a system. Let's look at the Linux kernel first. It has no proof of security. In fact we've had bugs in the last year that completely undermine the security of the system. IoT devices can be made simple. I'd argue the Linux kernel is overkill for such a device. Especially when there are open source alternatives with formal proofs of security. If the IoT device is simply measuring the temperature in your home or brewing some tea then I think you can justify the expense of formally proving it's secure; even as a little guy.

Re:Doesn't work

[sinij]

If every vendor that gets 0.01c per device spying on you decides to stays out of IoT - I will consider this consumer's win. For all worthwhile IoT, maintaining for 2 years won't be outside the expected norm.

Re:Doesn't work

[sinij]

The only winning move it to play WITH security. We don't accept cars that suddenly explode, we don't accept phones that burst on fire, we shouldn't accept IoT that is hacked and used to bring parts of Internet down.

Code blocks

[kugeln]

Since all the programmers doing the software for this IoT stuff believe that 'coding' is dragging ready-made blocks around in a Visio-like interface, someone just has to make a "security" block for them. They don't need/care to know what goes on inside the block, as long as it's called security. Because code reuse is cool, or something.

Re:Politically incorrect solution: free/open softw

[Sarten-X]

That's why all android devices automatically get updates, right? Even the decade-old ones that can't run new versions?

The OS doesn't matter. What's missing is the infrastructure to support patch development, testing, and delivery. Once the initial vendor goes out of business (or discontinues that product), there's no mechanism to continue development, no way to test the patch, and no way to get the new software into the devices.

An open-source mandate fixes the ability to develop new patches, but it becomes much more difficult to thoroughly test on all versions of affected devices, and there's no easy channel to get the new software to the end users.

Re:pfsense

[mikael]

A firewall around every single wi-fi/bluetooth connected device?

Multi faceted approach

[JASegler]

There isn't going to be a magic wand for this. But a multifaceted approach would help.

1) Standards body to oversee the software and protocols.

2) Standard IOT base software stacks and protocols. Ideally run as an open source style project with companies encouraged to give back to the software stacks. Maybe protection from being sued for security problems found if they are using the certified software stacks. i.e. we were using the certified software stack in a certified way is a valid legal defense. If your modifications are the problem you lose that protection. Makes getting your modifications into the base stacks very appealing to the lawyers, etc.

3) Certification program that takes completed devices and runs them through tests. Penetration tests of the completed devices. Manual and automated review of the software. Should be easy to fast track the software reviews if your building on top of one of the approved IOT base software stacks.

4) Require a way to easily update the software of the devices. The reality is forced updates are going to have to be required because most won't manually update the devices.

5) Require that a fully functional software stack be put in escrow for each device and revision of software. The company must provide support for the device or the the software base is released. Lack of support for the device is decided by standards board not the company. Fully functional means that someone can take the stack, compile it and successfully install it on the device. No hidden BS boot encryption keys that are missing, etc. If there are encryption keys like that then they have to be put in escrow with the rest of the software stack.

6) Media campaign to get people to buy only certified IOT devices.

Probably plenty more things that are good ideas/best practices. But this would be a start.

Re:Multi faceted approach

[aaarrrgggh]

Does a JTAG count as easy upgrade mechanism?

There are a huge range of devices out there in terms of capabilities and anticipated lifespans. I would be pissed if my refrigerator ended up having the same lifespan as my light bulbs due to firmware issues, as an example. The devices today that are the biggest problem are CCTV DVRs: essentially general purpose computers with poor security concepts and implementation.

Much of what really needs to happen is focusing on documenting the interface requirements for low power devices and setting security guidelines for more powerful devices.

Re:Multi faceted approach

[Darinbob]

There are too many standards for IOT, mostly because it's a big new buzzwords that means immediately there are many competing marketing based standards groups trying to get everyone to side with them, which means competing security standards, and because it's being rushed we have ridiculous demands in the standards so that the members of the consortium don't have to redesign their products.

I work with devices for industry. They DO update without being forced. You can't force a customer who's giving you millions of dollars to have an automatic update (especially with security as it might brick and lock them out). The customers spend months evaluating new releases before upgrading. But that is for professional devices, not the TOYS for the home consumers, for those toys you must blame the consumer for being dumb enough to buy the products in the first place.

Too little

[allo]

Sorry, the price is not high enough.

Thinking of a solution, you need to buy a lot Internet-of-Crap stuff, to test your solution and to dissect it to be able to find i.e. hardcoded passwords. This alone will cost you more than 25.000 if you're serious about it in a way, which will win you the 25.000.
The only option would be hoping, that you sell your device often enough, that you will make money from that. But you will realize, that nobody cares about his toaster being part of a dDoS attack.

Re:Too little

[unixisc]

Enough responses like this, and they'll then ask some offshorer in India. Then there will be howls about work being offshored

Re:Too little

[allo]

They can do whatever they want ... the question is, if they want to attract serious security experts. They won't with this offer. And the hobbyists are tempted to sell the 0-day for more than the "to be created" product wins. Without creating a product, just by collecting the issues.

$25K? That's insulting.

[azav]

The importance of this is high and $25K is an insult to the amount of effort required to perform to do this.

That number is so low, it's meaningless.

Hacking Firewall

[John.Banister]

Build a collection of easy device hacks, the way security companies collect virus signatures now, and have a firewall on the wide area connection that attempts to use the methods in the collection to gain access to the devices that want through. Devices that can be defeated by the firewall aren't allowed past it.

HAHAHHAHAH 25,000$

[elcor]

very funny, government, very funny

Re:Personal IoT Standard

[silas_moeckel]

The M&M theory, a firewall device that all communication must pass through if it needs to leave the building. It must be able to see all traffic so it's a https proxy and a scene to register all access a device needs and have it allowed by the user.

So get new IoT lightbulb plug it in connect to the IoT SSID. Register what you need to connect to and what data is passed allow users to allow/deny at a fine-grained level. All easily implemented on the wifi AP you already have and gives a place for updates etc add different radios as required.

Oddly similar to a vera or other zwave hub because that's an actual standard that's reasonably well secured.

Gimme a break!

[jenningsthecat]

25 kilobucks???!!! WTF?? Realistically, such a solution would be worth AT LEAST seven figures. And anyone smart enough to come up with it shouldn't be dumb enough to sell it off for chump change, especially in an era where 'rounded corners' can not only be patented, but can almost be successfully defended against "infringement".

Do i win?

[Highdude702]

Use a Hammer!

Re:pfsense

[unixisc]

No, every WiFi connected device has to be in a network - most likely, the one your WiFi router hosts. That's where the firewall would apply. Bluetooth - I thought that the latest Bluetooth protocol includes IPv6 support, I doubt that older Bluetooth would fall within IoT

Re:Politically incorrect solution: free/open softw

[davecb]

Yes: we agree lightbulbs won't make it.

Re:Personal IoT Standard

[currently_awake]

And then someone from Russia hacks the WiFi router belonging to you neighbor, and it starts spoofing your router, and your devices all connect, and the next thing you know they are using your networked cameras to film a new reality tv show.

Re:Politically incorrect solution: free/open softw

[davecb]

The OS doesn't matter. What's missing is the infrastructure to support patch development, testing, and delivery. Once the initial vendor goes out of business (or discontinues that product), there's no mechanism to continue development, no way to test the patch, and no way to get the new software into the devices.

Some OSs, specifically including the WRT families, include the infrastructure. Others do not and never will, as their vendors are aiming at exceedingly low-cost "use and discard" devices... or, concersely, excessively expensive "planned obsolesence" devices like cars and cell-phones

Verry simple

[MeNeXT]

Unmaintained, unsupported or unpatched (say 30 days) products no longer benefit from copyright and patent law.

$25,000

[Hognoxious]

Boy, that's an expensive hammer! Even the DoD don't pay that much.

Re: like hacking is a problem?

[slashrio]

It wouldn't be if 'things' were designed with safety in mind.

Re:Done And Done

[XparXnoiaX]

Submit it! (after March 1st).

Easy (?)

[krray]

I'm trying to understand *how* this is happening.
First I always change the admin password. Manufacturers should require this, step 1, before the device will work. Problem 1 solved.

I use a router. UPnP is always disabled. Thus:
The IoT devices should also be configured to work "openly" (IMHO) if they're on 192.168, 169.254, or a 10. DHCP'd network. Are people plugging them into a ISP port directly giving it full inbound access from the Internet? I've never set one up that way. Only a router.

I guess now I expect people to know which port and how to open it up. I'm paranoid enough to not do that even directly -- ie: all video sources are aggregated to a server which *is* open on one https port. I know to except my self-signed certificate. Yeah, I guess this should be easier if security is required (it should be).

I won't use Comcast to check / open my garage door remotely. I wrote my own program. The idea of using *any* service provider with access to my cameras isn't going to happen.

What users need is a touch-screen router with easy setup buttons for user specific settings (port, type, etc), and a menu for known IoT devices: ie swipe to find Frigidaire milk cam, enter admin password. Configured.

Only the router goes to the ISP.

Just keep right on failing

[WaffleMonster]

The best way to secure "IoT" is for the industry to keep right on marching toward a not so distant future where "IoT" and "SMART" are widely viewed as toxic and undesirable.

At some point the consumer is going to ask themselves... do I REALLY want to pay $200 for fake FBI notices, ransom notes and advertising burned into my toast or can I get by with the $20 wall-e-mart special?

Do I really want to put up with a toaster that stops making toast whenever Internet is down, whenever original vendor goes out of business, wants me to buy a new one or no longer feels like "supporting" their creation? Can I get by with the $20 wall-e-mart special?

Do I want my appliances watching me stumbling about my kitchen and uploading my performances to James Clapper and criminal gangs or can I get by with the $20 wall-e-mart special?

Do I take members of US intelligence agencies seriously when they warn/gloat:

"Items of interest will be located, identified, monitored and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers and energy harvesters all connected to next-generation Internet using abundant, low-cost and high-power computing."

Or

"In the future, intelligence services might use the IoT for identification, surveillance, monitoring, location tracking, and targeting for
recruitment, or to gain access to networks or user credentials."

Perhaps I can get by with the $20 wall-e-mart special?

Innumeracy abounds

[uCallHimDrJ0NES]

$25,000? Why not $5? It would go just as far in this case, and would save taxpayers some money.

A quick smack upside the head?

[Timothy2.0]

If you fail to change the default password of your new IP camera, or other device, I come to your house and smack you upside the head.

Where do I collect my money?

Re:Personal IoT Standard

[silas_moeckel]

Yea because it's easy to guess some randomly generated SSID and wpa2 key? Noticing another AP with the same SSID is also pretty trivial.

There is only so far you can go to help existing crap devices. By nature it will be an M&M fix putting a smarter box in front and hoping nobody breaks the shell.

If your looking for a standard for new gear to comply with then you can add endpoint validation etc.

For "thing-to-thing" commucation ...

[davidwr]

... use crystallographic authentication and limit what can talk to what.

For example, if a "black box" at my electric company needs to talk to my electric meter over a public IP network (why? I don't know, but suppose it does), put a firewall on the electric meter that won't even acknowledge an connection unless it is encrypted specifically for that particular electric meter and signed by that particular "black box." Likewise, the "black box" will not continue the conversation unless the electric meter responds not only with an encrypted, signed message, but it also follows other handshaking protocols to the letter.

The specific keys and protocols for the electric meter were installed in the device prior to installation.

Now, as for consumer devices where the consumer will want to access the device from his phone, or for devices which will need to change who they talk to over the life of the device, well, that is left as an exercise for the reader.

DAMMIT autokorrekt gone haywire

[davidwr]

... use crystallographic authentication and limit what can talk to what.

Obviously, the cryptographic authentication on my spell-checking IoT device wasn't working right and the device got hacked. GRRR.

reward escalation

[epine]

In three years, $25,000,000. In ten years, $25,000,000,000.

Change the basic network protocol!

[SysEngineer]

the basic protocol should support network security isolation. The protocol should also support a cryptographic ID not just location and routing. Then for the "DHCP" us a Web of Trust (WoT), to Authenticate, Authorize and Audit (AAA) the local Things.

Re:Change the basic network protocol!

[gweihir]

That is about the most stupid idea, ever. Even trying this would break _everything_.

Security is a _lot_ harder than you think

[rsilvergun]

if it wasn't you'd be $25k richer right now, right?

Absolutely worthless stunt

[gweihir]

If they were serious, they would spend money in a range where it could actually have some effect. Try at the very least 100x that, and more likely 1000x...10000x.

A Way To Secure IoT Devices

[khz6955]

How about putting a read-write switch that renders the core Operating System read-only except when you're updating it.

The simple steps

[AHuxley]

1. Secure your router or other network device with a new strong password thats not the default password or admin or user.
2. Run something like Avast Home Network Security https://www.avast.com/f-home-n... to see if any device still has issues.
Get OS makers in the US to scan the networks they are on to test if networked devices have default password and warn users to change them.
Most users will click past such warnings but its a simple step given the AV work the larger US OS brands now ship with their OS.
3. If you have some CCTV like device that has a network alert, use a dedicated cell network to send that image out to your cell phone.
Lots of cheap devices don't need to be internet facing and have the ability to connect.
4. Don't connect your "tv" display, refrigerator, dishwasher, lights, heater, AC to the internet. Use a cell phone network or think back to a next gen pager that only has one secure link to that user for devices that have to alert a user.
5. Use ethernet if possible so other users cant try and access your wifi network.
6. Empower the FCC to secure US networked communications consumer products. Not just interference but basic password security as sold too.
You buy a router in the USA, it ships with its own random strong password and username unique to that device not "password" for entire generations of devices...

Re:The simple steps

[Ol+Olsoc]

1. Secure your router or other network device with a new strong password thats not the default password or admin or user.

Failed already. It isn't that your ideas are bad, but any solution that can be enabled, has to rely on the consumer doing absolutely nothing. Because that is what they are going to do. Absolutely nothing.

Simple

[Ol+Olsoc]

Don't use IoT devices. Don't put WiFi and a webcam on my refrigerator or my water bottle.

While at it....

[XSportSeeker]

Also create a way to put backdoors into already available secure encryption systems without compromising them. I'll give you a buck for that.

Sad that they don't actually realize that they are asking for something impossible for some cheap change. If anyone could invent something like that, they'd sell it for millions a piece for every IoT company out there that could end up with class action lawsuits and recalls on their hands.

Disconnect them.

[mbone]

That's easy, just don't connect them to a network. Works every time.

I will waive any reward. They can donate it to the IETF.

a whole whopping $25,000?

[superwiz]

Why not $.25? Offer $25 million and you might get an answer. Actually, you'll get a lot of answers. Isn't this what the patent office should be doing instead of whatever it is doing? Making sure that inventors get paid?

Re:Fix Cluelessness

[superwiz]

Security needs to be designed into the protocols from the start.

That's almost too cute. Except they need to be secure enough to be usable by consumers and not have en masse exposure to criminals who can come in physical contact with them. What protocols do you use to secure them during physical access?

Re:Absurd idea

[geekmux]

All such attempts would do is give money to some lawyers to write a better EULA. What? "My device is not insecure if used as intended, and I can't help it if consumers use it improperly".

First of all, these devices are insecure by default so the pathetic defense of "used as intended" isn't one, which would force manufacturers to do exactly what should be done; make them secure by default.

And if manufacturers don't want to do this, then they can enjoy increased legal fees with decreased sales numbers, as hackers would continue to target their weak-ass products and exploit them. At some point, one would hope Common F. Sense would join the Board and convince the manufacturer to do the right thing.