Slashdot Mirror


US Government Offers $25,000 Prize For Inventing A Way To Secure IoT Devices (ftc.gov)

An anonymous reader writes: America's Federal Trade Commission has announced a $25,000 prize for whoever creates the best tool for securing consumers' IoT devices. The so-called "IoT Home Inspector Challenge" asks participants to create something that will work on current, already-on-the-market IoT devices, with extra points also awarded for scalability and ease of use.

"Contestants have the option of adding features, such as those that would address hard-coded, factory default, or easy-to-guess passwords," according to the official site, but "The tool would, at a minimum, help protect consumers from security vulnerabilities caused by out-of-date software." The winning submission can't be just a policy (or legal) solution, and will be judged by a panel which includes two computer science professors and a vulnerability researcher from Carnegie Mellon University's CERT Coordination Center.

Computerworld points out that "This isn't the first time the FTC has offered cash for software tools. In 2015, it awarded $10,500 to developers of an app that could block robocalls."

24 of 196 comments

  1. Solution by Anonymous Coward · · Score: 5, Insightful

    Throw the IoT in the trash and get regular devices that do not connect to the internet.

    1. Re: Solution by Anonymous Coward · · Score: 2, Funny

      Your check is in the mail - Uncle Sam

    2. Re:Solution by mikael · · Score: 2

      Even if they do not connect to the public Internet, any home user who has their own private internet for their appliances (smart TV, fridge, toaster, router, garage door and smartphone with bluetooth connectivity) still has the problem of someone trying to guess passwords through repeated attempted connections to each device via wireless connections. How many articles have there been on somebody creating a gadget that simply cycles through every single possible passcode combination?

      Even with a personal wifi router, it seems crazy that every device including smartphones should only need to know the one wi-fi password, and that's likely to be backed up somewhere to a Samsung, Sony or Google server somewhere.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    3. Re: Solution by FatdogHaiku · · Score: 4, Informative

      I liked this part near the bottom of the rules (12 f.)
      "The Sponsor reserves the right to amend the terms and conditions of the official rules at any time, including the rights or obligations of the Contestants and the Sponsor."

      So kids, hurry and send in your multi-million dollar product in good working order and we'll give you a pittance and introduce you to the civil legal system!

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    4. Re: Solution by nbauman · · Score: 4, Informative

      I liked this part near the bottom of the rules (12 f.)
      "The Sponsor reserves the right to amend the terms and conditions of the official rules at any time, including the rights or obligations of the Contestants and the Sponsor."

      So kids, hurry and send in your multi-million dollar product in good working order and we'll give you a pittance and introduce you to the civil legal system!

      Your legal analysis is correct.

      I once heard a freelance writer give a talk on writing contracts, and she described the worst contract (for the writer) she had ever seen. It was the Redbook "Writing contest."

      Redbook readers were invited to submit short story manuscripts, the winners would get a pittance (and the honor of being the winner), and Redbook would own all the rights.

      I realized that Redbook was basically asking people to submit stories on spec, in the hope that they would be chosen out of thousands of entries. If they were chosen, Redbook would own the work, and give them a small fee to print it.

      That's what contests are. They ask you to work for nothing, compete with thousands of people, and if they like yours better than all the others, they'll own the work and give you a modest payment.

      Spending 6 months or a year (or even a month) for $25,000 -- if they feel like it -- isn't a great deal.

      If the FTC wants to secure IOT devices, let them hire a staff to work on it. Or let them award competitive grants.

    5. Re:Solution by rtb61 · · Score: 2

      The real problem is the whole current hardware/software set, which is entirely too flexible and can never really be secured.

      So securing the internet of devices requires a new fresh start. An operating system and applications, running on the device, that are all only capable of doing what they are designed to do. Every bit of flexibility taken out: if it is not necessary for functionality it is not in the system, not in the OS, not in the application and not in the hardware.

      Want a device to not do a thing? Then make that thing impossible to do. So a new custom hugely simplified modular operating system, that can only do what it is designed to do, not one bit more, running on simplified hardware that can only do what it is designed to do. So it is all about not being able to do stuff, rather than attempting to control stuff it is capable of doing but you do not want it to do, which when you think about it, is really dumb.

      The whole idea is to get away from blocking bad stuff, to only allowing good stuff, and everything else, absolutely everything else, is blocked. An early step would be to create a library of allowed traffic data transmissions and then only allow those transmissions through; everything else is ignored, not even processed, just binned.

      --
      Chaos - everything, everywhere, everywhen
  2. Here's my way. by Anonymous Coward · · Score: 2, Insightful

    Remove internet connectivity. There you go, pay me.

  3. Easy Solution - Hold Manufacturers Responsible by sinij · · Score: 5, Interesting

    Easy Solution - Hold Manufacturers Responsible. Pass legislation that any IoT device must be maintained with security patches for 2 years past sale and any substantial deviation from industry best practices (e.g. hard coded credentials, open telnet) would lead to hefty penalty.

    Treat these guys as you'd treat factories that dumped toxic waste into rivers.

  4. $25K for a Multimillion Dollar Solution? by Anonymous Coward · · Score: 2, Insightful

    Ummm... okay. Good luck with that.

  5. The Backasswards solution by geekmux · · Score: 4, Insightful

    I have a better idea. How about the US Government fine companies 75% of their net profits every time they design and sell a product that's insecure to begin with.

    That goes for everything, not just IoT. The future of autonomous vehicles scares the shit out of me because of the half-assed approach towards securing them.

    1. Re:The Backasswards solution by Sarten-X · · Score: 3, Insightful

      The problem is defining "secure" and "insecure". In the US, the standard is "perfect tender", where the company just has to produce a product that is perfect to the best of their ability, and acceptable to the customer. The product may have been insecure from the start, but nobody knew it, because the vulnerabilities weren't known yet.

      Three years ago, we had no idea that the rowhammer effect could corrupt data. Two years ago, we didn't think it had security implications. Now we know better, but my desktop was built four years ago.

      There are some vulnerabilities that can be resolved, like default passwords... but those are comparatively rare. For production and installation ease, the devices are usually shipped with a default password and the user is provided instructions to change the password. The problem is that the users don't read the instruction manual for their new lightbulbs. In this case, the product is designed and sold to be secure, but the user's inaction caused the insecurity.

      Ultimately, the liability for an attack lies (legally) with the attacker. It's been that way for several thousand years, and is fundamental to the legal framework in this country. Trying to change that will have many unintended consequences.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    2. Re:The Backasswards solution by AmiMoJo · · Score: 2

      Because eBay and Banggood and AliExpress and all the other ways people import products from China. It's hard to fine companies in China when you are a US regulator. Even blocking their imports will fail as they will just re-brand faster than the US legal system can react.

      Besides, there would be endless legal arguments over what counts as "insecure". If you did everything right but someone finds a previously unknown bug in OpenSSL that is part of your 8 year old product, how much responsibility can you have for maintaining update servers and making sure all the remaining products out there get patched? Would it be okay to just mail everyone a letter saying "don't use this product any more, here is a $1.50 coupon for a newer model"?

      It needs a technical solution. One which doesn't involve trusting or requiring manufacturers to do a good job.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:The Backasswards solution by Sarten-X · · Score: 3, Interesting

      Joseph Bramah's lock was considered secure for 67 years, until Alfred Charles Hobbs picked it after a 51-hour effort in 1851. Now, modern tools and techniques can pick such a lock in a matter of minutes.

      So let's suppose you had purchased one of Bramah's locks in 1850, with a 65-year history of perfection. If you were robbed in 1853, who bears the liability? Is it Bramah (actually his sons who inherited the business) for making an insecure lock that was sold as being secure? Is it you, for not replacing the lock as soon as a picking technique had been proven? Or is it the thief who actually exploited the vulnerability and broke the law?

      --
      You do not have a moral or legal right to do absolutely anything you want.
  6. If I could secure IoT devices by rsilvergun · · Score: 3, Insightful

    I could make a heck of a lot more than $25k...

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  7. Multi faceted approach by JASegler · · Score: 3, Interesting

    There isn't going to be a magic wand for this. But a multifaceted approach would help.

    1) Standards body to oversee the software and protocols.

    2) Standard IOT base software stacks and protocols. Ideally run as an open source style project with companies encouraged to give back to the software stacks. Maybe protection from being sued for security problems found if they are using the certified software stacks. i.e. we were using the certified software stack in a certified way is a valid legal defense. If your modifications are the problem you lose that protection. Makes getting your modifications into the base stacks very appealing to the lawyers, etc.

    3) Certification program that takes completed devices and runs them through tests. Penetration tests of the completed devices. Manual and automated review of the software. Should be easy to fast track the software reviews if you're building on top of one of the approved IOT base software stacks.

    4) Require a way to easily update the software of the devices. The reality is forced updates are going to have to be required because most won't manually update the devices.

    5) Require that a fully functional software stack be put in escrow for each device and revision of software. The company must provide support for the device or the software base is released. Lack of support for the device is decided by the standards board, not the company. Fully functional means that someone can take the stack, compile it and successfully install it on the device. No hidden BS boot encryption keys that are missing, etc. If there are encryption keys like that then they have to be put in escrow with the rest of the software stack.

    6) Media campaign to get people to buy only certified IOT devices.

    Probably plenty more things that are good ideas/best practices. But this would be a start.

  8. $25K? That's insulting. by azav · · Score: 2

    The importance of this is high and $25K is an insult to the amount of effort required to perform to do this.

    That number is so low, it's meaningless.

    --
    - Zav - Imagine a Beowulf cluster of insensitive clods...
  9. Re:Personal IoT Standard by silas_moeckel · · Score: 2

    The M&M theory: a firewall device that all communication must pass through if it needs to leave the building. It must be able to see all traffic, so it's an https proxy, plus a scheme to register all access a device needs and have it allowed by the user.

    So get a new IoT lightbulb, plug it in, connect it to the IoT SSID. Register what it needs to connect to and what data is passed; allow users to allow/deny at a fine-grained level. All easily implemented on the wifi AP you already have, and it gives a place for updates etc.; add different radios as required.

    Oddly similar to a vera or other zwave hub because that's an actual standard that's reasonably well secured.

    --
    No sir I don't like it.
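    Both rtb61's "library of allowed traffic data transmissions" and silas_moeckel's register-then-allow/deny gateway above describe the same default-deny egress policy: a device gets out only to destinations the user has explicitly approved, and a newly plugged-in device has its connection attempts recorded for review rather than let through. The block below is an added illustration of that decision logic, not code from the thread, from the FTC challenge, or from any product. It works at the hostname/port layer (the point where an https proxy or DNS-aware gateway would make the decision) and every device id, hostname and flow is constructed sample data.

```python
"""Default-deny egress allowlist for IoT devices on a home gateway (added example).

Every outbound flow must match a rule the user approved for that device;
anything else is dropped and logged. A device in "learning" (registration)
mode has unmatched attempts queued as pending requests, but still blocked.
All identifiers below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# A rule is (destination host pattern, port, protocol). A host pattern is
# matched exactly, except that a leading "*." allows any subdomain.
Rule = Tuple[str, int, str]


@dataclass
class Flow:
    device: str      # identifier on the IoT SSID, e.g. a MAC address
    dst_host: str    # hostname the device asked the proxy/DNS for
    dst_port: int
    proto: str       # "tcp" or "udp"


@dataclass
class Gateway:
    allowed: Dict[str, Set[Rule]] = field(default_factory=dict)
    learning: Set[str] = field(default_factory=set)     # devices in registration mode
    pending: Dict[str, Set[Rule]] = field(default_factory=dict)
    denied_log: List[str] = field(default_factory=list)

    def approve(self, device: str, host: str, port: int, proto: str = "tcp") -> None:
        """User approves one destination for one device and it leaves the pending queue."""
        rule = (host.lower(), port, proto)
        self.allowed.setdefault(device, set()).add(rule)
        self.pending.get(device, set()).discard(rule)

    @staticmethod
    def _host_matches(pattern: str, host: str) -> bool:
        # "*.example.com" matches "cdn.example.com" but not "evilexample.com",
        # because the comparison keeps the leading dot of the suffix.
        if pattern.startswith("*."):
            return host.endswith(pattern[1:])
        return pattern == host

    def decide(self, f: Flow) -> str:
        """Return "allow", "pending" (learning mode, blocked but recorded) or "deny"."""
        host = f.dst_host.lower()
        for pat, port, proto in self.allowed.get(f.device, set()):
            if port == f.dst_port and proto == f.proto and self._host_matches(pat, host):
                return "allow"
        if f.device in self.learning:
            self.pending.setdefault(f.device, set()).add((host, f.dst_port, f.proto))
            return "pending"
        # Unknown device or unapproved destination: bin it and keep the evidence.
        self.denied_log.append(f"deny device={f.device} dst={host}:{f.dst_port}/{f.proto}")
        return "deny"


def demo():
    """Walk a constructed lightbulb through registration, approval and enforcement."""
    gw = Gateway()
    bulb = "aa:bb:cc:00:00:01"                    # constructed device id
    gw.learning.add(bulb)
    # First boot: the bulb tries its vendor cloud and a telnet connection to an unknown host.
    gw.decide(Flow(bulb, "api.bulbvendor.example", 443, "tcp"))
    gw.decide(Flow(bulb, "203.0.113.9", 23, "tcp"))
    # The user reviews gw.pending[bulb] and approves only the vendor API.
    gw.approve(bulb, "api.bulbvendor.example", 443)
    gw.learning.discard(bulb)
    results = {
        "vendor": gw.decide(Flow(bulb, "api.bulbvendor.example", 443, "tcp")),
        "telnet": gw.decide(Flow(bulb, "203.0.113.9", 23, "tcp")),
        "unknown_device": gw.decide(Flow("aa:bb:cc:00:00:02", "api.bulbvendor.example", 443, "tcp")),
    }
    return results, gw


if __name__ == "__main__":
    res, gw = demo()
    print(res)
    print("\n".join(gw.denied_log))
```

    The design choice worth noting is that learning mode still blocks: a device registers what it wants, but nothing reaches the network until a person approves it, which is what keeps a factory-default telnet beacon from slipping through during the first five minutes.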
  10. Gimme a break! by jenningsthecat · · Score: 2

    25 kilobucks???!!! WTF?? Realistically, such a solution would be worth AT LEAST seven figures. And anyone smart enough to come up with it shouldn't be dumb enough to sell it off for chump change, especially in an era where 'rounded corners' can not only be patented, but can almost be successfully defended against "infringement".

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
  11. Do i win? by Highdude702 · · Score: 2

    Use a Hammer!

  12. Very simple by MeNeXT · · Score: 3, Interesting

    Unmaintained, unsupported or unpatched (say 30 days) products no longer benefit from copyright and patent law.

    --
    DRM? No thanks, I'll just get it somewhere else...
  13. Just keep right on failing by WaffleMonster · · Score: 2

    The best way to secure "IoT" is for the industry to keep right on marching toward a not so distant future where "IoT" and "SMART" are widely viewed as toxic and undesirable.

    At some point the consumer is going to ask themselves... do I REALLY want to pay $200 for fake FBI notices, ransom notes and advertising burned into my toast or can I get by with the $20 wall-e-mart special?

    Do I really want to put up with a toaster that stops making toast whenever Internet is down, whenever original vendor goes out of business, wants me to buy a new one or no longer feels like "supporting" their creation? Can I get by with the $20 wall-e-mart special?

    Do I want my appliances watching me stumbling about my kitchen and uploading my performances to James Clapper and criminal gangs or can I get by with the $20 wall-e-mart special?

    Do I take members of US intelligence agencies seriously when they warn/gloat:

    "Items of interest will be located, identified, monitored and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers and energy harvesters all connected to next-generation Internet using abundant, low-cost and high-power computing."

    Or

    "In the future, intelligence services might use the IoT for identification, surveillance, monitoring, location tracking, and targeting for
    recruitment, or to gain access to networks or user credentials."

    Perhaps I can get by with the $20 wall-e-mart special?

  14. Change the basic network protocol! by SysEngineer · · Score: 2

    The basic protocol should support network security isolation. The protocol should also support a cryptographic ID, not just location and routing. Then for the "DHCP" use a Web of Trust (WoT) to Authenticate, Authorize and Audit (AAA) the local Things.

  15. A Way To Secure IoT Devices by khz6955 · · Score: 2

    How about putting in a read-write switch that renders the core Operating System read-only except when you're updating it?

  16. Re:Doesn't work by sinij · · Score: 2

    The only winning move is to play WITH security. We don't accept cars that suddenly explode, we don't accept phones that burst into flames, we shouldn't accept IoT that is hacked and used to bring parts of the Internet down.